Tips for securing HR from cyber threats

Some professions are more susceptible to cyberattacks than others, a Kaspersky study has found.

Research by Russian cybersecurity company Kaspersky and B2B International has looked at employees’ role in a business’s fight against cybercrime, and found that they pose a significant risk.

Lehan van den Heever, enterprise cybersecurity advisor at Kaspersky, says, “We’ve found that just over half of businesses (52%) believe they are at risk from within. Their staff, whether intentionally or through their carelessness or lack of knowledge, are putting the businesses they work for at risk.”

Some hackers target HR departments with the goal of using them as an entry point to compromise other parts of the private company or public authority. The computers of human resources professionals are usually more at risk of cyberattack because they are easily accessible: HR people’s contact details are often posted on company websites for future and current employees, which makes them easy to reach.

HR professionals also receive mountains of correspondence from outside the company, and tend to have access to personal data that the company cannot afford to leak. It is therefore vital to protect HR departments, enabling them to carry out their work without allowing hackers access to the organization.

Kaspersky shared three main ways in which HR professionals are vulnerable to attack:

Incoming mail: Cybercriminals penetrate the corporate security perimeter by sending an employee an email containing a malicious attachment or link. Opening this link can release a virus, which can download personal files.

Access to personal data: HR staff have access to all personnel data held by a company. Compromising an HR employee’s mailbox opens up that access.

Email hijacking: Here, a senior staff member’s mail account is hacked. The hijacked account then sends out emails to colleagues requesting fund transfers or the forwarding of confidential information.

Lehan says this is why staff training is essential in raising awareness among personnel and motivating them to pay attention to cyberthreats and countermeasures, even if it’s not part of their specific job responsibilities.

To minimise the likelihood of intruders penetrating an HR department, he recommends the following:

  1. Employee-focused security measures such as employee engagement and training on cyberattacks.
  2. Identify compromised files that come through looking like resumés and work samples.
  3. Install updates and ensure that anti-virus protection is always on.
  4. Isolate HR computers on a separate subnet. If one computer is compromised, the threat cannot spread.
  5. Store personal data on a different server, not on HR machines.
  6. Update software on HR computers regularly and maintain a strict and easy-to-follow password policy.
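The recommendation to identify files that only look like resumés can be partly automated at the mail gateway or HR inbox. The following is an added example, not from Kaspersky or the original article: it compares an attachment's claimed extension with its leading bytes and looks for embedded VBA macros in Office files. The function names, the extension lists and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Leading bytes expected for the extensions a resumé normally arrives with.
EXPECTED_MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",                       # OOXML is a ZIP container
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
}
# Illustrative list (assumption): types with no place in a job application.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".docm", ".hta"}

def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons to quarantine; an empty list means no check fired."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in RISKY_EXT:
        findings.append(f"risky extension {ext}")
        if len(suffixes) > 1:                     # e.g. cv.pdf.exe
            findings.append("double extension hides real type")
    if data[:2] == b"MZ":
        findings.append("content is a Windows executable")
    magic = EXPECTED_MAGIC.get(ext)
    if magic and not data.startswith(magic):
        findings.append(f"content does not match {ext}")
    if data.startswith(b"PK\x03\x04"):            # inspect Office ZIP members
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
            if any(n.endswith("vbaproject.bin") for n in names):
                findings.append("document contains VBA macros")
        except zipfile.BadZipFile:
            findings.append("malformed ZIP container")
    return findings

def make_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-like ZIP, not a valid Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_attachment("cv.docx", make_docx(with_macro=True)))
    print(triage_attachment("cv.pdf.exe", b"MZ\x90\x00"))
```

An empty result only means none of these structural checks fired; macros in legacy `.doc` files and malicious content inside well-formed PDFs still need anti-virus or sandbox inspection.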