Protecting HR from the rise of social engineering attacks
Let’s face it, life is a series of calculated and uncalculated risks. Some risks we know about and can choose how to deal with (e.g. mitigate), and others we remain blissfully ignorant of until the consequences hit us.
Work is like that, too; there are situations and threats that we have learned how to effectively navigate, and others that catch us unaware. But what about when our actual job duties carry with them an inherent danger?
Email inboxes are a virtual playground for cybercriminals. Even with all the technical sophistication that we’ve built into email filtering software and other security tools intended to keep criminals out, some maliciously crafted emails – phishing emails – can swim effortlessly past these blockades, and right into your inbox.
Security experts acknowledge this and typically offer advice such as, “Don’t click on links embedded in emails,” “Don’t open attachments from people you don’t know,” and the like.
HR professionals swim in dangerous waters
While some roles within the organisation have the luxury of navigating around anything that looks a bit dodgy, HR professionals often open emails and attachments from unknown sources – they have to, it’s their job. And, it means they are facing a growing threat of becoming victims to social engineering attacks (attacks that are designed to trick people into performing an action on behalf on an attacker).
For example, cybercriminals are posing as job applicants as part of a phishing campaign to infect victims in corporate HR departments with ransomware -and they're even providing a cover letter to lull HR people into a false sense of security.
In these cases, the attacker may not necessarily lace every attachment or link with malware – they will mix benign and malicious attachments and links in the same message to create a virtual minefield that looks and feels like “business as usual.” HR employees are indeed swimming daily in dangerous waters.
To give this some context, Seagate was recently sued by its own employees after a successful online phishing scam. The personal information of 10,000 existing and former employees were stolen by criminals and used to file fraudulent tax returns. How did the breach happen? An employee in HR fell for a social engineering technique that convinced them to send the information to criminals. The employees filed suit on grounds that the company did not adequately protect their information.
What to do
So, what measures can HR employees and departments take to protect themselves from these types of threats? There are four foundational strategies that your company can implement in short order to provide some help:
Strategy 1: Ensue that HR and IT adopt a collaborative approach
This first strategy is the building block for everything else. HR needs to recognize that they play a vital role in the security posture of the organisation. This isn’t just because HR employees can are a potential attack vector, but because HR plays a vital role in setting the tone and culture of any company.
Whereas many employees may see the IT security team as a group of ‘outsiders’ who impose rules and restrictions, HR is often seen as an ‘inside’ group that helps nurture the interests of the company and its employees.
Simply having HR as a visible partner or executive sponsor for a company’s security awareness programme can help foster a deeper sense of employee ownership for security-related topics.
Strategy 2: Deploy engaging security awareness training progammes and make them relevant and memorable
Security awareness and training is a vital component of any organisation’s cybersecurity programme. This is because the actions of your employees directly impact your organisation’s security posture. Humans are a layer within your security programme’s defence and offense.
And, while most organisations conduct some sort of security awareness effort, the specific challenges associated with certain roles, such as HR, can oftentimes go overlooked.
Targeted security awareness and training for HR professionals is critical. HR leaders can partner with IT to ensure that this training is included in the company’s overarching security awareness efforts. And if the organisation is not yet conducting security awareness training, HR is in the position to lead the charge!
In addition to the traditional topics covered in traditional security awareness programmes (i.e. compliance, secure data handling, etc.), HR-specific scenarios should be included. For instance, stronger emphasis should be placed on immersive scenarios and simulated situational attacks and role-plays that are specific to the HR employee’s job functions.
The key to an effective security awareness and training programme is to make it multifaceted. A multifaceted programme contains traditional educational components (such as modules delivered to users through a Learning Management System), and consists of messaging and activities geared toward driving behavior change.
For example, an effective multifaceted programme will include:
- Learning modules that cover topics critical to the organisation related to behavior, policy, or compliance expectations
- Simulated phishing and social-engineering attacks so that employees are conditioned to automatically look for red flags in any communication they receive
- Additional supportive messaging, modes of information, communication channels, and activities so that your organisation has the best chance to effectively develop a sustainable security mindset within each employee, division, region, and job role
- Knowledge and skills that are relevant and transferrable to an employee’s personal life and overall security hygiene
Strategy 3: Educate HR professionals on safe use of social media
HR professionals’ use of social media can serve as a goldmine of data for cybercriminals. Ensure that your security awareness training and scenarios help your HR employees think through how the data they put on social media could be useful to a would-be attacker.
This may mean that your HR employees limit the people that they accept as ‘friends’ on some social media platforms, or only post about a limited number of professionally-related topics on others. It may also mean that, rather than sharing an interesting article from their personal LinkedIn account, they share it from a more generic ‘corporate’ account instead.
Also, since HR employees will often receive emails with a link to a candidate’s LinkedIn profile (or other job board), they should always double-check the link to ensure that it is actually going to the propertied site. Or – better yet, navigate to the site and conduct a search for the candidate manually.
Strategy 4: Have a multilayered defence
Since no single layer of defence is bulletproof, HR should be an advocate for working with IT to create a strong multilayered defence that spans people, processes, and technologies. In fact, as seen in the Seagate case, companies are legally required to provide reasonable protection against threats for their employees.
HR can be an advocate for robust security awareness training, behavioral conditioning, and the deployment of easy-to-use security-enhancing technologies within the organisation. HR can partner with IT to help understand the unique needs of different departments and how new tools, processes, or training may help improve the overall security posture of the organisation.
The idea here is not that any single layer is a foolproof defence – but that all the layers together drastically reduce the likelihood of a successful attack and which can help mitigate the potential devastation from a mistake.
The security ‘arms race’ means that no layer of defence is 100% effective. Attackers have shown repeatedly that defensive technologies can be tricked.
Given this reality, organisations need to be diligent in bolstering their “human firewall” to serve as an effective last line of defence. HR can play a part in this by being an active voice and supporter of overarching corporate security awareness and training efforts, and by ensuring that high-risk roles, like HR, receive targeted training.
HR can both lead and participate in efforts to ensure that the organisation is effectively training employees and working to create a security conscious culture. This has the added benefit of making your organisation, and your people, more resilient.