Why HR is being targeted by cyber criminals
A recent survey found that HR was one of the primary industry sectors targeted by cyber-attacks.
The survey found that 60% of the reported data breaches in organisations were a result of successful cyber-attacks through HR functions, with some organisations reporting more than one data breach.
We look at the reasons why HR is often a target for cyber criminals and the key ways that HR professionals can put in place measures to help prevent cyber-attacks in their organisations.
The rise in social engineering and the risks of ‘user error’
Nearly all cyber-attacks start with a targeted victim(s) being manipulated into taking an action or divulging confidential information about themselves or the organisation they work for.
Lehan van den Heever, enterprise cyber security advisor at Kaspersky, says research shows that just over half of businesses (52%) believe they are at risk from employees within their own organisation – this is surprisingly low!
Research by Kaspersky and B2B International found that HR professionals are considered the ‘route in’ to many organisations by cyber criminals as the ‘gatekeepers’ of personal and financial data, company information and intellectual property.
It is through individual mistakes - due to lack of awareness or understanding of increasingly sophisticated techniques - that cyber-criminals can find their way in.
Remote working presents increased cyber threats
2020 saw a meteoric rise in the use of the internet to help us continue working without too much disruption.
The sale of laptops and other devices rose as people wanted to remain connected with friends and family, and there was a general rise in the number of people new to using the internet.
Those working from home for the first time have been searching for software to download or clicking on malicious links in adverts while browsing, and inadvertently allowing cyber criminals to infect a device with a virus or gain access to sensitive and personal data. These actions would have contravened company IT policy (for those that had them in place) and resulted in data breaches and ransomware attacks.
Pretexting > Phishing: the open door to cyber attacks
Organisations, and in particular HR and payroll teams, are reporting growing numbers of very specific attacks in which criminals use pretexting techniques to impersonate a member of staff, typically someone at a senior level, via phishing emails or through a malicious link in a CV or job application.
Pretexting is one form of social engineering, where hackers often research their victims in advance of their first communication. This gives the hacker a sense of the victim’s personal and professional life and assists with establishing the right pretext with which to approach the victim.
Hackers generally also rely on hitting upon an individual’s lack of technical knowledge and skill and lapses of judgement as well as a weakness in company tech security.
All of these risks are heightened with the increase in remote working, and for those without access to an encrypted system to update personal information themselves.
Take this example: an employee working in HR or Payroll (whose contact details are often easy to find) receives an email that appears to be from a senior manager or CEO, asking for help to amend their bank details in the payroll system so that their salary can be paid into a new bank account in time, because they supposedly can’t log into the company self-service system to make the change themselves.
The nature of the email puts pressure on the victim to act quickly and, in many cases, causes a lapse in judgment. It’s especially effective against victims who aren’t accustomed to receiving emails from senior management. Rather than being suspicious, the victim takes immediate action and so the attack commences.
Once an account has been compromised, it can be used to send emails to colleagues requesting confidential information, asking for funds to be transferred, or asking for bank details in the payroll system to be amended manually. Stopping the attack from spreading further then relies on other staff in the organisation being alert to the phishing and making the right call.
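The payroll bank-detail request described above can be triaged with a simple rules check before anyone acts on it. The following is an added illustration, not code from the article or from any vendor it mentions; the internal domain, the senior-staff names and the sample messages are all constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed assumptions: the organisation's own mail domain and the
# display names of senior staff that attackers are likely to impersonate.
INTERNAL_DOMAIN = "example.com"
SENIOR_STAFF = {"Jane Doe", "John Smith"}

# Wording typical of a payroll-diversion pretext: the request itself and the
# pressure/excuse that discourages the recipient from verifying it.
BANK_CHANGE = re.compile(r"bank (details|account)|sort code|account number|payroll", re.I)
URGENCY = re.compile(r"urgent|asap|in time|can'?t log ?in|unable to log", re.I)


def triage(msg: dict) -> dict:
    """Score one inbound request for pretexting indicators.

    msg carries 'from', 'reply_to', 'subject' and 'body' strings.
    Returns the reasons found and the handling action: two or more
    indicators means hold the request and verify it out of band.
    """
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    # A senior-staff display name on an address outside the company domain
    # is the classic CEO-impersonation pattern.
    if name in SENIOR_STAFF and domain != INTERNAL_DOMAIN:
        reasons.append("senior-staff display name on an external address")
    reply_to = parseaddr(msg.get("reply_to", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        reasons.append("reply-to domain differs from sender domain")
    text = msg["subject"] + "\n" + msg["body"]
    if BANK_CHANGE.search(text):
        reasons.append("requests a payroll/bank-detail change")
    if URGENCY.search(text):
        reasons.append("urgency or self-service-unavailable pretext")
    action = ("hold: verify by phone using the directory number"
              if len(reasons) >= 2 else "normal handling")
    return {"reasons": reasons, "action": action}


# Constructed sample messages: one payroll-diversion attempt, one ordinary job application.
SAMPLES = [
    {"from": "Jane Doe <jane.doe@example-mail.net>", "reply_to": "",
     "subject": "Urgent - new bank details",
     "body": "I can't log into self-serve. Please amend my bank details in payroll "
             "so my salary goes to my new account in time."},
    {"from": "Alex Candidate <alex@mailprovider.example>", "reply_to": "",
     "subject": "Application for HR Assistant role",
     "body": "Please find attached my CV for the advertised position."},
]
```

Run against real mail, the same check belongs in the process rather than the inbox: any bank-detail change request that scores as "hold" is confirmed by calling the employee on a number already held on file, never one given in the email.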
The challenge for HR functions, particularly for those in areas such as recruitment, is that receiving communication from someone not yet known (someone applying for a job, for example) is normal. Knowing how to spot the difference and identify a phishing email isn’t always easy.
How to avoid becoming victim to a cyber attack
Some of these things may seem obvious, yet they’re some of the most common ways that cyber criminals attack business systems today:
Five key ways that HR can help prevent cyber-attacks in their organisations
Last but not least:
Credit:
Emma Parnell
Product Manager - Cyber
Zero Trust Content Security
1y · Great article, Matt - any updates on the figures? HR must open files from strangers all day long, so they are a prime target for file-borne malware.
Leading a high performing Account Management team, working with organisations to streamline processes and boost efficiencies by leveraging technology | F1 and Watch Enthusiast
3y · Thanks for sharing, great read!
Learning | Career Development | People Solutions Specialist
3y · Excellent article Matt Newton. Over the years the best HCM projects that I have worked on have had IT/Information Security involvement from the outset. Confidence in this area is key.
Account Manager | Supporting in Building People Centric Organisations
3y · Brilliant article Matt Newton! Some great tips on how to avoid being a victim of cyber attacks.