Cybersecurity Threats in the Workplace—Is Your HR Team Prepared?
While many think of data breaches as an Information Technology (“IT”) issue, recent studies demonstrate that Human Resources (“HR”) professionals may be the frontline defense against cyberattacks. Additionally, because of the sensitive company data kept within their departments, HR professionals can be prime targets for cyberattacks.
According to a recent survey, an estimated 90% of all data breaches were attributable to human error or misuse, not IT vulnerabilities. Yet more than half of all employers do not train new employees on cybersecurity threats. Fostering cybersecurity awareness should be a priority of your HR department. We present below three common cybersecurity threats and what HR can do to prevent those threats from becoming a costly data breach.
Threat #1: Phishing Attacks
One threat specifically targeting HR professionals bears the apt title of “spoofing.” Spoofing constitutes the forgery of an email header so that the message appears to have originated from someone other than the actual sender. One recent example involved the attacker sending an email to an HR professional purportedly from a company executive, requesting employee records. See below:
Figure 1: SymantecConnect, “Business email compromise scammers add tax return fraud to their toolbox” (March 3, 2016).
The Internal Revenue Service recently published an alert warning employers about this tax fraud scam, as described in more detail here.
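As an added illustration (not part of the original article), the following Python sketch shows how a mail administrator might flag the header inconsistencies that typically accompany a spoofed executive request like the one described above. The sample message, domains and function names are constructed for this example, and the checks assume the receiving mail server records an `Authentication-Results` header.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): the From line imitates an
# executive, but replies and bounces go to unrelated domains.
SAMPLE = """\
From: "Pat Lee, CEO" <pat.lee@example.com>
Reply-To: pat.lee@example-payroll.test
Return-Path: <bounce@mailer.test>
To: hr@example.com
Subject: Employee records needed today
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail

Please send all employee records.
"""

def domain(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoofing_indicators(raw_message):
    """List header inconsistencies worth a second look before replying."""
    msg = message_from_string(raw_message)
    from_dom = domain(msg["From"])
    findings = []
    # A reply address outside the sender's domain diverts the response.
    reply_dom = domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to domain differs from From domain")
    # Weak signal on its own: legitimate bulk mailers also differ here.
    return_dom = domain(msg["Return-Path"])
    if return_dom and return_dom != from_dom:
        findings.append("envelope sender domain differs from From domain")
    # A missing header is reported the same way as a failed check.
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=pass" not in auth:
            findings.append(f"{mech} did not pass")
    return findings

if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE):
        print("WARNING:", finding)
```

A message that trips several of these checks while requesting employee records should be confirmed with the purported sender through a separate channel before anyone responds.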
Threat #2: Ransomware
“Ransomware” is another prevalent cyberattack against which company employees should be on guard. Ransomware is a type of malware that restricts access to a computer system (e.g., by encrypting files) and demands that the user pay a ransom to remove the restrictions. Some variations of ransomware not only encrypt all the data on a particular computer, but will also infect any connected network. Payment demands used to range from $100 to $300, but recent demands have been reported in the thousands. One reported attack, specifically targeting HR professionals, arrives disguised as a resume of a potential job candidate.
Looks harmless, right? Although your company may have technological controls to prevent these types of attacks, hackers constantly seek end runs around technology. Ergo, an informed and properly trained employee remains the best defense.
Threat #3: The Company Insider
An HR professional should remember that the cyber threat may be the actual employee. According to one survey, 59% of ex-employees admit to stealing company data when leaving their former employer. We provide below some procedures a company can adopt to protect sensitive company data and foster awareness.
During the hiring of a new employee, HR should do the following:
1. Educate employees on common cyber security threats;
2. Outline expectations for how employees should handle company data;
3. Use the principle of “least privilege” for data restrictions within your company, providing employees with only the data access necessary to perform their individual job.
During the separation or termination of employees, HR should do the following:
1. Conduct a termination interview, reiterating the company’s data use policy and the possibility of both civil and criminal penalties for violations of that policy;
2. Seek confirmation in writing from employees that they did not and will not violate the company’s data use policy; and
3. Ensure that employee credentials are terminated for network resources and for external websites or portals containing company data.
Legal counsel can play an important role in providing training and drafting the policies to reduce or minimize cyberattacks. If you have any questions about this information or other employment matters related to data security, please contact David Carr, a partner in Ice Miller’s Labor and Employment Group, or Stephen Reynolds, co-chair of Ice Miller’s Data Security and Privacy Practice.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.