We’re almost through 2017 and the world has suffered significant cyber attacks with no indication that hackers will relent.
The year began with the remnants of the GoldenEye attack, ransomware specifically targeted at HR departments.
May brought the WannaCry ransomware to over 150 countries and in late June, NotPetya hit over 65 countries.
In September, consumers learned that Equifax had been breached in July, affecting a majority of the US population. Cyber attacks will continue to wreak global havoc as hackers target vulnerabilities with the greatest rewards.
Given the sensitive, exploitable personal data HR departments store and the propensity of HR employees to open unsolicited emails, the HR industry is a top target for hackers.
In the case of GoldenEye, the ransomware was hidden in a Microsoft Excel document of a seemingly legitimate job applicant sending their CV and aptitude tests for consideration.
Hackers also often use spear phishing to make requests for money or information. There was a case where a hacker used an email address similar to the company president's to request employees' W2 information and the HR department mistakenly sent the hacker 900 employees' tax information.
Two years ago, the U.S. Office of Personnel Management was hacked, and the personal data of millions of past and present federal employees was stolen including names, addresses, Social Security numbers, and other information that could be used for identity theft and blackmail.
HR is a lucrative target for hackers due to the value of information and ease of entry. But despite continued cyber attacks, the HR industry has failed to implement significant changes.
The HR industry needs to shift from a retroactive to a proactive approach to cybersecurity. In order to make it more difficult for hackers to gain access, HR departments need to do these three things:
1. Practice good cyber hygiene
The simplest way an organization can help protect itself from a cyber attack is to practice good cyber hygiene.
Cybercriminals are looking for a quick profit and seek the easiest targets. Actions that make an organization more difficult to exploit will often lead a cybercriminal to pass over the opportunity and move on to an easier target. Below are actions an organization can take to improve its cyber hygiene:
Utilize strong unique passwords
Use multi-factor authentication as often as possible
Never download third-party applications
Be cautious when surfing the web -- go only to trusted sites
Ensure the network is private and protected with firewalls
Utilize anti-virus software
2. Raise phishing awareness
As exemplified by the GoldenEye attack, the primary way cybercriminals choose to target HR departments is through phishing attacks.
HR departments should be educated and trained on phishing attacks. Key points in the training should include these:
Never download/click on files/links from an unverified sender
Be aware of spoofed email addresses or addresses that may be off by a single letter
Report any email that makes monetary or sensitive information requests
Keep phishing top of mind: refresh training regularly and discuss phishing attacks in the news
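One way to turn the "off by a single letter" warning and the W-2 request scenario above into an automated mail-filter check, as an added example that is not part of the original article: it flags senders within one edit of the company domain or of an executive's address, and escalates when such a message asks for tax or payment data. The domain, executive address and phrase list are constructed placeholders.

```python
# Constructed trusted senders (placeholders, not real addresses).
TRUSTED_DOMAIN = "example-hr.com"
EXECUTIVE_ADDRESSES = {"president@example-hr.com"}
# Phrases that turn a lookalike sender into a high-priority report.
SENSITIVE_TERMS = ("w2", "w-2", "wire", "payroll", "social security", "ssn")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 means the strings differ by a single letter
    (one substitution, insertion or deletion)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, subject: str, body: str) -> str:
    """Return 'trusted', 'lookalike', 'lookalike+sensitive' or 'external'."""
    sender = sender.lower().strip()
    if sender in EXECUTIVE_ADDRESSES:
        return "trusted"
    _, _, domain = sender.rpartition("@")
    # An address one edit away from an executive's is suspicious even when
    # the domain itself is ours (display-name and header spoofing exist).
    exec_lookalike = any(edit_distance(sender, e) == 1 for e in EXECUTIVE_ADDRESSES)
    if domain == TRUSTED_DOMAIN and not exec_lookalike:
        return "trusted"
    # Domain off by one character, e.g. a dropped, swapped or added letter.
    # Note: homoglyph tricks such as "rn" for "m" are two edits and need a
    # separate normalisation step not shown here.
    if not exec_lookalike and edit_distance(domain, TRUSTED_DOMAIN) != 1:
        return "external"
    text = f"{subject} {body}".lower()
    if any(term in text for term in SENSITIVE_TERMS):
        return "lookalike+sensitive"
    return "lookalike"


if __name__ == "__main__":
    # Constructed sample messages modelled on the W-2 request case.
    samples = [
        ("president@example-hr.com", "Lunch", "Free at noon?"),
        ("president@example-hr.co", "Urgent", "Send all employee W2 forms today"),
        ("presldent@example-hr.com", "Quick question", "Can we meet?"),
        ("recruiter@otherfirm.com", "CV attached", "Please find my resume attached"),
    ]
    for sender, subject, body in samples:
        print(f"{sender:30} -> {classify_sender(sender, subject, body)}")
```

Messages classified as "lookalike+sensitive" are the ones the training above says to report before anyone replies; routing them to a review queue rather than the recipient's inbox removes the chance of a mistaken send.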
3. Protect data
Unfortunately, hackers will always find a way to gain access, so the best way to protect an organization is by encrypting data on the servers and utilizing an email encryption service.
By using encryption, even if a hacker gains access to the network or email account, any data they steal is unreadable without the encryption keys.
In addition, organizations need to maintain backup servers so they are never forced to pay ransoms to hackers who have stolen their data. Through encryption and data backups, organizations can protect themselves and eliminate cybercriminals' profit.
HR is entrusted with the most sensitive employee and organization records; how many more cyber attacks will it take for the industry to make a change?
Instead of waiting for the next attack to implement change, begin today by increasing cyber hygiene, educating employees on phishing attacks, and considering network and email data encryption.
Idan Udi Edry is the newly announced CEO of Trustifi, a cybersecurity company specializing in email encryption services and security.