Cyber Risk DSI: Human Resources

This is the first in our mini-series of cyber risk department-specific inquiries (DSI). This week we’re taking a closer look at the risks faced by an organisation’s HR department and how these can best be mitigated.

--

Welcome to another edition of Cyber Security: Beyond the headlines. Each week we’ll be sharing a bite-sized piece of unique, proprietary insight from the data archive behind our high-quality, peer-reviewed, cyber security case studies.

As we’ve touched on many times before, cyber security tends to take a far too narrow, technological view of its work. What our data illustrates is that, time and again in many high-profile cyber breaches, a key risk was either overlooked or simply dismissed because of an over-reliance on technical defences (i.e. “this must be a genuine email since it got through the spam filter…”).

Similarly, in Operational Risk we have always tended to prioritise risk management in ‘line’ resources over ‘staff’. This was primarily because ‘line’ resources tended to have the greater potential impact if a risk was realised than those of ‘staff’.

However, the evolving threat of cyber turns all of this on its head.

To illustrate this point let’s take a key ‘staff’ function that almost every medium to large organisation has - the HR department.

Primarily responsible for recruitment, employee relations, staff safety, labour law compliance, training and compensation, their practices and processes simply haven’t been scrutinised by second line efforts to the extent that ‘line’ functions have.

This made sense in the old world: they didn’t handle significant funds, had little purchasing authority and rarely interfaced with major customers or suppliers. But in the new world this is a major oversight.

Why?

Well, here are just a few reasons:

  • HR generates, manages and has access to highly sensitive employee data. Think about that treasure trove of personally identifiable information, including but not limited to dates of birth, contact details and work/education history, as well as medical issues, disciplinary details and salary information.
  • HR has a legitimate business need to reach all employees but rarely has ongoing, regular contact with them. This makes HR a perfect target for an impostor to mimic in an effort to trick an employee.
  • HR applications are now the most heavily used cloud applications across organisations, and concerns are being raised about the level of oversight companies have of these tools.

Leveraging our repository, we see many instances where an HR department’s vulnerabilities have been exploited:

  • At Gannett, a phishing email attack directed at the HR department led to 18,000 current/former employees’ accounts being compromised.
  • At Seagate, an employee in HR fell for a social engineering technique that convinced them to send social security numbers, salary details and W-2 tax information directly to the attackers.
  • At RSA, the email and attachment in the phishing expedition that exposed their business-critical information was apparently called “2011 Recruitment plan.xls”.
  • Sony’s breach revealed Deloitte employees’ pay details because the HR employee whose account was hacked had previously worked at Deloitte and had taken their employee data with them when they left.

With GDPR looming in the next couple of months, there is no time to waste in identifying and fixing each and every vulnerability, especially those that are clearly already well known to malicious actors.

After you run a department-specific inquiry like this, it becomes crystal clear that a one-size-fits-all security approach won’t work. Tailored strategies, dependent on application, are the only true defence, and leveraging your whole organisation’s talent on preventative and detective efforts is the only route to cyber resilience.

Found this interesting? Sign up to receive these insights every week directly in your inbox and check out our previous editions at Cyber Security: Beyond the headlines.