HR increasingly under fire from cybercriminals
• HR is almost as attractive to hackers as finance, and a successful attack on an unprepared HR department can be more lucrative and more commercially damaging.
• With employees representing the most likely gap in any enterprise's cybersecurity armour, HR departments must take a prominent role in raising cybersecurity awareness: developing skills and encouraging employees to avoid risky behaviour such as clicking on embedded links in messages from unknown parties.
This year, enterprises worldwide will spend more than ever, more than US$114 billion according to Gartner, on protecting themselves from cybersecurity breaches. And for good reason. Cybercrime is now such a big business that, if it were a country, it would rank 13th globally in terms of GDP.
Hong Kong is far from immune. Last year, the Hong Kong Computer Emergency Response Team (HKCERT) received 6,506 cyber complaints. About one in three concerned malware attacks – an 80% spike from the year before. In general, Hong Kong firms are probably a little behind other markets, such as Singapore, that typically have more cyber defences in place.
But how much a company spends on the latest security technology does not correlate directly with how secure it is. One of the biggest risks any firm faces will always come from the inside: its employees.
HR on the frontline
In phishing simulations, staff still open emails that are cunningly disguised as social media invitations or legitimate-looking internal messages, and they do so despite having been trained to spot phishing emails.
Worse, HR and finance staff, two departments that handle critically sensitive information, appear more likely to be misled by phishing emails than the average employee.
This unrelenting onslaught places a tremendous burden on businesses. Not just on the IT staff, but also on HR departments, which have the double-duty of protecting a wealth of sensitive data, as well as providing employees with ongoing education and training to thwart the latest crop of security threats.
Why pick on HR?
In many ways, HR is an obvious target. For a start, it is one of the most publicly visible departments in any business. So, it is comparatively easy to identify people and track down valid email addresses.
HR is also bombarded with communications of all kinds from all manner of individuals and organisations. Opening and reviewing documents – such as CVs from candidates applying for vacancies – is a key part of the function. So, unlike other departments, HR cannot simply delete emails with an attachment.
Because HR sits at the heart of most enterprises, it is also a target-rich environment. While most employees use a handful of applications in their day-to-day work, HR professionals may log in to a dozen different systems. If those systems are accessed from an infected machine, the attacker gains a foothold in every one of them, and malware can quickly spread through the business, creating a myriad of opportunities for ransomware attacks and other scams.
Hacks are not always a dash for cash
However, hackers aren't always looking for fast money. What they value most of all is information, especially personal details that can be used to build further attacks that pay off handsomely. And HR is the holy grail when it comes to confidential corporate information.
This kind of high-level information harvesting looks like the main motivator behind the recent SingHealth hack. Billed as Singapore’s worst cyberattack, hackers stole the personal particulars of 1.5 million healthcare patients, including the country’s Prime Minister.
When it comes to penetrating a business, a fraudster armed with details about senior executives can do quite a lot of damage. A convincingly concocted “urgent” request from a CEO to wire funds to a plausible-sounding supplier often yields results if the right person in finance receives it. With the right information from persistent employee reconnaissance, a scam-artist is able to jump through enough security hoops to authorise a fake payment that costs a company millions.
Security begins at home
As a core engine of corporate culture and promoter of continuous learning and best practices, HR cannot afford to be behind the curve in the security stakes. That makes learning and executing the basics of cyber self-defence imperative for any business that wants to prevail in the never-ending battle to outwit the digital bandits.
There is a lot that can be done. Several straightforward security controls help, such as disabling macros in Microsoft Office applications such as Word and Excel for the entire HR department, enforced centrally through Group Policy rather than left to each user's own settings. This removes one of the most prolific threats to in-house systems: malicious macros embedded in documents and designed to download and run malware on the victim's PC.
These days the cybercrime ecosystem will "rent" any hacker a malicious macro building toolkit for as little as US$40 a month. But if the macros in a Microsoft Office file cannot run because they have been disabled, the malicious code never executes, so it can neither infect the device nor spread. Where a few HR users genuinely need macros, the policy can instead block only macros in files that arrived from the internet (email attachments and downloads) while allowing digitally signed macros from trusted sources.
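HR cannot refuse attachments outright, but it can hold back the ones that carry macros. The following is an added example (not code from the original article or from Adura) of a triage rule a mail gateway or mailbox script could apply: it classifies each attachment by its content rather than its file extension, flagging OOXML files that embed a VBA project and legacy binary Office files that would need a deeper parser. The file names and document contents in SAMPLE_INBOX are constructed for the example.

```python
import io
import zipfile

# Magic bytes of the legacy binary Office container (OLE2 compound file, .doc/.xls).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"


def attachment_risk(data):
    """Classify an attachment by its content, not its file extension.

    Returns one of:
      'macro'  - OOXML package (docx/xlsx/pptx family) that embeds a VBA project
      'legacy' - binary OLE2 file (.doc/.xls); may carry macros, needs a deeper parser
      'clean'  - OOXML package without a VBA project
      'other'  - anything else (PDF, images, unknown or corrupt data)
    """
    if data.startswith(OLE_MAGIC):
        return "legacy"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = [n.lower() for n in archive.namelist()]
    except zipfile.BadZipFile:
        return "other"
    # A VBA project is stored as <app>/vbaProject.bin inside the package.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
        return "clean"
    return "other"


def should_quarantine(risk):
    """HR must still receive CVs, so only macro-bearing or opaque legacy files are held."""
    return risk in ("macro", "legacy")


def triage_attachments(attachments):
    """Map each attachment name to (risk, quarantined) for a mailbox rule or gateway hook."""
    result = {}
    for name, data in attachments.items():
        risk = attachment_risk(data)
        result[name] = (risk, should_quarantine(risk))
    return result


def build_ooxml(parts):
    """Build a minimal OOXML-style zip in memory (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in parts.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample inbox: names and contents are made up for this example.
_MACRO_DOC = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00\x01fake-vba-project",
})
SAMPLE_INBOX = {
    "cv_candidate_a.docx": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }),
    "cv_candidate_b.docm": _MACRO_DOC,
    "cv_candidate_c.docx": _MACRO_DOC,          # macro file renamed to look harmless
    "cv_candidate_d.doc": OLE_MAGIC + b"\x00" * 64,
    "cv_candidate_e.pdf": b"%PDF-1.4\n%constructed\n",
}

if __name__ == "__main__":
    for name, (risk, held) in triage_attachments(SAMPLE_INBOX).items():
        print(f"{name:22} {risk:7} {'QUARANTINE' if held else 'deliver'}")
```

The renamed file cv_candidate_c.docx is the case that an extension-based rule misses; checking for vbaProject.bin inside the package catches it regardless of the name. Legacy .doc/.xls files are quarantined here because detecting macros inside the OLE2 container needs a proper parser, which is out of scope for this example.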
Looking longer term, an in-depth review of the IT security infrastructure, carried out together with the in-house IT department, is a good idea. A good place to start is tightening email filtering rules and deploying email authentication such as Sender Policy Framework (SPF), which publishes in DNS the list of servers allowed to send mail for a domain so that receiving servers can reject forged senders. SPF only verifies the envelope sender, so it works best alongside DKIM and DMARC, and it only protects against forgery of your domain if the receiving mail gateway actually checks the record.
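To show what an SPF check actually does, here is an added example (not code from the original article) of a minimal evaluator for the ip4, ip6, include and all mechanisms, plus a sample gateway rule built on its result. The domain names and TXT records in TXT_RECORDS are constructed stand-ins for real DNS lookups; mechanisms that need live DNS (a, mx, ptr, exists) never match in this offline version.

```python
import ipaddress

# Constructed TXT records for hypothetical domains; a real check would query DNS.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "legacy.example": "v=spf1 ip4:192.0.2.0/24 ?all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sending_ip, records=TXT_RECORDS, depth=0):
    """Evaluate the SPF record of the MAIL FROM domain against the connecting IP.

    Returns pass / fail / softfail / neutral / none / permerror as in RFC 7208.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms such as include at 10
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # a bare mechanism means "+" (pass)
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        matched = False
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            matched = ip in network          # False when IP versions differ
        elif mechanism == "include":
            # include matches only when the referenced record evaluates to pass
            matched = check_spf(argument, sending_ip, records, depth + 1) == "pass"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                          # nothing matched and no 'all' term


def gateway_action(spf_result):
    """Example filtering rule a receiving gateway could apply to the SPF result."""
    if spf_result == "fail":
        return "reject"
    if spf_result in ("softfail", "permerror"):
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    for ip in ("203.0.113.55", "198.51.100.10", "2001:db8:1::7", "192.0.2.9"):
        result = check_spf("example.com", ip)
        print(f"{ip:16} {result:9} -> {gateway_action(result)}")
```

The "-all" at the end of example.com's record is what makes a forged sender fail; a domain that publishes "?all" (legacy.example above) gives receivers nothing to act on, which is why an SPF review should end with a hard fail once every legitimate sending server has been listed.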
Spreading the word
Security awareness and phishing training for HR staff should also be a priority. Once the HR team has been tested and trained, the next step is to make sure that security awareness is extended throughout the organisation.
Unfortunately, there is no silver bullet or an effective one-time fix. Achieving genuine security requires an on-going effort to educate staff, encourage best practices, and discourage risky behaviour. Fortunately, that’s exactly the kind of long-term project at which good HR departments excel.
Security awareness training should be extended to the entire company. Not just sharing simple training slides or a quarterly mention in the company newsletter, but interactive phishing simulation exercises that test a user's ability to identify potentially dangerous approaches. If they avoid clicking the link or opening the attachment, such as a malware-infected Word document, they pass the exercise. If they make a mistake, they are directed to a security awareness course that explains exactly where they went wrong.
Repetition is the secret of successful security training. Rolling out exercises at random every few months keeps staff on their toes: they cannot know whether the next email is a test from HR or an actual attack, so they pay more attention. Frequency is typically higher at the beginning and drops back once the click rate (the proportion of recipients who click the simulated link or open the attachment) falls to around 5%.
To take the edge off the process and improve morale, HR can offer modest rewards, such as coffee shop coupons, to staff who pass. Employees who maintain a "clean" security record might even win a more substantial incentive, like an extra vacation day. That might sound expensive, but it is peanuts compared to the cost of a serious data breach.
Maintaining momentum is critical to ongoing security
That’s the carrot. But, what about the stick? As long as employees are fully aware of their responsibilities, discipline isn’t usually an issue. For example, clean desk policies, which cover things like not leaving any confidential information on view when you aren’t present, are commonplace. The same approach must apply to cybersecurity. Staff need to understand that serious breaches could be grounds for termination.
A clear Code of Cybersecurity Conduct should be created and communicated to all staff via HR. And breaches, if and when they occur, should be treated in a manner that is both measured and appropriate.
Staff that regularly fail simulations should be given verbal feedback and written warnings. If they need additional support, one-on-one or small group sessions with security experts may be a good idea.
As long as employees continue to pose a persistent threat to any enterprise, it is critical that HR departments take on a prominent role. That means raising cybersecurity awareness, developing skills, and encouraging employees to avoid risky behaviour. Ultimately, developing a security culture can achieve more than technology alone.
This article was first published (in Hong Kong) in HKIHRM Magazine September 2018 issue
By: Anwar McEntee
Senior Business Development Manager, Adura Cyber Security
Based in Asia since 2001, Anwar combines a strong understanding of the region with extensive experience in the industry to deliver tailored cyber security insights for organisations in Asia.