[BreachExchange] Recruiting the good, blocking the bad: HR and cyber-attacks

Destry Winant destry at riskbasedsecurity.com
Fri Apr 26 09:26:20 EDT 2019


https://www.trainingjournal.com/articles/features/recruiting-good-blocking-bad-hr-and-cyber-attacks

Guarding so much sensitive information, the human resources department
of any organisation is a juicy target for cybercriminals. All the
financial and personal information, including National Insurance
numbers, dates of birth, bank details and home addresses it holds
makes an HR department a magnet for malicious actors.

But when the vault with your most important and sensitive data about
current and prospective employees is also one of the easiest access
points for hackers, the margin for error in your security strategy is
practically non-existent.

Recruitment agencies and HR departments are constantly bombarded with
emails and attachments from aspiring talent, making them an ideal
target for hackers and cybercriminals. Staff cannot avoid opening
emails and attachments from people they do not know.

This means the job description of a recruiter is no longer just about
attracting able candidates; recruiters must be cyber-conscious,
spotting threats before their organisation’s infrastructure is
compromised.

A prime example was the variant of the Petya ransomware, GoldenEye, a
campaign in 2017 that distributed ransomware through malicious email
attachments aimed at HR departments via fake job applications. This
was a specific effort to abuse the fact that HR employees must open
emails and attachments from unknown sources.

While many companies have room for improvement in their
threat-prevention plans, they must also turn their focus to their
employees' awareness of the dangers associated with email
correspondence. Here are some ways HR executives can keep their
company safe from the malicious attachment, a cybercriminal's go-to
weapon, while keeping the wheels in their department turning.

The basics

While it seems like one of the basics, ensuring your HR team is
properly vetted is one of the most important first steps a company can
take to secure its information.

HR professionals should be of the highest character and integrity
given that they will handle the most sensitive employee data and be
involved in some of the most complex organisational issues such as
recruiting, promoting, and even firing of staff. There should be extra
scrutiny for those charged with working through and handling the data
for the most intimate of situations in an organisation.

Training, vigilance and good communication with the information security team

While many HR employees don't have a cybersecurity background, they do
play a crucial role in thwarting cyber-attacks. They need to be aware
of and practise fundamental principles of information security such as
being alert to suspicious grammar, wording and URLs, and not opening
emails or attachments that raise concerns.

They also need to be diligent about alerting their information
security teams when correspondence is viewed as suspicious. In fact,
it is critical that the HR and information security teams have
well-established, open communication channels so that everyone is
aware of their role and responsibility when an incident occurs.

Not only are HR staff the last line of defence against attacks
targeted through their department, but they are also empowered to
train employees and implement cybersecurity policies in the company as
a whole. Knowing how to spot suspicious activity, training other
employees to do the same, and enforcing that expectation will help
immensely.

Implement effective tools

While it's important for HR personnel to be vigilant, investment in
effective tools for securing the company perimeter is also critical.
Although most organisations have numerous security products in place,
older technologies like anti-virus are only effective to a certain
point.

It’s well established that detection-based products like AV frequently
fail when faced with the most elusive, advanced persistent threats.
Even technologies like sandboxes are seen as increasingly porous, with
new variants of malware designed to be ‘sandbox aware’.

With clear limitations on what both security software and humans can
detect, new methods of defence like file-regeneration technology are
coming to the fore.

Rather than trying to identify and block the 'known bad' which, aside
from being increasingly ineffective, also results in a high number of
'false positives,' file-regeneration technology rebuilds each incoming
file from its parsed content, keeping only what is needed to display it
and discarding macros, embedded objects and scripts whether or not they
have been seen before. The result is a safe, clean and visually
identical copy of the file. This alleviates the pressure on HR staff
and recruiters to spot malicious documents, allowing them to open every
file with confidence and remain focused on their work. The caveat a
practitioner should insist on is that a file the regenerator cannot
parse must be quarantined, not passed through, and that the original
is retained for the security team rather than silently discarded.
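As an added worked example, not code from the article or from any product it alludes to, the following Python sketches the regeneration approach for a Word document. Instead of scanning the file for known-bad signatures, it copies only inert parts of the OOXML package into a fresh archive and drops the VBA project, embedded OLE objects and ActiveX controls, together with the relationships and body anchors that reference them, then retargets the main part to the non-macro content type. The macro-enabled "job application" it processes is constructed inline from placeholder bytes (no real macro is involved); the part allow-list, helper names and regular expressions are my choices, and a commercial regenerator would parse and rebuild the XML itself rather than pattern-match it.

```python
"""Minimal file regeneration (content disarm and reconstruction) for .docm/.docx.

Added example, not the article's own code. Policy: rebuild the OOXML package
from an allow-list of inert parts; anything that can execute is dropped.
"""
import io
import posixpath
import re
import zipfile

MACRO_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
SAFE_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Package parts that carry executable or embedded content (names are my choice of policy).
DROP_PARTS = re.compile(r"^word/(vbaProject\.bin|vbaData\.xml|embeddings/.*|activeX/.*)$")
# Relationship types that point at active content.
DROP_REL_TYPES = re.compile(rb'Type="[^"]*/relationships/(vbaProject|oleObject|control)"')
REL_ELEMENT = re.compile(rb"<Relationship\b[^>]*/>")
TARGET_ATTR = re.compile(rb'Target="([^"]*)"')
OVERRIDE = re.compile(rb'<Override\b[^>]*PartName="/([^"]*)"[^>]*/>')


def _owning_dir(rels_name):
    """'word/_rels/document.xml.rels' -> 'word': the directory Targets are relative to."""
    return posixpath.dirname(posixpath.dirname(rels_name))


def _clean_rels(rels_name, xml, dropped):
    """Remove relationships by active-content type or because their target part was dropped."""
    def keep(m):
        el = m.group(0)
        if DROP_REL_TYPES.search(el):
            return b""
        t = TARGET_ATTR.search(el)
        if t:
            target = t.group(1).decode()
            resolved = (target.lstrip("/") if target.startswith("/")
                        else posixpath.normpath(posixpath.join(_owning_dir(rels_name), target)))
            if resolved in dropped:
                return b""
        return el
    return REL_ELEMENT.sub(keep, xml)


def regenerate_docx(data):
    """Rebuild the package without active content. Returns (clean_bytes, sorted dropped part names).
    A corrupt archive raises zipfile.BadZipFile; callers should quarantine, not pass through."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = src.namelist()
    dropped = {n for n in names if DROP_PARTS.match(n)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in names:
            if name in dropped:
                continue
            body = src.read(name)
            if name == "[Content_Types].xml":
                body = body.replace(MACRO_MAIN, SAFE_MAIN)          # .docm -> .docx main part
                body = OVERRIDE.sub(lambda m: b"" if m.group(1).decode() in dropped else m.group(0), body)
            elif name.endswith(".rels"):
                body = _clean_rels(name, body, dropped)
            elif name == "word/document.xml":
                # Remove anchors of embedded objects so no dangling r:id survives in the body.
                body = re.sub(rb"<w:object\b.*?</w:object>", b"", body, flags=re.S)
            dst.writestr(name, body)
    return out.getvalue(), sorted(dropped)


def has_active_content(data):
    """Independent check used to confirm the regenerated copy is inert."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if any(DROP_PARTS.match(n) for n in z.namelist()):
            return True
        ct = z.read("[Content_Types].xml")
        return MACRO_MAIN in ct or b"vbaProject" in ct


def part_names(data):
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def read_part(data, name):
    return zipfile.ZipFile(io.BytesIO(data)).read(name)


def build_sample_docm():
    """Constructed macro-enabled 'job application': fake VBA project and OLE object bytes."""
    parts = {
        "[Content_Types].xml":
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            b'<Default Extension="xml" ContentType="application/xml"/>'
            b'<Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN + b'"/>'
            b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            b'</Types>',
        "_rels/.rels":
            b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            b'</Relationships>',
        "word/_rels/document.xml.rels":
            b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
            b'<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/cv" TargetMode="External"/>'
            b'</Relationships>',
        "word/document.xml":
            b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            b'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
            b'xmlns:o="urn:schemas-microsoft-com:office:office"><w:body>'
            b'<w:p><w:r><w:t>Application for the Senior Analyst position</w:t></w:r></w:p>'
            b'<w:p><w:r><w:object><o:OLEObject r:id="rId2"/></w:object></w:r></w:p></w:body></w:document>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0CONSTRUCTED-FAKE-VBA",       # placeholder, not a real macro
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0CONSTRUCTED-FAKE-OLE",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    clean, dropped = regenerate_docx(build_sample_docm())
    print("dropped:", dropped, "| still active:", has_active_content(clean))
```

The text of the application survives and the hyperlink relationship is left alone, while the macro project, the embedded object, their relationships, the body anchor and the macro content type are all gone. Note what this does not do: it neither inspects the dropped bytes nor decides whether they were malicious, which is exactly the point of regeneration over detection.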

Understand third party risks

If an organisation is using a recruitment or staffing agency, it’s
imperative to conduct an assessment of the agency you’re working with.
Just as the broader organisation may evaluate its supply chain,
partners and integrators, there needs to be some level of assessment
with a recruiting or staffing agency.

As with any third party, there is inherent risk in an agency operating
on behalf of an organisation and gaining access to sensitive
information.

We must all accept now that HR is one of the most vulnerable
departments within any organisation precisely because one of its
primary functions is to constantly receive and open files and
documents from unknown senders.

By understanding the risks involved in this and implementing each of
the best practices outlined above, HR departments can be better
equipped to deal with malicious activity and help protect the crown
jewels of their organisation, including all that sensitive information
about employees.


More information about the BreachExchange mailing list