HR, emerging lucrative target for cybercrime
Given the personal data it stores, the Human Resources (HR) department of organisations is becoming a top target for hackers.
The threat of a cyber-attack, scam or hack is not a new danger to businesses; however, much like the work of a skilful pickpocket, it is often too late before organisations notice any wrongdoing.
So, what threat does cybercrime pose to the practice of HR?
Through payroll fraud, recruitment scams and corporate espionage, cyber attackers have found numerous routes into organisations via HR.
Research has shown HR professionals, particularly those responsible for payroll, are an increasingly popular target for attacks and phishing scams because of the data they hold and ease of entry.
However, it is believed that they can be stopped in their tracks through innovation and the training of personnel on susceptibility and alertness.
Given the exploitable personal data HR departments store and the propensity for HR employees to open unsolicited electronic mails (emails), experts on HR matters have said the industry is a top target for hackers, noting that despite continued cyber-attacks, the HR industry has failed to implement significant changes.
They advised that there is a need for HR professionals to shift from a reactive to a proactive approach to cyber-security, to make it difficult for hackers to gain access.
For instance, ransomware was hidden in a Microsoft Excel document from a seemingly legitimate job applicant sending his resume and aptitude tests for consideration.
There was a case where a hacker used an email address similar to the company president’s to request employees’ information, and the HR department mistakenly sent the hacker 900 employees’ tax information.
Similarly, two years ago, the U.S. Office of Personnel Management was hacked, and the personal data of millions of past and present federal employees was stolen, including names, addresses, social security numbers, and other information that could be used for identity theft and blackmail.
To reduce organisations’ risk of being hacked, the Chief Executive Officer of Trustifi, a cybersecurity company, Idan Edry, urged HR departments to practise good cyber hygiene, raise phishing awareness, and protect their data, while personnel should be educated and trained on phishing attacks.
According to him, through encryption and data back-up, organisations can protect themselves and eliminate cybercriminals’ profit, while utilising strong, unique passwords and anti-virus software.
An HR expert and lecturer, Dr Dayo Badejo, from the University of Lagos, in an interview with The Guardian explained that technology should not be a challenge to HR in terms of payroll; while the deployment of technology may have some benefits, the challenges are also numerous. He said that, as humans, there should be control on how HR is deployed to use technology in the best interest of organisations, even as departments try to do more to guard against attendant crimes.
He advised HR personnel to do more research to come up with more stringent control measures that can check associated vices. Badejo said: “We have to put in more control measures to do checks and balances so we don’t take everything hook, line and sinker.
“Even if we bring in the best technology, we still need the human element to drive those technologies. As long as we develop our people to be abreast of all these vices that are coming with technology, and what is happening with technology in our field, we also try bringing up necessary control measures that will put you on top of situations.
“In HR, we have a department for research and development, as we develop in the clime; we are also abreast of what is happening. With the evolving technology, we acquire them to drive our functions, even as we develop our people to be on top of their game.
“Every innovation and technology will always come with its challenges, and that is the beauty of research; society makes technology to advance, and we have antecedent vices coming with them. It is a general trend all over the world.”
Against this backdrop, the Chartered Institute of Personnel Management (CIPM) has advised that even as they leverage technology for optimal efficiency, professionals must also examine the challenges of working with the emerging trend to avoid falling prey to cyber criminals.
The immediate past president of CIPM, Udom Inoyo, at a learning leaders forum, explained that technology is a must for human resource experts to remain relevant in their chosen field.
However, he urged that they must be abreast of the vices associated with it in order not to be found wanting.
“Today’s leaders are facing challenges their forebears never had, not only with the on-going economic uncertainty and geo-political instability, it is also a complex global marketplace with a growing millennium workforce that demands a whole new style of leadership.
“It is essential, therefore, for leaders to examine the challenging landscape of working, learning the whole of technology in delivery and the need for businesses and its talents to drive the transition into the future,” Inoyo said.
Typically, hackers are always looking for a weak link into an organisation’s systems, one that leads to a lot of valuable data. Because of their access to highly sensitive employee information, human resources departments provide an attractive target.
A survey on how boards can lead the cyber-resilient organisation suggests that there should be strong collaboration between HR and information security departments in tackling cyber breaches, as workforce vulnerabilities contribute to many cyber incidents.
The findings, according to the survey, are encouraging because they signal that more organisations are involving their HR function in addressing cyber risks.
The research revealed that organisations need greater collaboration between their chief human resources officers and information security officers to truly assess the organisational cultures driving cyber risk in the first instance. Most companies in the survey said they had experienced a serious cyber incident in the last year, which damaged operations, finance and company reputation.
The founder of security software and training firm KnowBe4, Stu Sjouwerman, said: “HR has the keys to the kingdom.”
He said while network administrators can get into the entire network, HR persons have access to all employees, payroll, and healthcare, but are generally not so security conscious, as insider attacks account for probably 70 per cent of attacks.
He said HR personnel should be trained not to fall for social engineering, and their workstations should be given extra protection. It is also particularly important that HR professionals receive thorough security awareness training, not only to keep from falling for a human-engineering attack themselves, but also because others in the organisation are likely to follow email or phone instructions that seem to come from HR.