As the custodians of sensitive employee data, HR is proving to be a high-value target for cybercriminals.
In May, the Ministry of Defence (MoD) fell victim to a Chinese state-backed cyber attack, which hacked into the government department’s payroll, compromising the personal data of 270,000 current and former military personnel. Similarly, Sweden’s central bank was subject to a ransomware attack that targeted its human resources and payroll systems in February.
HR is a target primarily because data held by the function is highly sensitive, says Rex Booth, CISO of identity management software company SailPoint.
“It’s not necessarily that attackers have a focus on HR-specific systems; they’re just looking for systems with sensitive information on them,” he explains. “They’ll be looking for data they can monetise, hold to ransom or use for intelligence. HR is the keeper of a lot of information that would be appealing to an attacker.”
The risks facing the HR function are increasing. HR and recruitment services faced more threats than any other industry last year, according to data from cybersecurity firm Mimecast.
Mick Paisley, chief security and resilience officer at Mimecast, says: “The HR department is disproportionately targeted by cybercriminals because it serves as the gateway to private personal information which can potentially be used to trace an employee’s identity and associated medical, financial and employment records.”
Due to the confidential nature of this information, cybercriminals believe organisations will pay a premium to retrieve this data and keep it from entering the public domain, he adds.
HR is the front door to the business
But the HR department is not just at risk because of the data it controls – it is also a useful access point for cybercriminals into organisations.
For example, cybersecurity training company KnowBe4 revealed it recently hired a North Korean IT worker, who used the stolen identity of a US citizen and “AI-enhanced” photos to pass the HR team’s interview process. When the suspected state-backed actor received their company laptop, they immediately began loading malware onto the computer.
Laura Probert is chief people officer of security company Egress, which was recently acquired by KnowBe4. According to Probert, many cyber attackers attempting to breach Egress have targeted its HR department. They have used phishing emails – where attackers mimic legitimate messages to trick recipients into clicking malicious links – which could be sent under the guise of fake job offers or pay raises but with the real goal of gathering personal information for future attacks.
“These tactics quite often straddle HR topics,” Probert says. “This creates a natural connection between HR and security executives, based on the kinds of attacks people use.”
Improving HR’s cyber resilience
Egress has conducted cyber stress testing of the HR department in order to reduce the cybersecurity risk posed by the function. This has included sending employees fake phishing emails, in order to help HR identify what future attacks might look like.
“We do lots of tests as an HR team, because we’re a high-risk area within the organisation,” Probert says. “That’s not designed to catch us out, it’s to help us to learn to be better and close some of those risks down.”
HR can play a role in promoting a cyber-secure culture, she adds. For instance, CISOs and HR can work together to create cybersecurity policies and procedures – and collaborate on how best to implement them.
Booth notes that collaboration between HR and security teams is also crucial for tackling insider threats, where individuals within organisations turn malicious, whether motivated by money or because they’re disgruntled with work. When HR and security teams work together, both departments are better placed to identify potential bad actors within an organisation at each stage of the employee lifecycle.
“HR leaders are on the frontlines of preventing insider threats from happening,” Booth explains. “It’s both a people issue and a technological issue, in regards to prevention and a detection perspective. You can get a lot done when you bring those two things together.”
Mandy Andress, CISO of AI search platform Elastic and author of Surviving Security: How to Integrate People, Process & Technology, agrees that HR and security professionals have developed a much closer working relationship in recent years. While she once had infrequent contact with HR leadership, conversations now occur on a weekly basis.
These are often in relation to securing new HR systems, reviewing data-handling and understanding any changes to the onboarding and offboarding processes, to ensure only the right people have access to sensitive company information. “They need to be working closely together to help protect the organisation,” Andress says.
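The joiner/mover/leaver review Andress describes can be turned into a repeatable check: reconcile the HR roster against the identity provider's account export and flag leavers whose accounts are still enabled, new starters with no account, accounts with no HR owner, and people who changed role but kept entitlements from the old one. The script below is an added example written for this article; it is not code from Elastic, Egress or any organisation quoted, and the roster rows, account rows, department-to-group policy and field names are all constructed assumptions about what such exports contain.

```python
"""Joiner/mover/leaver reconciliation between an HR roster and an IdP export.

Added example, not from the article or any company it quotes. Assumes two
exports a CISO/CHRO review would start from: the HR roster (employee id,
status, start/end dates, department) and the directory account list
(employee id, username, enabled flag, group memberships). All sample data
and the department-to-group policy below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str            # "active" or "left"
    start: date
    end: Optional[date]    # leaving date, None while employed
    department: str


@dataclass(frozen=True)
class Account:
    employee_id: Optional[str]   # None when the account has no HR linkage
    username: str
    enabled: bool
    groups: FrozenSet[str]


# Groups each department is expected to hold (constructed policy). Anything
# beyond this on an active employee is a "mover" finding: the role changed but
# an old entitlement was never removed.
DEPARTMENT_GROUPS = {
    "HR": {"staff", "hr-payroll"},
    "Finance": {"staff", "finance-ledger"},
    "Engineering": {"staff"},
}


def reconcile(roster, accounts, today):
    """Return sorted findings keyed by category."""
    roster_by_emp = {r.employee_id: r for r in roster}
    acct_by_emp = {a.employee_id: a for a in accounts if a.employee_id}
    findings = {
        "leaver_still_enabled": [],    # offboarding not completed
        "joiner_without_account": [],  # onboarding lagging behind HR
        "orphan_account": [],          # enabled account nobody in HR owns
        "excess_entitlement": [],      # mover kept groups from an old role
    }
    for r in roster:
        acct = acct_by_emp.get(r.employee_id)
        # Leaver whose end date has passed: any enabled account is a finding.
        # A leaver still inside their notice period (end in the future) is not.
        if r.status == "left" and r.end is not None and r.end <= today:
            if acct is not None and acct.enabled:
                findings["leaver_still_enabled"].append(acct.username)
            continue
        # Active employee who has started but has no account at all.
        if r.status == "active" and r.start <= today and acct is None:
            findings["joiner_without_account"].append(r.employee_id)
            continue
        # Everyone else: compare held groups with what the department allows.
        if acct is not None and acct.enabled:
            allowed = DEPARTMENT_GROUPS.get(r.department, set())
            extra = acct.groups - allowed
            if extra:
                findings["excess_entitlement"].append((acct.username, sorted(extra)))
    # Enabled accounts with no matching HR record at all.
    for a in accounts:
        if a.enabled and (a.employee_id is None or a.employee_id not in roster_by_emp):
            findings["orphan_account"].append(a.username)
    return {key: sorted(val) for key, val in findings.items()}


# Constructed sample exports; every id, name and group is invented.
TODAY = date(2024, 6, 14)
SAMPLE_ROSTER = [
    HrRecord("E100", "active", date(2020, 1, 6), None, "HR"),
    HrRecord("E101", "left", date(2019, 3, 4), date(2024, 5, 31), "Finance"),
    HrRecord("E102", "active", date(2024, 6, 10), None, "Engineering"),
    HrRecord("E103", "active", date(2021, 9, 1), None, "Engineering"),  # moved from HR
    HrRecord("E104", "left", date(2018, 7, 2), date(2024, 6, 30), "Finance"),  # notice period
]
SAMPLE_ACCOUNTS = [
    Account("E100", "aisha.k", True, frozenset({"staff", "hr-payroll"})),
    Account("E101", "ben.o", True, frozenset({"staff", "finance-ledger"})),
    Account("E103", "cara.t", True, frozenset({"staff", "hr-payroll"})),
    Account("E104", "dev.m", True, frozenset({"staff", "finance-ledger"})),
    Account(None, "svc-legacy", True, frozenset({"staff"})),
]


def run_sample():
    return reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

Run as a scheduled job after each payroll cycle, the four lists are what an HR and security review would walk through together: the leaver list goes to whoever owns deprovisioning, the joiner list to onboarding, orphans to the system owner, and excess entitlements to the line manager who signed off the move. The notice-period case is deliberately not flagged so the check does not generate noise for people who are still legitimately working.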
The culture question
Although developing a closer working relationship between the CISO and CHRO is an important first step in reducing cyber threats, Probert believes there is a “natural tension” between security and HR teams.
Cybersecurity policies can be rigid and unforgiving, so it’s important to involve HR to consider the impact any rules can have on company culture and the work environment. She explains: “Being a victim of a cyber attack can be very traumatic. If we come down like a ton of bricks on people for making a mistake, it’s not going to create a nice environment to work in.”
Cultivating a positive working environment can also have benefits for improving the cyber resilience of organisations. The Ransomware Victim Experience, a report co-authored by Jason Nurse, reader in cybersecurity at the University of Kent, and published by defence thinktank RUSI, found that businesses that have a strong culture are much better able to weather a cybersecurity crisis.
Companies where employees value each other’s work and understand how they contribute to the wider organisation are much better placed to respond to cyber attacks, according to Nurse. “Where there’s a strong company culture, people have a mentality of it being us against an external attacker and are more willing to help each other to resolve the threat,” he adds.
While HR leaders need to collaborate more closely with security teams to protect their own function, it’s reassuring to know that the work they do to improve company culture comes with its own cybersecurity benefits too.