Understanding the role of HR and security in protecting sensitive data
The human resources department is one of the crown jewels of any organization, housing some of the most sensitive and private information. Cybercriminals frequently target HR with the goal of collecting financial and personal identifiable information—think social security numbers, dates of birth, bank detail and home addresses, to name a few. However, when your primary resource for potential new employees and record-keeping also happens to be the most popular access point for cybercriminals, the margin for error in your security strategy is almost non-existent.
Recruiting agencies and HR departments are constantly bombarded with emails and attachments from aspiring talent, making them an ideal target for hackers and cybercriminals. Staff literally cannot avoid opening emails and attachments from people they do not know. This means the job description of a recruiter is no longer just finding quality candidates; now they also must be cyber-conscious, spotting security threats before their organization’s infrastructure is compromised.
Nowadays we’re seeing an action as simple as opening a resumé document having the potential to completely devastate an organization. A prime example was the variant of the Petya ransomware, GoldenEye, in a campaign in 2017 that distributed ransomware through malicious email attachments aimed at HR departments via fake job applications. This was a specific effort to abuse the fact that HR employees must open emails and attachments from unknown sources.
While many companies have room for improvement in their threat-prevention plans, they must also turn their focus to their employees’ awareness of the dangers associated with email correspondence. Here are some ways HR executives can keep their company safe from a cybercriminal’s go-to weapon, but still keep the wheels in their department turning.
While it seems like one of the basics, ensuring that your HR team is properly vetted is one of the most important first steps that a company can do to secure its information. HR professionals should be of the highest character and integrity given that they will handle the most sensitive employee data and be involved in some of the most complex organizational issues such as hiring, promoting and even firing of staff. There should be extra scrutiny for those charged with working through and handling the data for the most intimate of situations in an organization.
Good Rapport With Information Security Team
While many HR employees don’t have a cybersecurity background, they do play a crucial role in thwarting cyberattacks. They need to be aware of and practice fundamental principles of information security such as being attentive of suspicious grammar, texts and URLs and not opening emails that raise concerns. They also need to be diligent about alerting their information security teams when correspondence is viewed as suspicious. In fact, it is critical that the HR and information security teams have well-established, open communication channels so that everyone is aware of their role and responsibility when an incident occurs. Not only is HR staff the last line of defense against attacks targeted through their department, but they also are empowered to train employees and implement cybersecurity policies in the company as a whole. Knowing how to spot suspicious activity and training and enforcing other employees to do the same will help immensely.
Understand Third-Party Risks
If an organization is using a recruiting or staffing agency, it’s imperative to do an assessment of the agency you’re working with. Just as the broader organization may evaluate its supply chain, partners and integrators, there needs to be some level of assessment with a recruiting or staffing agency. As with any third party, there is inherent risk to an agency operating on behalf of an organization and gaining access to sensitive information.
HR is considered to be one of the most vulnerable departments within any organizations, since one of its primary functions is to constantly receive and open files and documents from unknown senders. By understanding the inherent risks and implementing each of these best practices, HR departments can be better equipped to deal with malicious activity and help protect their organization and employees’ sensitive information.
Credit: Daniel V. Medina