The human resources department is often the first face of a company for job seekers, but it can also be the weakest point of entry for hackers. The HR department is a target for those seeking to do harm and a potential trap to job seekers when hackers falsely identify themselves as HR recruiters.
These are two different – but not mutually exclusive – issues HR managers need to consider today. Security experts suggest HR must do a better job at protecting confidential information while also protecting their identity.
In other words, recruiters need to do more to stay safe online. Last year’s Office of Personnel Management breach highlighted how HR information may be a gold mine for those looking to steal identities.
The Human Resources Soft Target
Hackers need to only gain access to one entry point on a network, and while servers are often hardened against cyber attacks this isn’t the case with other computers.
HR can offer an all too easy hole in a company’s network, and for this reason hackers continue to target it in numerous ways, including brute force attacks that breach firewalls, and through the use of script kiddie tools that are designed to penetrate networks.
“HR can be one of the softest parts of any business as few do enough to protect those systems,” warned Adriel T. Desautels, manager and CEO at Netragard, Inc., a firm that specializes in the delivery of threat penetration testing services.
It might seem that HR doesn’t have a lot to offer, and as such might not be targeted – but it is often a softer target than other parts of a company network. More importantly, it also tends to offer easy access to information that hackers want to mine.
“HR is the first means to a company, as people come in cold and reach out for positions,” added Desautels. “If you compare HR to support you find that customer support is trained to be trusting, but given recent attacks it is now a much harder target. Support isn’t so trusting these days, which is why hackers now know to go after HR.”
If and when HR is breached, hackers suddenly have the proverbial “keys to the kingdom.”
“There are several categories that are threats for HR,” added Bob Baxley, chief engineer at security firm Bastille. “There is the danger of hackers attacking payroll, spearfishing to obtain information on an executive and getting employee information including social security numbers and bank account information. It is worrisome.”
Brute Force Not Required
The other serious danger facing HR is from forms of social engineering. And when it comes to hackers, HR all too often rolls out the red carpet.
“When you work in HR you have to engage with complete strangers and give them some level of trust. Hackers can quickly identify that trust, highjack that trust and then use it to achieve their goals,” said Desautels.
“You don’t need fancy malware,” added Baxley. “You need to be slightly better than the Nigerian Prince scammers. Most organizations have policies in place to not open attachments, not to click on weird links, but when your job is to reach out to people and share thoughts you open the gates. Social engineer plays on trust.”
The other part of the problem is that the information that HR has is typically not seen as all that important, or at least doesn’t require the same level of protection as other “sensitive” information. Lax security leaves information there for any hacker with the skills to grab them.
“Most HR managers do not do a risk analysis of the information they have,” said Alan Webber, research director for IDC Government Insights’ National Security and Intelligence research program. “They certainly don’t do risk analysis on why someone might want that information. That absolutely needs to be done.”
About the only factor that may determine how HR might be targeted in a cyber attack is the time frame that is involved. Social engineering can take time, not to mention a certain skill set, to successfully pull off. Those using scripts and malware tend not to understand the nuances of social engineering.
“If you are a script kiddie you won’t use social engineering,” said Webber. “That is why those who do use social engineering along with their hacking skills are so worrisome. They’re looking for much richer targets than just an account number. They could do real damage if they breach a network.”
Is HR Doing HR Work?
Protecting the HR department isn’t just something that the HR department can do or even should do by itself. Company admins need to monitor the HR department as closely – maybe even more so – than other departments.
“HR should be isolated and monitored,” said Desautels. “The IT department should know that HR people shouldn’t be running net commands from a command shell on the network.”
This extra level of monitoring may seem like an invasion of privacy to those who work in HR, but the point is that routine monitoring at least of how users on the network are using it can help reduce the threat level.
At the same time experts suggest that while isolated, HR shouldn’t be left to its own devices, either.
“If your HR operation and security offices live in different corporate silos, then you’re doing it wrong,” said Jim Purtilo, associate professor in the computer science department at the University of Maryland. “Since OPM and DHS have experienced massive data spills of basically everyone having a clearance – and their families – we know both the challenge and impact already. Your HR operation needs to do those agencies one better, at least.”
