Cyber attacks are becoming increasingly common, and just this year big companies like Target and eBay have both been the victims of a data breach. It’s not just big corporations that are at risk, either: if you have a bank account, you are vulnerable. The Washington Post reported that more than 3,000 companies in the U.S. were notified by federal agents last year that their computer systems had been hacked.
The Human Resources department is particularly vulnerable because it houses personal information, like the birthdates, Social Security numbers and addresses of all current and past employees, which can be useful to criminals. Considering the nature of the HR department, it is also highly likely to receive a lot of unsolicited emails. HR will typically receive emails from potential job candidates that contain attachments like resumes and cover letters, and criminals seize this opportunity to send fake emails with attachments containing viruses to infect systems and collect information.
HR will also have employee banking information if it uses direct deposit, as well as banking and financial information for the company, making it a target for theft. “Cybercriminals are skilled at adding phantom employees to payroll, including them in ‘direct deposit’ lists and having a money mule waiting at the bank for a payroll deposit to the phantom employee,” says Stu Sjouwerman, founder and CEO of security software and training firm KnowBe4 LLC. (1)
Security expert Brian Krebs recently exposed another attack that involved capturing login information for payroll and HR management provider UltiPro. The hackers were able to download the employees’ W-2 information and then filed fake tax returns. The fraudulent refunds were automatically loaded onto prepaid American Express cards that were mailed to drop sites around the country to be cashed.
So what can you do to ensure your company’s information stays safe? The first thing you can do is review your company’s security measures and anti-virus software on a regular basis, especially if you are doing any cloud computing or if you allow employees to do any work on their personal devices. Advise employees who use mobile devices to be cautious about what information they provide to outside applications. There is no reason for an app to have access to your contacts or even know your location. Employees should also never access the company network when using public WiFi.
One of the most prevalent dangers HR faces is when a hacker plays to the weakness of a human, not of a computer system. Hackers disguise themselves to convince people to give up secure information under false pretenses in a process known as phishing. Trojan horses come through email or malicious websites and silently gain entry to your system. Then, they download spyware and begin to steal data and damage the system. For this reason, employees should be wary of attachments from unknown senders. It is important to periodically test and train employees on the dangers of email phishing and make sure they can recognize malicious emails. Sending security tips to employees on a regular basis and even sending simulated phishing emails to see how they respond are both good ways to make sure they are keeping your data safe.
References:
1. Preventing Hacker Attacks
Photo credit: http://uwf.edu/go/cybersecurity/