· News

HR being deliberately targeted in cyber security attacks

Hackers are hoping to access data through HR professionals, so they must understand how to stay secure

Cyber attackers are increasingly targeting HR professionals to get hold of employee data, according to experts.

Jaqueline Davies, managing director of Audacity Associates, former HR director of the Financial Conduct Authority and former master of the Guild of HR Professionals, told HR magazine that she had heard “countless stories” of HR professionals being targeted.

Davies related how the infamous cyber hacker Kevin Mitnick had been hired by a Canadian business to see if he could access the organisation’s system. He found the details of its HR director on LinkedIn and asked a series of questions that led to it giving away the password to the company system via a link. Within 20 minutes Mitnick had accessed the personal and financial details of some 30,000 employees.

“I think there is a huge risk to HR professionals. We know that there are typically insider threats, and everyone in HR is aware of the disgruntled ‘rogue employee’ who might leak data after a bad experience. But the fact that HR are specifically being targeted as the gatekeepers made my blood run cold,” Davies said.

This risk correlates with the government’s Cyber Security Breaches Survey 2018 on the wider risk cyber attacks pose, which found that 43% of UK businesses and 19% of UK charities had experienced cyber security breaches or attacks in the 12 months from April 2017 to April 2018.

Michael Hoddy, client advisor and co-founder of cyber security consultancy The Technium Global, explained that organisations typically see breaches as a failure to grasp technology. But they actually need to understand how hackers operate psychologically.

“When we’re educating HR about these attacks it’s important for them to know that this isn’t necessarily a technology-led problem. This is based on social engineering; when someone knows the right questions to ask,” he said.

A lack of communication between departments makes HR vulnerable, Hoddy added: “There’s a wider problem surrounding cyber security generally with HR. The majority of data breaches are internal, and many of them are not malicious. So you can see that it’s a difficult problem for HR to tackle. Lots of organisations might carry out background checks but there can be huge implications for employees’ trust, and it’s understandable that HR might not want to address it.”

Sarah Morris, senior lecturer in forensic computing at Cranfield University, said that many in HR mistakenly believe cyber security to be outside of their remit.

“Training for HR in this area has been overlooked. A lot of people in HR have become reliant on IT for the security of electronic data, but they need to learn about social engineering and that this isn’t all down to technological expertise,” she said.

Part of the problem is HR professionals’ willingness to help, said Davies: “It’s within HR’s nature to want to be as helpful as possible. In this profession we are always thinking about other people, and tend to think of ourselves as ‘back office.’ We don’t always recognise the responsibility in our role and our place as gatekeepers.”

But the opposite should apply, said Davies: “When it comes to data we need to behave completely differently to how we would in any other situation; we have to be suspicious, and we have to be cynical.

“I would say audit the data you have access to, and ask yourself if you have anyone who is specifically responsible and accountable for this. HR leaders should think very carefully about how they handle this. Thorough vetting processes for new critical hires are an option, but in terms of privacy this does have a dark side,” she said.

Davies added that above all everyone across the workforce should be taught to be vigilant, and to think about the sort of information they are sending out online.