To what great lengths are hackers going to infiltrate your people operations and steal employee data? Let us count the ways:
- They pretend to be recruiters and hiring managers and even conduct fake job interviews to get unsuspecting targets to share their resumes, bank routing numbers, tax forms and other personal information that could be used to access financial data.
- They create fake LinkedIn profiles hoping to lure unsuspecting employees to connect and then open emails that could launch phishing attacks to gain access to company computer networks.
- They send fake emails that appear to be from company executives to human resources staff requesting employee data, which they also use to access corporate networks.
- They exploit weaknesses in security systems to steal and leak salaries, email exchanges and confidential data to sabotage a company’s operations or destroy its reputation, as was the case with the 2014 Sony Pictures hack.
“HR data is tasty for hackers,” said Shon Burton, chief executive of artificial intelligence-based recruiting software maker HiringSolved and a former cybersecurity architect.
“If you have someone’s resume you have many of the things you needed to get a credit card or to trick them” into thinking you’re a different person, including where they live and the last place they worked, Burton said. “It’s juicy, and it needs to be protected carefully.”
Of course, cyber threats reach well beyond attempts to hack HR. That much is clear from the string of data breaches that in the past two years struck Equifax, Yahoo, the Securities and Exchange Commission, HBO, the Democratic National Committee and Internal Revenue Service, among others.
However, cybersecurity is no longer just an HR problem or an information technology problem. It’s a CEO problem — and if you’re a CEO and you’re not paying attention, you have a big problem.
Consider Equifax. The credit bureau’s CEO resigned and other top officials were forced out last month in the wake of a data breach that compromised information on roughly 143 million Americans, or nearly half of the country’s adult population.
With cyberattacks as much a part of daily corporate life as bagel Fridays, you can’t rely on people, policies or technology alone to prevent them. The best defense is a multi-part offense that includes up-to-date business and people practices, cybersecurity software, vigilance, insurance and someone high up the corporate ladder whose job is on the line if something bad happens.
Here’s a breakdown of anti-hacking best practices for people operations from cybersecurity experts.
Don’t make people log onto your HR platforms if they don’t have to.
Asking someone to create a username and password on an applicant tracking system that they’ll probably use once to apply for a job gives would-be hackers yet another way into your company’s networks. It also gives them the opportunity to steal the job seeker’s confidential information. “If a hacker can access your candidate’s passwords for the ATS, and match the candidate’s email address up with some other piece of data floating out in the world, life gets hard for you,” writes Steve Gifford in a recent Fistful of Talent post.
Keep tech platforms updated and look for ‘cracks’ that could let in hackers.
Companies like Equifax that have been around for years and have tens of thousands of employees have a large data infrastructure. It’s conceivable that parts of such a network were built years ago and haven’t been upgraded to the latest technology.
“The likelihood of there being a small crack someone can exploit is very high,” Burton said.
When it comes to data breaches, companies with a small workforce have an advantage over bigger businesses because leaders see employees every day and can talk to them directly, often about security best practices. Startups also are well positioned to stop attacks because their technology is likely to be new and built around modern best practices.
“There’s no hidden Java code that’s been running for 17 years,” Burton said.
Regardless of size, Burton recommends following cybersecurity standards created by the National Institute of Standards and Technology. At HiringSolved, “our theory is defense in depth,” Burton said. “It does you no good to beef up the front door when the back door is a screen door.”
Don’t use email.
A simple way to avoid phishing attacks is minimizing communication via email. That is easier said than done. But companies are already switching to Slack, Chatter or other internal communications platforms, so tighter security is a nice byproduct. It doesn’t eliminate using email for external communications, but I’ll get to that in a minute.
Another phishing avoidance tactic is storing information in the cloud instead of on a desktop, laptop or phone. That way, even if an employee falls for a phony email requesting company data, they would send a link to a file that a hacker wouldn’t be able to access because they wouldn’t have the additional information they needed to open or decrypt it. Some companies require employees to store data online. That way, even if an employee’s laptop is stolen there wouldn’t be any company information on it worth stealing (personal information could be a different story).
If you use email, encrypt it.
Encrypting outgoing email is one way to thwart would-be phishing attacks. Services such as Gmail and Microsoft Office 365 offer encryption, but using it doesn’t allow for checking for spam, automatically sorting messages into folders or other common functions, according to CSO. Employees who travel or log into company networks from public Wi-Fi hotspots can use secure virtual private networks to check email.
Plug-ins are another option. Startup cybersecurity tech vendor Trustifi sells an email plug-in that encrypts and postmarks messages and verifies a sender’s identity. It appears as a button on the Outlook tool bar. “Before you click send, you choose whether you want it to be encrypted or not,” said Idan Udi Edry, the company’s CEO.
Companies can create policies about when encryption should be used or leave it up to the employee. At Trustifi, Edry said he dictates which types of email are encrypted. He’s also a fan of holding meetings dedicated to reviewing cybersecurity and encryption rules.
Provide awareness training.
Take cybersecurity training beyond holding meetings and including basic guidance on the issue in an employee handbook. Last year, the cybersecurity training company KnowBe4 — infamous 1990s hacker Kevin Mitnick is the company’s chief hacking officer — sent simulated phishing attempts to 300,000 employees at 300 of its clients to train them to be better at identifying problem emails. Prior to the training, 16 percent of employees clicked on links in the simulated phishing emails. A year later, the number had dropped to 1 percent, according to KnowBe4.
Carry cybersecurity insurance.
Approximately three-quarters of the world’s largest companies buy some kind of cybersecurity insurance, as do about a quarter of small and middle-size enterprises, according to research from Willis Towers Watson, an HR services broker and advisory firm.
Policies insure against financial losses an organization could incur from a hack or other data breach, or if an employee’s laptop is lost or stolen. Depending on the policy, cyber insurance could pay for the cost of disseminating breach notifications, setting up credit card monitoring for employees, and performing a forensic analysis to determine what happened, according to Anthony Dagostino, head of global cyber risk for Willis Towers Watson, which sells cyber insurance policies.
Premiums for stand-alone policies range from a few hundred dollars for a small office into the millions of dollars for a large global company. Some companies add a cyber insurance rider to an existing property insurance policy, Dagostino said.
Michelle V. Rafter is a business journalist in Portland, Oregon, reporting on workforce and technology for Talent Economy and other publications. If you have a comment or column idea, email email@example.com.