Don’t be the weakest link

HR is particularly vulnerable to cyber attacks because of its access to sensitive personal and organisational data – but it can protect itself, explains RACHEL SHARP
When Juliette Rizkallah saw an email land in her inbox from her CEO asking her to send him all of the company financials, she hesitated. It was completely out of character for the CEO to make such a request. And yet the email came from what looked – even to Rizkallah’s expert eye as chief marketing officer at cyber security firm SailPoint – like his genuine corporate email account.

But the email hadn’t come from the CEO at all. It had come from a hacker.

It’s a story that now plays out in organisations around the world on a daily basis. Rizkallah’s story ended well: she contacted the CEO directly to verify whether the request had come from him.

But not all firms are so fortunate. Target, eBay, JP Morgan, Google, Yahoo!… the list of those that have fallen foul of a cyber attack in recent times goes on.

Firms have of course responded, with HR rolling out cyber security training for employees. But is HR practising what it preaches and keeping the plethora of sensitive employee data it holds safe? Or is it the weak link putting organisations at risk of attack?
“It’s not necessarily that HR is the weak link but HR will always be quite heavily targeted because it handles so much personal data,” says Edward Whittingham, managing director of The Defence Works.

“Cyber crooks will target HR records as that type of information can be used and sold on the dark web to do other types of crime,” adds Rebecca Herold, CEO and founder of the Privacy Professor Consultancy. “There are situations where HR records have been stolen so attackers can see information about, say, the CEO and then use different types of phishing attacks to target that individual – it’s called spearphishing.

“And increasingly there are also cases where that data is not only used for cyber attacks but cyber crooks sell the data – such as the CEO’s home address – on the dark web to traditional crooks that might use it for something malicious in the physical world such as breaking into their house.”
The challenge, says Anthony Shields, global HR systems leader at EY, is that HR typically hasn’t previously had the cyber security expertise to manage these risks.

“Traditionally we’ve over-relied on the IT function to provide that coverage, but that’s changing,” he says.

Within Shields’ HR systems team, the focus over the past 24 months has been to build its own cyber security capability. “About 10% of my team is now working at any given time with the IT function to ensure HR systems are secure from a data perspective,” he explains. “It’s not about creating an IT and cyber security function within operations, but building up that cyber security capability in the function that can work in partnership with IT.”

So just what should the function be doing to keep its own house in order? Here, experts share their practical advice on making HR cyber-secure…
Ask HR tech suppliers the right questions

Shields asks his team to consider the following questions when selecting HR tech: “Have you moved beyond the standard procurement questions and guidelines when bringing new vendors in? Has the vendor moved from a passive defence into a more active defence to be able to defend against not just common attacks, but advanced attacks and some of the emerging attacks that we don’t know about yet?”

“Don’t be afraid to ask questions,” agrees Whittingham. “If you’re dealing with a potential new provider, don’t be afraid to challenge them – it’s important not to assume they know what to do from a cyber security perspective, as it’s not always the case.”

One useful question is whether the supplier has ISO 27001 certification for its information security management system, and whether the firm carries out cyber security awareness training with its own staff. “With around 97% of incidents caused by human behaviour, you want to know that your supply chain is doing something to educate their workforces too,” Whittingham adds.

Shields advises HR teams to also seek independent reviews of any tech they use. “But the big question I ask my teams to ask themselves is: ‘How are you partnering with IT and procurement to be able to review and assess vendors when they come through your doors?’,” he adds.
HR Technology Supplement Cyber security
22 HR October 2019 hrmagazine.co.uk