Are HR Employees Your Biggest Cyber Security Risk?

In Uncategorized by bertie

Some roles present a bigger cyber security risk than others.

No matter your industry, cybercriminals will always target these departments simply because they’re easier to reach. Take Human Resources as a prime example.

Most HR professionals publish their email addresses on company websites to help with recruitment. But organizations forget that putting email addresses in the public domain also helps hackers launch an attack. Still, that’s not the only reason the department is your biggest cyber risk.

Today, we’ll explore why cybercriminals target HR professionals more than most.


3 Main Cyber Threats Related To HR

When you work in HR, you sit in a unique position.

Not only do you spend your day messaging hundreds of people outside your organization; you also have a trove of personal data at your fingertips, the kind of information no company can afford to leak. That’s why every HR department needs the right cyber security services in place.

And you need to beware of these cyber threats.

1) Inbound Emails Containing Suspicious Links

One of the cybercriminal’s favorite tools is the phishing email: a message that tries to infiltrate your cyber security services using a malicious attachment or link.

Phishing is why we advise people never to open attachments or click on suspicious links in emails received from an unknown source. The trouble is, that’s almost impossible advice for an HR professional to follow. HR inboxes are flooded with emails from unknown sources every day, and nearly every one of them contains an attachment (the resume), a link (the portfolio), or often both.

As a seasoned cyber security company, we believe at least half of these resources are suspicious:

  • Resumes might actually link to a suspect PDF;
  • Portfolios often arrive in less common formats (like CAD files).

…and your HR team has to open these files to do its job. Meanwhile, cybercriminals have become experts at disguising dangerous file types behind more common extensions (say, passing off an EXE as a DOC). To make matters worse, some outdated programs are a vulnerability in themselves, with security flaws that allow arbitrary code execution and so enable the attack.

Even Microsoft Office isn’t entirely immune to such a risk.

2) Ransomware Holding Personal Data Hostage

While more established companies might have two distinct departments to manage external recruitment and internal HR, smaller businesses are likely to rely on one rep to handle it all. 

Where that’s the case, the employee will have access to lots of sensitive data, and if a cybercriminal were to compromise this employee’s inbox, they could easily hold your company to ransom: applicants who’ve sent résumés would see their personal information fall into a stranger’s hands, letting a hacker blackmail you into paying to stop it from entering the public domain.

Or worse, if a cybercriminal beat your data security services and accessed your entire personnel database, there’d be no telling the damage a ransomware attack could cause.

For many hackers, this is the data jackpot.

3) A Compromised Inbox Enabling Spoof Emails

In recent years, we’ve witnessed the rise of the more complicated, yet infinitely more fruitful, business email compromise (BEC). This is where a cybercriminal gains access to an inbox before using a known and trusted email address to convince a ‘colleague’ to share sensitive information or transfer funds. 

The best way to succeed at this is to hijack the email of a senior executive. But hacking an executive’s inbox takes time — whereas we’ve already seen how an HR employee might be easier to dupe. And most company employees will open emails, click links, or follow instructions when received from HR.

Whether it’s a ‘recommended applicant’s resume’ sent to a department head or a company-wide email with event details: recipients are likely to click, which is why a hijacked HR inbox significantly raises the threat of a BEC.

How To Protect HR Computers

As an experienced cyber security company, we always tailor our advice to the organization in question. But if we believe your HR department is at particular risk, we’ll start by sharing the following recommendations:

  • Isolate All HR Devices: by putting HR computers and smartphones on their own subnet, you minimize the likelihood of a localized threat turning into a network-wide catastrophe.
  • Protect Personal Information: require that your HR team stores personally identifiable data on a separate server or, better still, in purpose-built software that uses multi-factor authentication.
  • Train Every Employee: training is your best line of cyber security defense, so train everyone to spot the risks, but start with your HR department.
  • Define Acceptable File Formats: as part of the training, ensure HR reps know how to spot an EXE from a DOC file — and define which file types applicants should use when sharing resumes and portfolios.
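The "spot an EXE from a DOC" advice above, and the earlier point about dangerous file types hidden behind common extensions, both come down to one check: does the file’s content match what its extension claims? The following is an added example of how an intake script for an HR mailbox or careers portal could enforce that, written for this article and not code from Mid-Coast Tech. It relies on real file-format headers (MZ for Windows executables, %PDF- for PDF, the ZIP header for .docx, the OLE2 header for legacy .doc); the allow-list, the function names and the sample attachments are constructed for the example. It goes slightly beyond the text by also rejecting double extensions and macro-enabled Office documents renamed to .docx.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Tuple

# File-format headers (real signatures; the table itself is assembled for this example).
SIGNATURES = {
    b"MZ": "exe",                                   # Windows PE executable
    b"%PDF-": "pdf",                                # PDF
    b"PK\x03\x04": "zip",                           # ZIP container, used by .docx
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",     # OLE2 compound document, legacy .doc
}

# Constructed allow-list: which container a given claimed extension must actually be.
ALLOWED = {
    "pdf": {"pdf"},
    "doc": {"ole"},
    "docx": {"zip"},
}


def detect_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). A file is accepted only if its extension is on the
    allow-list AND its content header matches what that extension claims."""
    suffixes = PurePosixPath(filename).suffixes
    # "resume.pdf.exe" style names: an earlier suffix is itself a document/executable extension.
    if any(s.lstrip(".").lower() in ALLOWED or s.lower() == ".exe" for s in suffixes[:-1]):
        return False, "double extension " + "".join(suffixes)
    ext = suffixes[-1].lstrip(".").lower() if suffixes else ""
    if ext not in ALLOWED:
        return False, f"extension .{ext or '?'} not on allow-list"
    kind = detect_type(data)
    if kind not in ALLOWED[ext]:
        return False, f"content is {kind}, not {ext}"
    if kind == "zip":
        # A genuine Office Open XML file is a ZIP that carries [Content_Types].xml;
        # a macro project inside it means the document is really macro-enabled.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                if "[Content_Types].xml" not in names:
                    return False, "zip lacks Office [Content_Types].xml"
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return False, "contains VBA macro project"
        except zipfile.BadZipFile:
            return False, "corrupt zip container"
    return True, "ok"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed .docx-shaped ZIP in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments as an HR inbox might receive them.
    samples = [
        ("resume.pdf", b"%PDF-1.4\n%constructed sample\n"),
        ("resume.doc", b"MZ\x90\x00" + b"\x00" * 60),      # executable renamed to .doc
        ("resume.docx", make_ooxml(False)),
        ("resume.docx", make_ooxml(True)),                 # macro document renamed to .docx
        ("resume.pdf.exe", b"MZ\x90\x00"),
        ("portfolio.dwg", b"AC1027"),                      # CAD file, not on the allow-list
    ]
    for name, blob in samples:
        ok, why = check_attachment(name, blob)
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT':6} {why}")
```

Running it prints one line per sample: the clean PDF and the plain .docx are accepted, while the renamed executable, the macro-bearing document, the double extension and the CAD file are each rejected with the reason. The point for HR is that the decision never depends on the filename alone; the header check is what catches an EXE dressed up as a DOC, and the allow-list is what turns "define which file types applicants should use" into something the mailbox enforces rather than a request.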

The above covers HR-specific network security. But there are plenty of other tactics to keep your company safe. First and foremost, be sure to use trusted antivirus software on every device (and push your employees to keep it up-to-date).

Moreover, create a clear company security policy that avoids weak or duplicate passwords across accounts.

Cyber Security Services For Small And Medium Businesses

Whatever industry you work in, there’s no better form of cyber defense than reliable cyber security software. That could mean downloading a solution from a reputable provider — or you could work with an IT services company to guarantee more comprehensive coverage.

Whichever approach you choose, know that help is never more than a phone call away. Feel free to give Mid-Coast Tech a call, any time, at 207-236-0021.