When Juliette Rizkallah saw an email land in her inbox from her CEO asking her to send him all of the company financials, she hesitated. It was completely out of character for the CEO to make such a request.
And yet the email came from what looked – even to Rizkallah’s expert eye as chief marketing officer at cyber security firm SailPoint – like his genuine corporate email account.
But the email hadn’t come from the CEO at all. It had come from a hacker.
It’s a story that now plays out in organisations around the world on a daily basis. Rizkallah’s story ended well: she contacted the CEO directly to verify whether the request had come from him.
But not all firms are so fortunate. Target, eBay, JP Morgan, Google, Yahoo!… the list of those that have fallen foul of a cyber attack in recent times goes on.
Firms have of course responded, with HR rolling out cyber security training for employees. But is HR practising what it preaches and keeping the plethora of sensitive employee data it holds safe? Or is it the weak link putting organisations at risk of attack?
“It’s not necessarily that HR is the weak link but HR will always be quite heavily targeted because it handles so much personal data,” says Edward Whittingham, managing director of The Defence Works.
“Cyber crooks will target HR records as that type of information can be used and sold on the dark web to do other types of crime,” adds Rebecca Herold, CEO and founder of the Privacy Professor Consultancy. “There are situations where HR records have been stolen so [attackers] can see information about, say, the CEO and then use different types of phishing attacks to target that individual – it’s called spearphishing.
“And increasingly there are also cases where that data is not only used for cyber attacks but cyber crooks sell the data – such as the CEO’s home address – on the dark Web to traditional crooks that might use it for something malicious [in the physical world] such as breaking into their house.”
The challenge, says Anthony Shields, global HR systems leader at EY, is that HR typically hasn’t previously had the cyber security expertise to manage these risks.
“Traditionally we’ve over-relied on the IT function to provide that coverage, but that’s changing,” he says.
Within Shields’ HR systems team, the focus over the past 24 months has been to build its own cyber security capability. “About 10% of my team is now working at any given time with the IT function to ensure HR systems are secure from a data perspective,” he explains. “It’s not about creating an IT and cyber security function within operations, but building up that cyber security capability in the function that can work in partnership with IT.”
So just what should the function be doing to keep its own house in order? Here, experts share their practical advice on making HR cyber-secure…
Ask HR tech suppliers the right questions
Shields asks his team to consider the following questions when selecting HR tech: “Have you moved beyond the standard procurement questions and guidelines when bringing new vendors in? Has the vendor moved from a passive defence into a more active defence to be able to defend against not just common attacks, but advanced attacks and some of the emerging attacks that we don’t know about yet?”
“Don’t be afraid to ask questions,” agrees Whittingham. “If you’re dealing with a potential new provider, don’t be afraid to challenge them – it’s important not to assume they know what to do from a cyber security perspective, as it’s not always the case.”
One useful question is whether the supplier has ISO 27001 certification for its information security management system, and whether the firm carries out cyber security awareness training with its own staff. “With around 97% of incidents caused by human behaviour, you want to know that your supply chain is doing something to educate their workforces too,” Whittingham adds.
Shields advises HR teams to also seek independent reviews of any tech they use. “But the big question I ask my teams to ask themselves is: ‘How are you partnering with IT and procurement to be able to review and assess vendors when they come through your doors?’,” he adds.
Conduct active testing on HR systems
With both new and existing HR systems, a clear testing and compliance strategy should be put in place to actively monitor them, particularly those that sit in the cloud, advises Shields.
“It starts with penetration testing to identify the vulnerable points in the HR infrastructure,” agrees Prasun Shah, partner in the people and organisation practice at PwC. He explains that this involves controlled hacking attempts by specialists.
Rizkallah points out that the most vulnerable systems are typically the peripheral ones because they are often overlooked.
“Sometimes the main HR system is very secure and has been tested, but then when you start putting other tech over it – like compensation software, for example – it may not be. Those little systems that are peripheral to the main system could be the entry door to the main system, no matter how secure the main system is,” she says.
Link HR processes and IT governance
Other tests include an internal software audit on HR systems to see who has accessed sensitive or personal data over the past year, says Herold. With recent research from SailPoint finding that 47% of employees who leave a job still have access to their former organisation’s data, HR must also audit leavers’ access, Herold adds.
“When someone leaves the organisation, all access to systems needs to be revoked,” Rizkallah says, pointing to the risks posed by disgruntled ex-employees and by hackers who exploit the easy target that is an orphan (inactive) account.
This can be remedied through better linking HR processes and IT governance, she explains: “[IT governance] needs to be integrated with HR systems so that when a person’s employment is terminated by HR it starts a workflow to IT that will kick out their access – not tomorrow, not in two weeks, but immediately.”
The same should apply where staff are switching jobs within the same organisation. “Have basic security practices in terms of data masking and role-based access to data,” says Shah. “When you are moving role in the organisation, you shouldn’t have access to the previous role’s data.”
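The leaver and mover checks described in this section can be run as a reconciliation between the HR roster and the IAM account list. The script below is an added example, not code from the article or from any of the firms quoted; the role-to-entitlement policy table, the employee IDs and the account names are all constructed for illustration. It flags three conditions: an enabled account whose HR record says the person has left (an orphan account), an enabled account with no HR record at all, and an account holding entitlements its current role does not allow (typically left over from a previous role), then turns the findings into the immediate disable/revoke actions an HR-triggered IT workflow would execute.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Entitlements each HR role may hold. This policy table is constructed for the
# example; a real deployment would load it from the IAM system's role model.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "hr-analyst": frozenset({"hris:read", "hris:export"}),
    "payroll-clerk": frozenset({"payroll:read", "payroll:write"}),
    "engineer": frozenset({"vpn", "git"}),
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None when no HR record is linked to the account
    enabled: bool
    entitlements: FrozenSet[str]


def reconcile(hr_records: List[HrRecord], accounts: List[Account]) -> dict:
    """Compare enabled IAM accounts against the HR roster.

    orphaned:            account still enabled although HR says the person left
    unlinked:            enabled account with no HR record at all
    excess_entitlements: entitlements the holder's current role does not allow
    """
    by_id = {rec.employee_id: rec for rec in hr_records}
    findings = {"orphaned": [], "unlinked": [], "excess_entitlements": {}}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        rec = by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            findings["unlinked"].append(acct.username)
        elif rec.status != "active":
            findings["orphaned"].append(acct.username)
        else:
            allowed = ROLE_ENTITLEMENTS.get(rec.role, frozenset())
            excess = sorted(acct.entitlements - allowed)
            if excess:
                findings["excess_entitlements"][acct.username] = excess
    return findings


def deprovision_actions(findings: dict) -> List[Tuple[str, str, Optional[str]]]:
    """Translate findings into the immediate actions an HR-to-IT workflow would fire."""
    actions = [("disable", user, None)
               for user in findings["orphaned"] + findings["unlinked"]]
    for user, entitlements in findings["excess_entitlements"].items():
        actions.extend(("revoke", user, ent) for ent in entitlements)
    return actions


def sample_data() -> Tuple[List[HrRecord], List[Account]]:
    """Constructed roster and account list for the example (not real data)."""
    hr = [
        HrRecord("E100", "hr-analyst", "active"),
        HrRecord("E101", "payroll-clerk", "terminated"),  # leaver
        HrRecord("E102", "engineer", "active"),           # mover: was payroll-clerk
        HrRecord("E103", "engineer", "active"),
    ]
    accounts = [
        Account("jdoe", "E100", True, frozenset({"hris:read", "hris:export"})),
        Account("bsmith", "E101", True, frozenset({"payroll:read"})),
        Account("cjones", "E102", True, frozenset({"vpn", "git", "payroll:write"})),
        Account("svc-old", None, True, frozenset({"hris:export"})),
        Account("dlee", "E103", False, frozenset({"vpn"})),
    ]
    return hr, accounts


if __name__ == "__main__":
    roster, accts = sample_data()
    for action in deprovision_actions(reconcile(roster, accts)):
        print(action)
```

Run on its own the script prints one disable action each for the leaver's account and the unlinked service account, and a revoke of the payroll entitlement the mover carried into the engineering role. In practice the roster and account list would be pulled from the HR system and the directory on a schedule, and the same reconciliation would run as part of the termination workflow itself so that access goes immediately rather than at the next audit.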
Protocols and policies
The frequency with which HR is asked to share information with other functions puts its data in a particularly vulnerable position. “You might have the best HR tech platform around in terms of penetration testing to a gold standard, but internally what flies around is spreadsheets,” says Shah.
“Finance will ask HR to send them cost structures but they will handle cost structures differently to how HR does. So in order to reconcile the two systems, the data will get downloaded onto a spreadsheet and emailed.”
This “culture of spreadsheets and emails” leaves HR data vulnerable, adds Shah: “HR should put in the right protocols so there is a model where data is transmitted from the HR system into a relevant system or other part of the organisation using the right encryption protocols.”
Cyber security software
Investing in dedicated cyber security software is also important, says Shields, who recommends “active defence products” that act on the firewall and spot common, advanced and emerging attacks. “There are definitely systems that should be deployed,” says Herold, suggesting a combination of data leak prevention (DLP) software (which will alert the organisation if employee data is being exfiltrated from the organisation) and intrusion detection systems (which will alert the organisation if someone tries to inappropriately access or modify HR records).
“DLP helps keep personnel records from leaving the company whereas intrusion detection helps keep unauthorised entities from accessing personnel records, so they form two purposes – keeping people from getting to the information to begin with and preventing the people who do have access to it from taking it outside the organisation,” she explains.
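The two purposes Herold describes map onto two detection rules that can be run over the HR system's own audit trail. The code below is an added example and not a product or code from any of the firms mentioned; the audit-line format, the user-to-role table and the sample log lines are all constructed. The first rule fires when a user performs an action their role does not permit on a personnel record (the intrusion-detection side); the second fires when one user touches at least five distinct personnel records within a five-minute window, the usual precursor of a bulk export that data-leak-prevention tooling is meant to catch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Set

# Which audit actions each role may perform on personnel records. Constructed
# policy for the example; a real rule set would come from the HR system's role model.
ROLE_OF: Dict[str, str] = {"jdoe": "hr-analyst", "pwong": "payroll-clerk", "cjones": "engineer"}
ALLOWED_ACTIONS: Dict[str, Set[str]] = {
    "hr-analyst": {"view", "modify", "export"},
    "payroll-clerk": {"view"},
    "engineer": set(),
}

# Constructed HR-system audit lines in a simple key=value format (not real logs).
SAMPLE_LOG = """\
2019-10-03T09:12:01 user=jdoe action=view record=E102
2019-10-03T09:12:05 user=cjones action=view record=E100
2019-10-03T09:13:10 user=pwong action=modify record=E104
2019-10-03T09:15:00 user=jdoe action=view record=E103
2019-10-03T09:15:02 user=jdoe action=view record=E104
2019-10-03T09:15:04 user=jdoe action=view record=E105
2019-10-03T09:15:06 user=jdoe action=view record=E106
2019-10-03T09:30:00 user=pwong action=view record=E107
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) record=(\S+)$")


def parse_line(line: str) -> dict:
    """Parse one audit line into a dict; raise on anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts, user, action, record = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "record": record}


def detect(log_text: str, bulk_threshold: int = 5, window_seconds: int = 300) -> List[dict]:
    """Run two rules over the audit log and return alerts in log order.

    unauthorised_access: the user's role does not permit the action (IDS-style)
    bulk_access:         one user touched >= bulk_threshold distinct records
                         inside window_seconds (DLP-style bulk-export precursor)
    """
    alerts: List[dict] = []
    recent = defaultdict(deque)  # user -> deque of (timestamp, record) in the window
    already_bulk: Set[str] = set()  # alert once per user, not on every further record
    for line in log_text.splitlines():
        ev = parse_line(line)
        role = ROLE_OF.get(ev["user"], "unknown")
        if ev["action"] not in ALLOWED_ACTIONS.get(role, set()):
            alerts.append({"rule": "unauthorised_access", "user": ev["user"], "role": role,
                           "action": ev["action"], "record": ev["record"]})
        window = recent[ev["user"]]
        window.append((ev["ts"], ev["record"]))
        # Drop events older than the sliding window (the newest entry always stays).
        while (ev["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {rec for _, rec in window}
        if len(distinct) >= bulk_threshold and ev["user"] not in already_bulk:
            already_bulk.add(ev["user"])
            alerts.append({"rule": "bulk_access", "user": ev["user"],
                           "records": sorted(distinct),
                           "span_seconds": (ev["ts"] - window[0][0]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the engineer's view and the payroll clerk's modify each raise an unauthorised-access alert, and the HR analyst's five distinct record views inside 185 seconds raise one bulk-access alert; the analyst's individual views are permitted, which is exactly why a volume rule is needed alongside the role rule.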
Social engineering events
“If you get a knock on the door and open it to someone wearing what looks like a police uniform, you’d normally take that person on face value, let them in and think they were someone who you can have a secure conversation with – people behave to social norms,” explains Shah. “What we increasingly see is cyber hackers trying to create events like this.”
These events – known as social engineering – could involve hackers finding out when an organisation is going through its performance review cycles and sending phishing emails asking managers to submit security information to confirm their teams’ bonuses. “You might think your organisation has done this deliberately to make the information secure, but this has been engineered to get you to hand over information,” says Shah.
He advises HR to send social engineering emails to its teams and wider workforce to test if they fall for them, and then provide more training for anyone who does.
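The email that opens this article, and the bonus-cycle phishing Shah describes, both rely on a message that looks like it came from someone the recipient trusts. The function below is an added example of the checks a mail gateway or an HR team's triage script can apply to incoming messages; it is not code from the article or from any firm quoted, and the corporate domain, the executive directory and both sample messages are constructed. It flags four indicators: a known executive's display name on an address that is not theirs, a sender domain one character away from the corporate domain, a Reply-To that would route replies elsewhere, and pressure wording in the subject line.

```python
import email
from email.utils import parseaddr
from typing import Dict, List

CORPORATE_DOMAIN = "example.com"  # assumed corporate domain for the example

# Constructed directory of people whose names are worth impersonating.
EXECUTIVE_DIRECTORY: Dict[str, str] = {
    "mark chief": "mark.chief@example.com",
}

URGENCY_WORDS = ("urgent", "today", "immediately", "confidential")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_indicators(raw_message: str) -> List[str]:
    """Return the list of indicators found in a raw RFC 822 message (empty if none)."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons: List[str] = []

    # 1. A known executive's name on an address that is not the one on file.
    expected = EXECUTIVE_DIRECTORY.get(display.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("display-name-impersonation")

    # 2. Sender domain is a single edit away from the corporate domain.
    if from_domain != CORPORATE_DOMAIN and levenshtein(from_domain, CORPORATE_DOMAIN) <= 1:
        reasons.append("lookalike-domain")

    # 3. Replies would go to a domain other than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        reasons.append("reply-to-mismatch")

    # 4. Subject line pressures the recipient to act quickly.
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        reasons.append("urgency-in-subject")
    return reasons


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: Mark Chief <mark.chief@examp1e.com>
Reply-To: mark.chief@mail-relay.example.net
To: juliette@example.com
Subject: Urgent: company financials

Please send the full financials.
"""

LEGITIMATE = """\
From: Mark Chief <mark.chief@example.com>
To: juliette@example.com
Subject: Board deck review

Draft attached for comments.
"""

if __name__ == "__main__":
    print("suspicious:", impersonation_indicators(SUSPICIOUS))
    print("legitimate:", impersonation_indicators(LEGITIMATE))
```

None of these indicators proves fraud on its own, so the sensible use is to score them and route anything with two or more to a human check, which is the step Rizkallah took by hand when she phoned her CEO. Checking the address against a directory rather than trusting the display name is the important part: the display name is whatever the sender chooses to write.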
The crucial thing, with the threats only getting more sophisticated, is for HR to keep up. “It’s changing literally by the hour,” says Shah. “As new technology comes out, there’s already someone figuring out how to break it.”
This piece appeared in the October 2019 HR Technology Supplement