[BreachExchange] HR being deliberately targeted in cyber security attacks

Destry Winant destry at riskbasedsecurity.com
Tue Mar 5 05:14:53 EST 2019


http://www.hrmagazine.co.uk/article-details/hr-being-deliberately-targeted-in-cyber-security-attacks

Hackers are hoping to access data through HR professionals, so HR
professionals must understand how to stay secure

Cyber attackers are increasingly targeting HR professionals to get
hold of employee data, according to experts.

Jaqueline Davies, managing director of Audacity Associates, former HR
director of the Financial Conduct Authority and former master of the
Guild of HR Professionals, told HR magazine that she had heard
“countless stories” of HR professionals being targeted.

Davies related how the infamous cyber hacker Kevin Mitnick had been
hired by a Canadian business to see if he could access the
organisation’s system. He found the details of its HR director on
LinkedIn and asked a series of questions that led to the director
giving away the password to the company system via a link. Within 20
minutes Mitnick had accessed the personal and financial details of some
30,000 employees.

“I think there is a huge risk to HR professionals. We know that there
are typically insider threats, and everyone in HR is aware of the
disgruntled ‘rogue employee’ who might leak data after a bad
experience. But the fact that HR are specifically being targeted as
the gatekeepers made my blood run cold,” Davies said.

This risk correlates with the government’s Cyber Security Breaches
Survey 2018 on the wider risk cyber attacks pose, which found that 43%
of UK businesses and 19% of UK charities had experienced cyber
security breaches or attacks in the 12 months from April 2017 to April
2018.

Michael Hoddy, client advisor and co-founder of cyber security
consultancy The Technium Global, explained that organisations
typically see breaches as a failure to grasp technology. But they
actually need to understand how hackers operate psychologically.

“When we’re educating HR about these attacks it’s important for them
to know that this isn’t necessarily a technology-led problem. This is
based on social engineering; when someone knows the right questions to
ask,” he said.

A lack of communication between departments makes HR vulnerable, Hoddy
added: “There’s a wider problem surrounding cyber security generally
with HR. The majority of data breaches are internal, and many of them
are not malicious. So you can see that it’s a difficult problem for HR
to tackle. Lots of organisations might carry out background checks but
there can be huge implications for employees’ trust, and it’s
understandable that HR might not want to address it.”

Sarah Morris, senior lecturer in forensic computing at Cranfield
University, said that many in HR mistakenly believe cyber security to
be outside of their remit.

“Training for HR in this area has been overlooked. A lot of people in
HR have become reliant on IT for the security of electronic data, but
they need to learn about social engineering and that this isn’t all
down to technological expertise,” she said.

Part of the problem is HR professionals’ willingness to help, said
Davies: “It’s within HR’s nature to want to be as helpful as possible.
In this profession we are always thinking about other people, and tend
to think of ourselves as ‘back office.’ We don’t always recognise the
responsibility in our role and our place as gatekeepers.”

But the opposite should apply, said Davies: “When it comes to data we
need to behave completely differently to how we would in any other
situation; we have to be suspicious, and we have to be cynical.

“I would say audit the data you have access to, and ask yourself if
you have anyone who is specifically responsible and accountable for
this. HR leaders should think very carefully about how they handle
this. Thorough vetting processes for new critical hires are an option,
but in terms of privacy this does have a dark side,” she said.

Davies added that above all everyone across the workforce should be
taught to be vigilant, and to think about the sort of information they
are sending out online.

