It begins like this. An email arrives claiming to be from local authorities with information that the deadly coronavirus infection is being carried by one of your employees.You’re a bit suspicious but you recognize the logo and contact name. A PDF or link is attached, urging you to confirm the employee. You click and open it, infecting your computer with phishing malware. The malware gets to work harvesting employee data. It then injects more malicious code, stealing more information and monitoring employee activities.
Billions of fake emails are sent just like this every day. Many of them land in your employees’ inboxes, including HR disguised as resumes and payroll related requests. It is also reported that your company computers are also under hacker attacks every 39 seconds, over 2,200 times a day. A more troubling stat is that the time it takes to identify a breach is 206 days. The costs are enormous. On average cyberattacks cost businesses of all sizes $200,000. Forty-three percent of attacks are aimed at small business but only 14 percent are prepared to defend themselves.
Whether you own, manage, or am employed in a business, you have valuable data that cyber-criminals want. Keeping confidential info safe and hackers out is a growing problem, especially with the massive proliferation of mobile devices, wireless, and bluetooth. Unfortunately many common HR and employee practices leave your company insecure and vulnerable. But it wasn’t until we interviewed Morefield Communications cybersecurity specialist Clinton Eppleman on a recent podcast that I realized how dire the situation really was.
His interview put me on hyper-alert for how vulnerable your company is and how HR might be one of your company’s weakest links.
I didn’t see this scenario coming at all, even as a maniacal critic of using the job description to advertise job openings. “Job descriptions can be a useful tool to a malicious actor,” Eppleman told us. Those words simply pound one more nail into the job description coffin. “HR typically includes names of specific technologies and products in job listings to target the right candidates. Unbeknownst to them (until now), this information can be used to profile the organization and shape attack vectors.”
For example, your company wants to hire an individual who is proficient in G-Suite, so you include G-Suite in your required job skills. According to Chelsea Brown (CEO, Digital Mom Talk), “hackers now know that your company may have vulnerabilities because Google Calendar still has a public event scheduling vulnerability, where everything on your calendar that is public can be searched by looking up your Google Profile.” Often times, job listings mention software that is no longer supported by the manufacturer (Windows 7, Microsoft 2013) or have known vulnerabilities (CRM and accounting/finance software). For even a novice hacker, this information provides a road map for hacking and phishing. Attackers can also collate information from different job postings to maximize the effectiveness of an attack.
Start Here! Cybersecurity Policy
Protecting your company begins with creating a cybersecurity strategy, writing a policy, training employees on the policy, and enforcing it. “Not taking policy seriously is a huge problem,” reports Kelly Speers. “Training is critical. No employee, owner, president, or member of the C-suite is exempt from training. Training must be ongoing. They should be scheduled in short sessions and cover both old and new emerging threats. Keeping employees aware and vigilant is the goal.”
“Every business is a target for cyber-criminals,” warns Shannon Wilkenson. “One of the most common threats is something called “spear-phishing” where employees, typically in finance and accounting, Confident that the new IT upgrade catches all the carefully crafted emails pretending to be vendors, the unsuspecting employee clicks on the link that requests a change of bank account information for payments. With just a few keystrokes, hundreds of millions of dollars are diverted by good-intentioned employees to fraudulent bank accounts.”
Cybersecurity breakdowns are all digital. Speers also cautions that each new hire opens up a new hole in cybersecurity. For example, on his first day the new employee (or contingent worker) is challenged by an imposter, posing as a VP of the company. “I forgot my badge,” he says. The new hire responds, “Sorry, but I’ve been told that I can’t let anyone in without a badge.” The imposter shouts, “do you know who I am? I’ll have you fired if you don’t let me in right now.” The new hire succumbs to the threat.
Speers (President, Your IT Results Inc.) suggests: I like to see policies that address this. Make it a practice to challenge anyone in the office without an employee or visitor badge and ensuring every guest has an escort.
Shannon Wilkinson (CEO, Tego Cyber Inc.) suggests: One thing that organizations can do to protect themselves and their HR departments is to conduct annual cybersecurity awareness training to inform staff of the common threats they may face on a regular basis. Taking time to educate employees can effectively turn what is considered to be organization’s biggest weakness, employees, into one of their strongest defenses against cyber-attacks.
Speaking of new hires, Speers insists password management “should be the first policy on the list.” Don’t distribute or allow new hires (or any worker) to write down passwords on sticky notes. Because HR often posts job descriptions on multiple websites, it makes sense why they use the same password or a variation of the same password for all the accounts. It also gives a hacker a free pass to access all the accounts even if they only originally got the credentials for one of them.
Gabe Turner (Director of Content, Security Baron) suggests: To create a long, complicated and unique password for every account and keep track of them all, I recommend using a password manager. You’ll only have to enter a master password, and you can log into accounts by entering a passcode sent to your phone or use biometrics like fingerprint or facial recognition. This ensures that only authorized users access accounts, protecting sensitive data from unauthorized eyes. Thanks so much and hope to hear from you soon.
