This morning I came into the office and was greeted by our human resources director. She asked why I would request to see all of our employee W-2s this morning, and whether I had a more specific request that she could help me with. I explained that I had not made such a request, and her suspicions about the email were confirmed.
We walked to her desk to find a spoofed and targeted email sent to our HR distribution group. The email appeared to come from me, requesting a copy of all W-2s. They had used our resume submission link to send the masked email. Thankfully, her guard was up and no action, click or response had occurred.
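The message described above has a recognizable shape: an executive's name in the display name, a sender address that is not the company's, a Reply-To pointing somewhere else, and a request for every employee's W-2. The following is an added example (not code from the original post) of a small triage check a mail team could run over such messages; the domain, executive name and the two sample emails are constructed for the example.

```python
import email
from email.utils import parseaddr

# Assumed values for the example (hypothetical, not from the post).
INTERNAL_DOMAIN = "example-company.test"
EXECUTIVE_NAMES = ("jane doe",)
W2_WORDS = ("w2", "w-2", "form w 2")
BULK_WORDS = ("all employee", "every employee", "all w2", "entire staff")

# Constructed sample: an executive's name on a message that came in through
# an external careers/resume form, with replies routed to a third address.
SPOOFED = """From: "Jane Doe, CEO" <no-reply@careers-form.test>
Reply-To: jane.doe.ceo@freemail.test
To: hr-team@example-company.test
Subject: W2 copies needed today
Content-Type: text/plain; charset=us-ascii

Hi team, please send me PDFs of all employee W2's before noon. Thanks, Jane
"""

# Constructed sample: an ordinary internal message from the same executive.
LEGIT = """From: "Jane Doe" <jane.doe@example-company.test>
To: hr-team@example-company.test
Subject: Lunch on Friday
Content-Type: text/plain; charset=us-ascii

Who is in for the team lunch?
"""

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return the list of reasons a message looks like a W-2 phishing attempt."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reasons = []
    # 1. Executive's name in the display name, but the sender is outside the company.
    if any(e in name.lower() for e in EXECUTIVE_NAMES) and from_domain != INTERNAL_DOMAIN:
        reasons.append("executive display name on an external sender address")
    # 2. Replies would go to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    # 3. Subject or body asks for tax forms in bulk.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    if any(w in text for w in W2_WORDS) and any(b in text for b in BULK_WORDS):
        reasons.append("bulk request for W-2 forms")
    return reasons
```

A message that trips all three checks is a strong candidate for quarantine and a phone call to the named executive before anything is sent.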
We used this attempt as an opportunity to reinforce the cyber vigilance our team must use. In the course of our standup meeting we discussed the increasing number of attacks targeting human resources. Over the past few months we have seen an uptick in these attacks.
To an attacker, human resources is a logical entry point and holds a treasure trove of sensitive data and valuable information. Depending on the company, human resources has personal information like:
· Social Security numbers and tax information
· Bank account information for ACH payroll
· Health information
· Home addresses and driver's license numbers
· 401k and retirement benefit information
· Life and disability benefit information
· Family member information
The list goes on and on…
Access to that information could provide a criminal with a valuable virtual fortune.
Human resources is also vulnerable because of its public presence. As recruiters, human resources staff are required to showcase what it's like to work for their company. Social media posts and advertising campaigns highlight benefits, show pictures, and identify job descriptions, salary information and other valuable details that help a hacker create a targeted attack. Hackers use that information to tailor their attack. The attacks can be personal and targeted because the hacker has so much information available.
Recruiters have lowered their email suspicions through habit. They are used to getting emails from personal addresses that may not look traditional. Most job seekers use personal, not business, accounts. BigBallerITGuy@gmail.com sends them resumes daily. Some of the strategies used by other departments to identify suspicious emails are forgotten in the hunt for good talent.
Opening resumes and cover letters from strange places is part of the job. Desperate talent searches call for desperate email practices. Some suspicious content is not only being read, but links are being clicked and attachments are being opened.
Finally, HR departments are frequently sending sensitive information to various third parties. This behavior can desensitize them to the importance of practicing vigilance when sending. This information includes:
· Health information and insurance requests
· Employment information in support of legal matters
· Compensation information for lending requests
· Family changes to benefits
· Previous employee requests for information
There are many more examples. The point is that HR departments are used to providing information from various sources to various people. This information is often sensitive, but handling it is part of the job description.
Hackers are aware of the vulnerabilities and the value of the data. We are increasingly seeing bad guys use HR departments as a gateway into company networks. While many companies work hard to protect client and payment data, human resources is often overlooked as a critical risk.
Human resource professionals must be vigilant. They must appreciate the power of the information they are asked to protect. They must be acutely aware of how their jobs require them to take cyber risks. And most importantly, they need to learn how to use best practices and security tools to protect that information.
If you are an HR professional, please speak with your IT team about the protections they have in place. Understand how you can send data securely. Determine where you should be storing information, and be hyper-vigilant with the emails you read and the attachments you open.
IT folks and business leaders, work with your company to educate people about the importance of this information. Even non-regulated companies can be held liable for leakage of this information, so make sure you are protected. Provide human resources with the tools they need to protect their data. Educate them on the tools you have in place and practice caution when it comes to sharing. Even better, check your information-sharing policies and reduce your risk by limiting such sharing.
Finally, this is a great reminder for business leaders to understand what you are responsible to protect. Companies store more data than ever before. Leaders often overlook just how much data they hold and are responsible for securing. We have a few toolkits you can use to understand the data you have and the risks of holding that information. Don’t get caught off guard, be cyber vigilant.