While shoring up and safeguarding a firm’s defenses against cyber-criminals is primarily under the IT department, HR controls crucial data that is often targeted by these online thieves. One of the most prized data types that cyber-criminals are after is the personal identifying information of their employees, Shawn Neibaur tells Bloomberg BNA. He is the systems administrator at Utah-based HR software firm BambooHR.
“In addition, HR often controls the onboarding of employees, meaning that an attacker who compromises HR could register themselves as an employee and gain access to other systems,” Neibaur says. “Also, HR is a facilitator for the entire company, so attackers may try to impersonate HR personnel to gain compliance from other departments.”
HR needs to be proactive in protecting itself and the data it holds from being compromised, says Susan Vitale, chief marketing officer for New Jersey-based talent acquisition software company iCIMS. HR needs to ensure that “a hiring manager for a certain department doesn’t have the same access settings as an HR manager.”
“Be sure to ask your vendor if these settings are configurable,” Vitale adds. “Also, reviewing audit trails for unexpected activities quarterly is effective. These two relatively straightforward activities can dramatically decrease the risk of a security compromise.”
So-called social engineering schemes, where cyber crooks pose as company executives and use email to steal funds via bank transfers, are being used to target HR, Paul King, senior vice president and national cyber practice leader for USI Insurance Services, writes in Workforce.
This is being done by trying to trick HR employees to click on a phony link that activates ransomware, where information is held hostage, or when HR unknowingly sends payroll data. It has gotten so bad that IRS Commissioner John Koskinen issued a warning to HR departments.
“If your CEO appears to be emailing you for a list of company employees, check it out before you respond,” Koskinen says. “Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
Koskinen has good reason to worry, as this year cyber-criminals have stolen a record amount of personal data from W-2s to file fake tax returns. Payroll processor ADP acknowledged in May that a cyber-breach led to its clients' employees’ tax data being exposed.
But King notes that despite being targeted by cyber-criminals, many HR departments are still too complacent and consider cyber risk the domain of IT. Some HR departments incorrectly assume, for example, that a back office cloud service provider is responsible for breaches that expose employee data.
“In fact, should lax security measures or a breakdown in security protocols of an HR cloud or an IT service provider allow cybercriminals to steal employee data or breach personal information, the company that owns the data—and by extension the HR personnel responsible for the data—will incur the obligations (and expense) for notifications, credit monitoring and other issues,” King writes.
It’s imperative for HR to not only ensure that sensitive information they control is safe, but that employees and staff are diligent about being on alert, the Society For Human Resources Management (SHRM) notes.
“Training people to detect and resist attempts to trick them into sending sensitive data or money to criminals is a top action all companies should be taking right now,” Kip Boyle, founder and president of Seattle-based Cyber Risk Opportunities, tells SHRM.
Workers continue to be hoodwinked into clicking on bogus links or sharing information with cyber-crooks, Verizon’s 2016 Data Breach Investigations Report finds. Companies reported 144 instances last year of ransomware fraud, up from 133 in 2014 and 22 in 2013, Verizon senior information security data scientist Gabriel Bassett notes.
Phishing, where cyber-criminals fool employees into sharing information by convincing them they are trustworthy or use other means to steal credit card information, account logins and other private data, also is a big problem, according to the Verizon report.
Bassett says that although many employees know about phishing, “humans aren’t perfect,” and that is always going to create an opportunity for cyber-criminals. But HR can play a big role in reducing the chances that employees are victimized and the first step is to talk to staff and constantly educating them about cyber-crime, Boyle says.
Firms that still rely on manual processing also put themselves at greater risk and need to end the practice, Chris Bruce, co-founder and resident data security expert at London-based Thomsons Online Benefits, says.
HR also should keep access to sensitive data limited to a few individuals who are well versed on cyber-criminal tactics, says Mark Gilmore, president and co-founder of Wired Integrations, a strategic technology consulting firm in Silicon Valle.
Using encrypted email as a security measure is a good idea, says David Wagner, CEO of Dallas-based email encryption company, ZixCorp. HR also can limit damage from cyber-criminals who gain access by ensuring data is placed in multiple servers with firewalls, says Marc Voses, partner with the data privacy liability and technology services practice group at New York-based law firm Kaufman, Dolowich and Voluck.
Voses adds that HR should make it a regular practice to backup data. “The primary key to recovering from a loss of data is to regularly back up data,” he says.