The online threats faced by HR departments
Paul Wood, January 17, 2013
Typically, HR departments are privy to a company's most sensitive information, from private details about individual employees, ranging from their personal information to insight into their financial status, through to workforce planning carried out to manage future business. The data they hold is seen as a goldmine by cyber criminals who deal in the exchange and exploitation of personal data.
The pivotal position that HR professionals hold in relation to the security of their company therefore should not be underestimated. Indeed, in many instances, they may prove to be the first line of defence as cyber criminals set their sights firmly on them.
Those HR professionals using group inboxes (e.g. email@example.com) should be aware that emails received via these addresses could be malicious. HR departments are more likely than most in a company to receive unsolicited emails from potential candidates for employment, which are quite likely to include attachments such as CVs or examples of past work. As a result, the chances of them accidentally opening a malicious document which then infects a company's networks increase. Aware of this, criminals will look to embed code into documents that can infect systems, or perhaps even return data to the attacker, which in turn can be used for corporate espionage.
Social networks are also proving fruitful ground for criminals to fool individuals into unleashing dangerous files throughout their systems. Just as HR people scour social networks to learn more about potential candidates, so do cyber criminals looking to profile their targets. HR practitioners should be cautious when accessing documents or external links related to individuals they are interested in, as criminals may have already been there first, having set a trap for inquisitive staff to fall into.
It is not only in-house HR teams that need to remain vigilant to the threat. Outsourced recruitment consultancies also have a responsibility to ensure that they do not expose their clients to cyber attack. For instance, criminals are aware that recruitment agencies use automated systems to match candidates to appropriate positions, and will tailor fake job applications with documents containing malicious code, which may ultimately find its way back to the intended target. Criminals will have researched their intended targets' upcoming vacancies and will use the targets' preferred recruitment partner to gain access to their systems.
It's important that people do not dismiss this threat as something confined to larger organisations with obvious value to criminals. Our research has also indicated that attacks on SMBs increased from 18% to 31% in 2012, for a number of reasons, such as their role in the supply chain, the valuable intellectual property they hold, and potentially the less stringent security measures they have in place.
So what steps can organisations and their HR teams take to combat this threat? It fundamentally begins with education. Teaching staff about the risks, making sure they are aware of the tricks that may be employed against them, and showing them what to watch out for is key. To support this, organisations should consider enacting policies that establish clear guidelines on how to manage unknown or suspicious messages, and ensure employees understand their responsibility to do their utmost to mitigate potential attacks.
Finally, security technology should be installed to act as the last line of defence. Given the nature of the HR profession and the sheer scale of unsolicited emails received, it is important to guard against those few that might slip through the net. The best security technology will catch these, and prevent them from wreaking havoc through a company's systems.
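The kind of check such technology applies to the CVs and work samples arriving at a group inbox can be illustrated in code. The following is an added example, not part of the original article or of any Symantec product: it triages an attachment by its claimed file type, its leading bytes and, for zip-based Office documents, the presence of a VBA project, and it builds its own constructed sample documents rather than reading real files.

```python
import io
import zipfile

# File types an HR group inbox legitimately expects as CVs or work samples.
ALLOWED = {"pdf", "doc", "docx", "odt", "rtf", "txt"}
# Office extensions that announce macro-capable content.
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm", "ppsm"}
# Leading bytes of the claimed formats, used to catch renamed files.
MAGIC = {"pdf": b"%PDF", "docx": b"PK\x03\x04", "doc": b"\xd0\xcf\x11\xe0"}


def ooxml_has_vba(data: bytes) -> bool:
    """True if a zip-based Office file (docx/docm/xlsm, ...) carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons to hold an attachment for review; empty means release."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    # cv.pdf.exe: a document-looking name hiding a non-document extension.
    if len(parts) == 3 and parts[1] in ALLOWED and ext not in ALLOWED:
        reasons.append("double extension such as cv.pdf.exe")
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled Office format")
    elif ext not in ALLOWED:
        reasons.append("file type not expected for a CV")
    # A renamed file: the name claims one format, the bytes say another.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("content does not match the claimed ." + ext + " format")
    if data.startswith(b"MZ"):
        reasons.append("Windows executable content")
    if data.startswith(b"PK\x03\x04") and ooxml_has_vba(data):
        reasons.append("embedded VBA project")
    return reasons


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed stand-in for a .docx/.docm upload (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

A real mail gateway would add detonation and reputation data on top of these static checks; the point here is that an HR inbox can apply an expected-file-type policy without refusing unsolicited mail altogether.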
The traditional maxim of not opening correspondence from unknown senders does not necessarily apply to HR teams due to their unique circumstances, and therefore, they are open to attack each and every time they open an email. The majority of these will be safe. However, there might be that one occasion when the email is not from a legitimate job hunter and the HR manager inadvertently exposes their organisation to attack. Being aware of this threat and being prepared to combat it is essential within organisations of all sizes.
Paul Wood, cyber security intelligence manager at online protection company Symantec