When hackers attack, human resources (HR) is one of the first places they hit. HR is a popular target because HR staff have access to data that is marketable on the dark web, including employees' names, birth dates, addresses, Social Security numbers, and W-2 forms. To get that information, hackers use everything from phishing, to posing as company executives asking for internal documents (a form of phishing some call "whaling"), to exploiting vulnerabilities in cloud-based payroll and HR services.
To fight back, companies have to follow safe computing protocols. That includes training HR people and other employees to be on their guard for scams, adopting practices that protect data, and vetting vendors of cloud-based HR technology. In the not-too-distant future, biometrics and artificial intelligence (AI) may also help.
Cyberattacks aren't going away; if anything, they're getting worse. Companies of all sizes are susceptible to cyberattacks. Small businesses, though, might be at greatest risk because they generally have fewer people on staff whose sole task is to keep an eye out for cybercrime. Bigger organizations might be able to absorb the costs associated with an attack, including paying for a couple of years' worth of credit reports for employees whose identities have been stolen. For smaller enterprises, the consequences of digital pilfering could be devastating.
It's not hard to find examples of HR data breaches. In May, hackers combined social engineering with weak security practices at ADP customers to steal those customers' employees' Social Security numbers and other personnel data. In 2014, hackers used stolen log-in credentials at an undetermined number of customers of Ultimate Software's UltiPro payroll and HR management suite to steal employee data and file fraudulent tax returns, according to Krebs on Security.
In more recent months, HR departments at numerous companies have been on the receiving end of W-2 tax form whaling scams. In several well-reported instances, payroll department and other employees handed W-2 tax information to hackers after receiving a spoofed email that looked like a legitimate request for documents from a company executive. In March, Seagate Technology said it inadvertently shared W-2 tax form information for "several thousand" current and former employees through such an attack. A month earlier, Snapchat said an employee in its payroll department had sent payroll data for "a number" of current and former employees to a scammer posing as CEO Evan Spiegel. Weight Watchers International, PerkinElmer Inc., Bill Casper Golf, and Sprouts Farmers Market Inc. have also been victims of similar ruses, according to the Wall Street Journal.
Making employees aware of potential dangers is the first line of defense. Train employees to recognize what would and wouldn't appear in an email from a company executive, such as how that executive typically signs their name. Pay attention to what the email is asking for: an executive who already has access to payroll or financial data has no reason to ask HR to email it, so the request itself is a red flag. Before sending employee data to anyone, confirm the request through a second channel, such as a phone call to the executive's known number or a walk to their office.
One researcher at the Black Hat cybersecurity conference in Las Vegas this week suggested that businesses tell their employees to be suspicious of all email, even if they know the sender or if the message fits their expectations. That same researcher admitted phishing awareness training can backfire if employees spend so much time checking to make sure individual email messages are legitimate that it decreases their productivity.
Awareness training can be effective, if the work of cybersecurity training company KnowBe4 is any indication. Over the course of a year, KnowBe4 regularly sent simulated phishing emails to 300,000 employees at 300 client companies to train them to spot red flags. Before the training, 16 percent of the employees clicked on links in the simulated phishing emails; 12 months later, that number had dropped to 1 percent, according to KnowBe4 founder and CEO Stu Sjouwerman.
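The tells described above (an executive's display name on an address that isn't theirs, a look-alike sender domain, a Reply-To that quietly points elsewhere, and a request for W-2 or payroll data) can also be checked by software before the message reaches a payroll inbox. The following is an added example, not code from the article or from any vendor it names; the company domain, executive directory, and the two sample messages are constructed for illustration, and the `.invalid` reply domain is a reserved name that resolves to nothing.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed data for this example: a hypothetical company domain and a
# directory of executives' real addresses keyed by lower-cased display name.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "pat chen": "pat.chen@example.com",      # hypothetical CEO
    "sam rivera": "sam.rivera@example.com",  # hypothetical CFO
}
# Terms that signal a request for the kind of data W-2 scams are after.
SENSITIVE_TERMS = ("w-2", "w2", "social security", "ssn", "payroll data", "wire transfer")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 822 message; empty means nothing odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(addr)
    findings = []

    # 1. An executive's display name, but not the address on file for them.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' is an executive but address is {addr}, not {expected}")

    # 2. Sender domain is a near-miss of the company domain.
    if from_domain and from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} looks like {COMPANY_DOMAIN}")

    # 3. Replies are redirected to a domain other than the apparent sender's.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} points to a different domain than From")

    # 4. The message asks for the data these scams collect.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits:
        findings.append("asks for sensitive data: " + ", ".join(hits))
    return findings


def is_whaling_suspect(raw: str) -> bool:
    """True when a sender-identity anomaly (findings 1-3) coincides with a data request."""
    findings = score_message(raw)
    identity_issue = any(not f.startswith("asks for") for f in findings)
    data_request = any(f.startswith("asks for") for f in findings)
    return identity_issue and data_request


# Constructed sample messages (not real mail).
SPOOFED = """From: Pat Chen <pat.chen@examp1e.com>
Reply-To: pat.chen@mailbox-reply.invalid
To: payroll@example.com
Subject: W-2s for all employees

Hi, I need last year's W-2 forms for every employee as a PDF today. Thanks, Pat
"""

LEGIT = """From: Pat Chen <pat.chen@example.com>
To: payroll@example.com
Subject: Lunch Thursday

Are you free for lunch Thursday? Pat
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, is_whaling_suspect(raw), score_message(raw))
```

The script deliberately flags only the combination of an identity anomaly and a data request, so a genuine executive asking a routine question is not flagged. A message from the executive's real address that asks for W-2s still passes this filter, which is why the out-of-band phone call remains the control of record: a compromised mailbox shows none of the header tells.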
Store Data in the Cloud
Another way to blunt phishing or whaling attacks is to keep company information encrypted in a cloud service rather than in documents or folders on desktops or laptops. If documents live in the cloud, an employee who falls for a phishing request would only be sending a link, and the recipient would still have to sign in to the service to open or decrypt the file. That protection holds only if the link requires authentication; a file shared as "anyone with the link can view" is effectively an attachment. OneLogin, a San Francisco company that sells identity management systems, has banned local files in its office, a feat OneLogin CEO Thomas Pedersen has blogged about.
"It's for security reasons as well as productivity," said David Meyer, OneLogin's cofounder and Vice President of Product Development. "If an employee's laptop is stolen, it doesn't matter because nothing's on it."
Meyer advises businesses to vet the HR tech platforms they're considering to understand what security controls the vendors offer. ADP wouldn't comment on the recent break-ins that hit its customers. An ADP spokesman did say the company provides education, awareness training, and best-practice information to clients and consumers on preventing common problems such as phishing and malware, and that an ADP financial crimes monitoring team and client support groups notify clients when the company detects fraud or attempted fraudulent access. Ultimate Software put similar precautions in place after the 2014 attacks on UltiPro users, including multi-factor authentication for its customers, according to Krebs on Security.
Depending on where your business is located, you may have a legal obligation to report digital break-ins to the proper authorities. In California, for example, companies must report a breach in which the names and personal information of more than 500 employees have been stolen. It's a good idea to consult a lawyer to find out what your duties are, according to Sjouwerman.
"There's a legal concept that requires you to take reasonable measures to protect your environment, and if you don't, you're essentially liable," he said.
Use Identity Management Software
Companies can protect HR systems by using identity management software to control log-ins and passwords. Think of identity management systems as single sign-on for the enterprise. Instead of relying on HR staff and employees to remember, and protect, separate usernames and passwords for each platform they use for payroll, benefits, recruiting, scheduling, and so on, they use a single log-in to access everything. That helps employees who would otherwise forget passwords to HR systems they only log into a few times a year, and who might therefore write them down or store them online where they could be stolen. The trade-off is that one credential now unlocks everything, so that log-in itself must be protected with a second factor.
Companies can use an identity management system to require two-factor authentication for HR system administrators, or use geofencing to restrict log-ins so admins can only sign in from a certain location, such as the office network.
"All these security risk tolerance levels for different people and different roles aren't features in HR systems," OneLogin's Meyer said.
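The role-based rules just described (which HR applications a role may reach, who must present a second factor, and whose logins are confined to the office network) are what an identity provider evaluates on every sign-in. The following is an added example of that policy check, not code from OneLogin or any other product named in the article; the roles, application names, and office address range (203.0.113.0/24, a documentation-only block) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy. Office egress ranges use TEST-NET-3 (203.0.113.0/24),
# a documentation block, so nothing here describes a real network.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Which HR applications each role may reach through the single sign-on portal.
# Deny by default: a role not listed here gets nothing.
APP_ACCESS = {
    "hr_admin": {"payroll", "benefits", "recruiting", "scheduling"},
    "hr_staff": {"benefits", "recruiting", "scheduling"},
    "employee": {"benefits", "scheduling"},
}
# Per-role strength requirements: admins need a second factor AND an office IP.
REQUIRE_MFA = {"hr_admin", "hr_staff"}
OFFICE_ONLY = {"hr_admin"}


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    role: str
    app: str
    source_ip: str
    mfa_passed: bool


def in_office(source_ip: str) -> bool:
    """True if the address falls inside one of the office egress networks."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparsable address: treat as off-site, never as trusted
    return any(addr in net for net in OFFICE_NETWORKS)


def evaluate(attempt: LoginAttempt) -> tuple[bool, str]:
    """Decide whether to let the attempt through; returns (allowed, reason).

    Checks run cheapest-first and every failure is a hard deny, so an admin
    from a hotel network is refused even with a valid second factor.
    """
    allowed_apps = APP_ACCESS.get(attempt.role)
    if allowed_apps is None:
        return False, f"unknown role {attempt.role!r}"
    if attempt.app not in allowed_apps:
        return False, f"{attempt.role} may not use {attempt.app}"
    if attempt.role in REQUIRE_MFA and not attempt.mfa_passed:
        return False, "second factor required for this role"
    if attempt.role in OFFICE_ONLY and not in_office(attempt.source_ip):
        return False, f"{attempt.role} logins restricted to office networks; got {attempt.source_ip}"
    return True, "allowed"


def audit_line(attempt: LoginAttempt) -> str:
    """One log line per decision, so denials are visible to whoever watches for fraud."""
    allowed, reason = evaluate(attempt)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={attempt.user} role={attempt.role} app={attempt.app} ip={attempt.source_ip} mfa={attempt.mfa_passed} reason={reason}"


if __name__ == "__main__":
    # Constructed attempts (198.51.100.0/24 is another documentation block).
    for a in (
        LoginAttempt("alice", "hr_admin", "payroll", "203.0.113.10", True),
        LoginAttempt("alice", "hr_admin", "payroll", "198.51.100.5", True),
        LoginAttempt("bob", "hr_staff", "benefits", "198.51.100.5", False),
        LoginAttempt("carol", "employee", "payroll", "203.0.113.10", True),
    ):
        print(audit_line(a))
```

Putting the rules in one evaluator rather than in each HR application is the point Meyer makes: the payroll vendor's own login page typically cannot express "this user may sign in, but only with a token and only from the office", while the identity provider in front of it can.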
HR tech vendors and cybersecurity firms are working on other techniques for preventing cyberattacks. Eventually, more employees will log into HR and other work systems using biometrics such as fingerprint or retina scans, which are harder for hackers to steal or guess than a password, though unlike a password, a fingerprint cannot be changed if the stored template is ever leaked. In the future, cybersecurity platforms may include machine learning that lets software train itself to detect malicious software and other suspicious activity on computers or networks, according to a presentation at the Black Hat conference.
Until those options are more widely available, HR departments will have to rely on their own awareness, training employees, available security measures, and the HR tech vendors they work with to avoid trouble.