Ransomware Attacks Are a Wake-up Call for Cybersecurity in HR
The recent wave of global “WannaCry” ransomware attacks was a shock to anyone who depends on their computer in daily life—which is now virtually everyone. For HR professionals charged with safeguarding some of their companies’ most sensitive information, this unprecedented global cyberattack must serve as a wake-up call about the need to keep systems up to date and to exercise caution in their day-to-day digital behavior.
The 2017 ransomware outbreak followed a year when business users faced a record number of digital threats—including a 750% increase in the number of ransomware families. Security provider Trend Micro detected more than 80 billion total threats during 2016—and the majority occurred during the second half of the year.
Trend Micro predicts that ransomware growth will plateau in 2017, with the number of families increasing 25%. However, the widespread availability of the underlying code will encourage cybercriminals to diversify—expanding their range of targets and developing more sophisticated attack methods to circumvent security solutions. As a result, more organizations and individuals will find themselves under attack from a growing number of malicious actors. And HR could be a big target.
Why Hackers Want Your HR Data
A company’s HR data can be extremely valuable because it contains many key data points useful for fraud and other digital crimes. HR has responsibility for everything from standard personally identifiable information (PII)—names, addresses, social security numbers, birth dates, etc.—to employees’ health insurance, payroll information, and much more.
In fact, at a time when more companies are encouraging workers to participate in employer-sponsored wellness programs such as biometric screenings, many organizations hold more sensitive data about their employees than ever before. This makes your HR department an even more appealing target.
A core part of the U.S. federal government’s HR function—the Office of Personnel Management—was infamously hacked in recent years—revealing PII and results of background investigations for more than 20 million people who are, were, or applied to be employed by the United States.
In the wake of multiple large-scale global attacks, and given that there is ongoing state-sponsored development and proliferation of digital weapons, HR can’t afford to have its head in the sand. It can happen to you. In fact, right now there are armies of automated bots searching the internet 24/7 for vulnerable devices to infect.
Two Other Common Digital Threats Facing HR
One of the most important issues to understand about cybersecurity in HR is that it remains far easier to trick humans than computers. While some malicious software—such as WannaCry—can spread autonomously by exploiting vulnerabilities in outdated systems, the majority of attacks still depend on tricking the user into voluntarily downloading and/or running malware. According to Dell SecureWorks, about 70% of all IT breaches are attributable to human elements.
Hackers use social and behavioral engineering to manipulate their targets into clicking on malicious links or email attachments. Compromised computers or accounts can then be used to rapidly spread malware to other devices or users on a network.
Spear Phishing: Despite being one of the simplest digital attack methods—or perhaps because it is so simple—phishing remains one of the most common and effective ways for malicious actors to compromise a person’s email or obtain login credentials for other accounts. Phishing emails have become increasingly sophisticated—drawing on extensive research to craft believable scam emails. Security researchers refer to these targeted, well-researched attacks as “spear phishing.”
Earlier this year, U.S. media company Gannett announced it had been hit with a phishing attack that compromised up to 18,000 employees’ accounts. Gannett-owned publication USA Today reported that investigations showed the breach originated with emails to the company’s HR staff.
Business Email Compromise: Other tactics besides phishing are also used for business email compromise scams. For example, rather than convincing a user to download a file or click a link, scammers will use a hijacked executive’s email account or register a fake but similar email address to set up fraudulent money transfers.
Trend Micro predicts that cybercriminals’ use of business email compromise attacks will increase during 2017, driven by low costs, simplicity, and effectiveness. With very little infrastructure, a successful scam can deliver an average payout of $140,000. The FBI’s Internet Crime Complaint Center identified more than $3 billion in losses related to these types of scams during a 30-month period.
Learn How to Protect Your Organization
As the WannaCry attacks showed, merely keeping computer operating systems up to date can be a major factor in preventing a devastating digital attack on your organization. In today’s increasingly cloud-based environment, deploying secure personnel management, payroll, and benefits management platforms is also a critical component of cybersecurity.
Learn about how to deploy secure workforce management software.
Read further analysis of the 2017 digital threat landscape and what IT administrators need to do to secure their networks.