While job descriptions pose a risk, job applications should cause panic! Many small and medium size businesses use Wordpress for their websites. They’ve adopted an online form for the job application.Unfortunately several times each year “there is a big security hole somewhere and if they are not fast enough to patch it (usually within 24–48 hours) a hacker gets into their website getting a lot of info from it,” says Alex Kovalenko.
That’s not all. Many websites don’t use what’s called an SSL (Secure Sockets Layer) certificate. The certificate is what converts the http into https, which is the difference between not secure and secure. The number of unsecure sites is not a small number either — as many as ⅔ of all websites according to Google. SSL is the technology that tells a user (and Google) that any data exchanged between the web server and browser is private and encrypted. When the certificate is missing or not installed correctly, the user gets a message that “this is not secure” or “your connection is not private.” What are the chances that a candidate will continue his or her search on your website? It’s not likely!
Even when a website has the certificate, the forms (aka job application or on-boarding doc) often do not. And unbelievably, there are a few ATS (applicant tracking software) providers that still do not include SSL.
To add insult to injury, Google started to flag unsafe websites at the end of 2017. In a world where every company competes fiercely to get their web pages to show up at the top of Google, you can’t afford any red flags.
Ira Wolfe (Host, Geeks Geezers Googlization; Author, Recruiting in the Age of Googlization) suggests: Whether you your company uses Wordpress or not, make sure your company website, career website, and application are all secure. If not, adding SSL is easy and inexpensive. But building using form builders to create your job application is still risky business. Without an ATS, HR, recruiters, and managers are likely receiving these applications by email. That opens up a whole other can of worms. The best solution today is using an ATS. But don’t assume your ATS is secure either. Make sure it has https when you search for it.
Chelsea Brown recently conducted an interview with an HR professional who verified candidate backgrounds before scheduling an in-person interview. “While leaving a message, she gave me her personal cell phone number.” A combination of social engineering or negligence can expose information of existing staff. “I was able to track her social media and personal email through a simple phone number lookup. If I was a hacker, I could have this information to steal her credentials and break into the facility because I had everything I needed to do in order to verify her identity. Employees need to be trained to not give or use their personal phone and emails for business activities.” Brown warns that the same thing happens with sending, accepting, and forwarding sensitive information such as Social Security numbers and date of birth without encryption. This is a common practice between 3rd party recruiters or sub-contracted staff and HR departments.
Dennis Chow (CSIO, SCIS Security) suggests: Use email encryption. Verify anyone calling about reference checks by only using a company email or by ‘calling back’ a main line to such company. Also make sure the other party has the candidate’s full SSN and any other identifier before you release such information.
HR emails a lot of people outside of their organization. “They can receive a lot of malicious emails disguised as resumes and CVs,” says Wilkerson.This introduces a massive risk and makes the organization vulnerable to phishing emails. Phishing is the easiest way for a hacker to get someone’s username and password simply by making a fake website and asking them to enter their information. In addition, “ransomware has often been spread to organizations when someone in HR opened a macro-enabled Microsoft document or simply clicked on an infected file disguised as a resume.”
Speers suggests: “We have seen an increase in resumes being emailed directly to HR team members and managers. Most organizations have a policy about deleting unsolicited emails or not clicking attachments. Make sure it is enforced.
Sending documents with “personally identifiable information” or PII, in unencrypted emails is a no-no but it happens every day. If this information is stored or transmitted in an unencrypted state, attackers can perform a man-in-the-middle attack (MITM) to get the information or just take the information from the unencrypted storage. MITM is like eavesdropping. When data is sent between a computer and a server, a cyber-criminal can get in between and spy. Speers explained how MITM plays out. “Let’s say you received an email that appeared to be from your bank, asking you to log in to your account to confirm your contact information. You click on a link in the email and are taken to what appears to be your bank’s website, where you log in and perform the requested task.”
In a more subtle risk, HR or hiring managers often send assignments or on-boarding forms to candidates and expect them back as attachments.
Guneet Sahai (Head of Technology, Mettl) suggests: “The best way to assess the candidate’s ability or collect the information you need for hiring is to make sure these assignments and documents are hosted on a secure server, with secure links, that required valid login credentials such as username and passwords provided to the candidate in different emails.”
Speers suggests: The solution is to ensure all PII information is stored in encrypted containers and that no email with PII is sent without encryption.
Gig and Remote Workers
Many workplaces now offer flexible schedules, allowing users to work from home or in public places like coffee shops. According to Geraldine Lim (Global Public Relations Co-Lead at SAP Fieldglass), “under-management of contingent and remote workers may expose your company to substantial risk.” In many cases, they access or forward sensitive information including information about customers, internal systems, and facilities. Lim revealed that 47% of respondents to a survey conducted by her company reported that they experience digital security breaches with non-payroll workers sometimes, frequently or in nearly every engagement.
Turner suggests: Being on a public Wi-Fi network can make you more vulnerable to hacking. If you’re using a public Wi-Fi network, be sure to use a VPN to encrypt your web traffic and hide your IP address.
About Ira S Wolfe: Chief Googlization Officer and President of Success Performance Solutions, Host of Geeks Geeks Googlization Show, and author of one of the best selling HR and Recruiting books of all time: Recruiting in the Age of Googlization.