Your organization’s C-suite isn’t the only part of the business at risk from cyberattacks. Cybercriminals frequently target human resources (HR) departments with the goal of collecting financial and personally identifiable information (PII). HR departments are both more exposed than most business units, because their work requires opening files from strangers, and the keepers of a great deal of personal and confidential information.
HR departments need to be aware that they may be the target of cyberattacks and have to be proactive about their cybersecurity.
A Quick Look at HR-Related Attacks
In the past few years there have been a number of high-profile attacks aimed at HR. Organizations have found themselves crippled by ransomware, and thousands of employees have discovered that their employer unwittingly disclosed their personal information, exposing them to identity theft and financial fraud.
In December 2016 and into 2017, the GoldenEye ransomware campaign (a Petya variant) targeted HR departments with fake job applications. HR departments are used to receiving large volumes of e-mail attachments, most often PDFs. The GoldenEye e-mails paired a harmless-looking PDF cover letter with an Excel spreadsheet whose embedded macro, once the recipient enabled macros, installed the ransomware; to many HR representatives the spreadsheet looked no more suspicious than any other applicant document. GoldenEye encrypted the victim’s files and then the disk’s master file table, leaving the machine unbootable, and demanded roughly 1.3 bitcoin, about $1,000 at the time, to restore access.
Where GoldenEye was after ransom, other attacks have been after information. In early 2016, the Internal Revenue Service (IRS) warned payroll and HR departments about phishing schemes designed to collect employees’ personal information. The e-mails appeared to come from company executives (the pattern now called business e-mail compromise) and requested items such as copies of employee Form W-2s. Many HR managers simply replied with the documents, producing wide-scale breaches of Social Security numbers, dates of birth, and addresses that could be used for identity theft and fraudulent tax returns.
Around 2014, criminals were also targeting HR departments with Gameover ZeuS, a banking trojan built to steal online-banking credentials. HR was a natural social-engineering target: attackers used job postings on sites such as Monster and CareerBuilder to identify whom to spear-phish, then sent malware-laden “résumés” in response. Once installed, the trojan captured what was typed into web forms, including payroll and banking logins, which let the criminals add fake employees to the payroll and drain HR-controlled bank accounts.
These three attacks are very different, with objectives ranging from ransom to harvesting employee data to stealing the organization’s money directly. What they share is the entry point: each exploited the way HR departments work and the weaknesses in their security.
But why are bad actors so interested in HR?
Why Target HR’s Cybersecurity Vulnerabilities?
HR departments are the gatekeepers of a significant amount of personal data. Forms W-2 and 1099 and other employee records contain not only PII but also financial information, and any company that pays by direct deposit holds its employees’ bank account details. Bad actors target HR simply because it is the most expedient place to collect the data they need.
That isn’t the only reason. As GoldenEye showed, HR is a weak point in many organizations from a security perspective. HR departments exist to take in information from outside: to keep hiring, they must accept and open files from strangers who are not on the network. HR managers are accustomed to opening unfamiliar documents and regularly see unusual formats from applicants who submit a résumé or portfolio as a nonstandard file type, so a malicious attachment does not stand out.
HR departments are also rarely first in line for new security technology. They are more likely to run older, HR-specific applications that are not kept patched, on endpoints whose antivirus definitions lag behind, and HR staff aren’t always current on cybersecurity practice: they may not recognize a common phishing attempt or know the attack trends of the moment.
What HR Departments Can Do about Cyberattacks
Training is always important, but it cannot be the main defense against these attacks. HR departments have to interact with the outside world, and many HR staff have no security background.
Awareness training alone is unlikely to stop an HR professional from opening an innocent-looking e-mail with the subject line “my résumé.” The system itself needs to protect the company from the consequences of an HR representative clicking the wrong link. Given the volume of files HR departments receive, expecting employees to catch every malicious attachment is not realistic.
To start, departments can route job-application traffic (the applicant mailbox and its attachments) to a single dedicated workstation that is isolated from the rest of the network, which limits what a compromise can reach. If ransomware like GoldenEye detonates on such a device, little of value is lost and the encrypted machine can simply be wiped and rebuilt. That holds only if the workstation stores no data worth keeping and has no access to shared drives, HR systems, or credentials beyond the intake mailbox itself: applications should be copied off it only after they have been checked. Since most HR departments cannot stop accepting files, the goal is to accept them in the most convenient and lowest-risk way, and isolating the HR intake machines from the network as a whole keeps any malware from propagating.
Where malware does reach HR machines, or routing all intake to one system isn’t practical, advanced malware detection can identify and contain the threat before real damage is done. Many current attacks are built specifically to evade signature-based detection.
Signature-based antivirus (static matching against samples already seen) struggles here because attackers repack and mutate their code automatically, so the files in each campaign differ from anything in a signature database. Advanced malware detection instead relies on dynamic analysis: it executes the attachment in an instrumented environment and watches what it does, flagging the behaviors engineered into the malware, such as dropping files, persisting across reboots, or encrypting user data, rather than the bytes it arrives in. Such systems can tell when an application, attachment, or webpage is acting maliciously regardless of file type, and can quarantine the item.
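As an added example (not Lastline’s code or product, and not part of the original post), here is a Python triage step that a dedicated intake workstation or mail gateway could run over every applicant attachment before a person opens it. It does not replace the dynamic analysis described above; it applies the structural checks a static scanner can still make reliably even when the payload has been freshly repacked: identify the real container from its first bytes rather than its name, refuse executables and double extensions such as résumé.pdf.exe, and detect a VBA project inside an Office document whatever the file is called (the GoldenEye lure was exactly a macro spreadsheet posing as a job application). The allowed-type policy, the function names, and every sample file are assumptions constructed for the demonstration.

```python
"""Static triage of applicant attachments before a person opens them.

Added example, not Lastline's code. The intake policy (which file types
pass) and every sample file are assumptions constructed for this demo.
"""
import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath

# Example policy: only PDFs and macro-free OOXML documents pass straight to HR.
ALLOWED = {".pdf", ".docx", ".xlsx", ".pptx"}
EXPECTED_CONTAINER = {".pdf": "pdf", ".docx": "ooxml", ".xlsx": "ooxml", ".pptx": "ooxml"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


@dataclass
class Verdict:
    accept: bool
    reason: str


def sniff_container(data: bytes) -> str:
    """Identify the container from its first bytes; the filename is not trusted."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"          # Windows executable, whatever it is named
    if data.startswith(OLE2_MAGIC):
        return "ole2"        # legacy .doc/.xls; macro-capable by design
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    return "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """True if an Office package carries a VBA project, regardless of its extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if any(PurePosixPath(n).name.lower() == "vbaproject.bin" for n in zf.namelist()):
            return True
        types = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        return "macroenabled" in types or "vbaproject" in types


def triage(filename: str, data: bytes) -> Verdict:
    """Apply the intake policy to one attachment."""
    suffixes = PurePosixPath(filename.lower()).suffixes
    ext = suffixes[-1] if suffixes else ""
    # "resume.pdf.exe": an allowed-looking extension hiding a disallowed real one.
    if len(suffixes) >= 2 and suffixes[-2] in ALLOWED and ext not in ALLOWED:
        return Verdict(False, f"double extension {''.join(suffixes[-2:])}")
    if ext not in ALLOWED:
        return Verdict(False, f"extension {ext or '(none)'} outside intake policy")
    kind = sniff_container(data)
    if kind != EXPECTED_CONTAINER[ext]:
        return Verdict(False, f"{ext} name but {kind} content")
    if kind == "ooxml" and ooxml_has_macros(data):
        return Verdict(False, "Office document carries a VBA project")
    return Verdict(True, f"{kind} content matches {ext}, no active content")


# --- constructed samples (not real applicant files) -------------------------
def _ooxml(parts) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


_TYPES = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">%s</Types>'
_WORD_CLEAN = _TYPES % b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
_XLS_MACRO = _TYPES % (
    b'<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
    b'<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')

SAMPLES = {
    "resume.pdf": b"%PDF-1.4\n% constructed sample\n",
    "cv.docx": _ooxml({"[Content_Types].xml": _WORD_CLEAN, "word/document.xml": b"<w:document/>"}),
    # GoldenEye-style lure: a macro workbook handed over under a plain .xlsx name
    "application.xlsx": _ooxml({"[Content_Types].xml": _XLS_MACRO,
                                "xl/workbook.xml": b"<workbook/>",
                                "xl/vbaProject.bin": OLE2_MAGIC + b" constructed stub"}),
    "resume.pdf.exe": b"MZ\x90\x00 constructed stub",
    "portfolio.pdf": _ooxml({"mimetype": b"application/zip"}),   # a zip wearing a .pdf name
    "cv.xls": OLE2_MAGIC + b" constructed stub",
}


def triage_samples():
    """Run every constructed sample through the policy; returns {filename: Verdict}."""
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in triage_samples().items():
        print(f"{'PASS' if v.accept else 'QUARANTINE':<10} {name:<18} {v.reason}")
```

Run as a script it prints one verdict per sample: the plain PDF and the macro-free .docx pass, and the macro workbook, the double-extension executable, the zip named .pdf and the legacy .xls are all held back. In a real deployment the quarantine branch should hand the file to the sandbox for the behavioral analysis discussed above rather than delete it, since a legitimate applicant may simply have chosen an unusual format.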
Casey Jenkins is the Head of People Operations at Lastline.