As custodians of sensitive employee data, HR departments have proven to be high-value targets for cybercriminals.
In May, the UK Ministry of Defence was the victim of a cyber attack, reported to be Chinese government-backed, that compromised the department’s payroll system and exposed the personal information of around 270,000 current and former military personnel. In February, Sweden’s central bank was hit by a ransomware attack targeting its human resources and payroll systems.
Rex Booth, CISO at identity management software company SailPoint, said HR is a target primarily because the data it holds is so sensitive.
“Attackers aren’t necessarily focused on HR-related systems, they’re just looking for systems that contain sensitive information,” he explains. “They’re looking for data that they can monetize, hold for ransom, or use for espionage. HR departments hold a lot of information that is attractive to attackers.”
HR departments face growing risks: HR and recruiting services were targeted by more threats than any other industry last year, according to data from cybersecurity firm Mimecast.
“HR departments are disproportionately targets for cybercriminals because they act as a gateway to personal information that can potentially be used to trace employee identities and associated medical, financial and employment records,” said Mick Paisley, chief security and resilience officer at Mimecast.
Due to the sensitive nature of this information, cybercriminals believe organizations would pay a high price to retrieve this data and prevent it from being made public, he added.
HR is the gateway to business
But HR isn’t just at risk because of the data it manages: it’s also a convenient access point for cybercriminals to infiltrate an organization.
For example, cybersecurity training company KnowBe4 recently revealed that it had hired a North Korean IT worker who had passed its HR interview process using a stolen US citizen’s ID and an “AI-edited” photo. Upon receiving the company laptop, the suspected state-sponsored actor immediately began loading malware onto the computer.
Laura Probert is chief human resources officer at Egress, a security company recently acquired by KnowBe4. Probert says that many of the attackers attempting to break into Egress target the company’s human resources department, chiefly with phishing emails that mimic legitimate messages to trick recipients into clicking malicious links. These emails may pose as job offers or salary increases but are actually intended to harvest personal information for use in later attacks.
“These tactics often overlap quite a bit with what HR talks about,” Probert said, “which creates a natural connection between HR and security executives based on the types of attacks people are using.”
Improving HR Cyber Resilience
To reduce the risk the HR department carries, Egress runs cyber stress tests on the HR team, including sending simulated phishing emails to employees so that HR can recognize what a real attack might look like.
“We do a lot of testing as an HR team because we’re in high-risk areas within the organization,” Probert says. “It’s not designed to catch us, it’s designed to help us learn how to get better and eliminate some of the risk.”
HR can play a role in promoting a cybersecurity culture, she adds: For example, the CISO and HR can work together to develop cybersecurity policies and procedures and jointly consider how to most effectively implement them.
Booth also points out that collaboration between HR and security is important for addressing insider threats: people within an organization who turn against it, whether for financial gain or out of job dissatisfaction. Working together, HR and security can help identify potential bad actors at each stage of the employee lifecycle.
“HR leaders are on the front lines of preventing insider threats from happening,” Booth explains. “From a prevention and detection standpoint, it’s as much a technology issue as it is a people issue. Combining the two can achieve a lot.”
Mandy Andress, CISO at AI search platform Elastic and author of “Surviving Security: How to Integrate People, Process & Technology,” agrees that HR and security professionals have developed a closer working relationship in recent years. “We went from not having a lot of contact with HR leaders before to now having conversations on a weekly basis.”
These conversations often cover securing new HR systems, reviewing data handling and understanding changes to onboarding and offboarding processes, to ensure only the right people have access to sensitive company information. “These people need to work closely together to protect the organization,” Andress says.
Cultural issues
While building a close working relationship between the CISO and CHRO is a critical first step in mitigating cyber threats, Probert believes there is a “natural tension” between security and HR teams.
Cybersecurity policies can be strict and unforgiving, so it’s important to involve HR and consider the impact the rules will have on company culture and the work environment. “Being the victim of a cyberattack can be extremely traumatic,” she explains. “Harshly reprimanding people when they make mistakes doesn’t create a conducive working environment.”
Fostering a positive work environment can also help improve an organization’s cyber resilience: a report, “The Ransomware Victim Experience”, co-authored by Jason Nurse, a cyber security lecturer at the University of Kent, and published by defence think tank RUSI, found that companies with a strong culture are much better able to weather a cyber security crisis.
Nurse said companies where employees value each other’s work and understand their contributions to the organization as a whole are much better able to handle cyberattacks. “Where there’s a strong company culture, employees feel like they’re the ones taking on external attackers and are more willing to help each other solve threats,” he added.
While HR leaders will need to work more closely with security teams to protect their own functions, it’s reassuring to know that efforts to improve company culture will also have cybersecurity benefits.
3 Ways HR and CISOs Can Work Together
Collaborative Policies and Procedures
HR and the CISO should consult with each other when developing cybersecurity policies and procedures. While the CISO has the technical expertise, HR’s people perspective can help get staff buy-in for new rules.
The two parties need to work together to ensure that cybersecurity policies comply with existing rules in the employee handbook and that employees are not unduly punished for violations.
Improving security across the employee lifecycle
For CISOs, new colleagues also represent new potential threats, so it’s important to bring new staff up to speed on cybersecurity policies quickly and to limit their access to sensitive data in the first few months after they are hired.
Similarly, when employees leave a company, it is important that they do not take confidential information with them. This is even more important for disgruntled employees who may use inside information to launch retaliatory attacks.
To mitigate these risks, HR needs to involve security teams at each stage of the employee lifecycle.
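One concrete way security teams can be involved at each lifecycle stage is a routine reconciliation of the HR roster against identity-provider accounts, flagging leavers whose accounts are still enabled, enabled accounts with no HR record, and new hires who already hold privileged group membership. The script below is an added example, not code from the article or from any company mentioned in it; the roster and account records are constructed sample data, and the field names, group names, probation window and deprovisioning grace period are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (assumed field names, not any vendor's schema):
# an HR roster export and an identity-provider (IdP) account export.
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active",
     "hire_date": date(2023, 1, 9), "termination_date": None},
    {"email": "bob@example.com", "status": "active",            # recent hire
     "hire_date": date(2024, 6, 3), "termination_date": None},
    {"email": "carol@example.com", "status": "terminated",      # leaver
     "hire_date": date(2021, 4, 1), "termination_date": date(2024, 5, 31)},
]

IDP_ACCOUNTS = [
    {"email": "alice@example.com", "enabled": True, "groups": ["staff"]},
    {"email": "bob@example.com", "enabled": True, "groups": ["staff", "payroll-admins"]},
    {"email": "carol@example.com", "enabled": True, "groups": ["staff", "hr-data"]},
    {"email": "dave@example.com", "enabled": True, "groups": ["staff"]},  # no HR record
]

# Assumed policy parameters: groups treated as privileged, how long a new
# hire is held to restricted access, and how long after termination an
# account may remain enabled before it counts as a deprovisioning failure.
PRIVILEGED_GROUPS = {"payroll-admins", "hr-data", "domain-admins"}
PROBATION = timedelta(days=90)
DEPROVISION_GRACE = timedelta(days=1)


@dataclass(frozen=True)
class Finding:
    email: str
    rule: str
    detail: str


def reconcile(roster, accounts, today):
    """Compare IdP accounts against the HR roster and return a list of Findings."""
    by_email = {rec["email"]: rec for rec in roster}
    findings = []
    for acct in accounts:
        rec = by_email.get(acct["email"])
        # Joiner/leaver gap: an enabled account nobody in HR knows about.
        if rec is None:
            if acct["enabled"]:
                findings.append(Finding(acct["email"], "orphan_account",
                                        "enabled account with no HR record"))
            continue
        # Leaver: terminated in HR but the account is still enabled past the grace period.
        if rec["status"] == "terminated" and acct["enabled"]:
            term = rec["termination_date"]
            if term is None or today - term > DEPROVISION_GRACE:
                findings.append(Finding(acct["email"], "leaver_still_enabled",
                                        f"terminated {term}, account still enabled"))
        # Joiner: within the probation window but already in a privileged group.
        elif rec["status"] == "active" and today - rec["hire_date"] < PROBATION:
            privileged = PRIVILEGED_GROUPS & set(acct["groups"])
            if privileged:
                findings.append(Finding(acct["email"], "new_hire_privileged",
                                        f"hired {rec['hire_date']}, in {sorted(privileged)}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, IDP_ACCOUNTS, today=date(2024, 6, 10)):
        print(f"{f.rule:22} {f.email:20} {f.detail}")
```

Run against the sample data on 2024-06-10 this reports three findings: carol’s account is still enabled ten days after termination, dave has an enabled account with no HR record, and bob is a week into employment but already in `payroll-admins`. In practice the roster and account exports would come from the HR system and the IdP via their own APIs, and the findings would feed a ticket queue shared by HR and security rather than stdout.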
Security training ideas
Because learning and development falls under the HR department’s purview, these teams are well-equipped to advise on cybersecurity training programs.
Working together, CISOs and CHROs can ensure that lessons learned during cybersecurity training sessions are communicated to staff.