Some professions are simply more susceptible to cyberattacks than others, regardless of the type of business. Today, we’re focusing on the cyberthreats aimed at professionals who work in human resources. The simplest, but far from the only, reason is that HR employees’ e-mail addresses are published on corporate sites for purposes of recruitment — they’re easy to find.
Cyberthreats Targeting HR
Originally Posted by Kaspersky Daily
In human resources, employees occupy a rather unusual position: They receive mountains of correspondence from outside the company, but they also tend to have access to personal data that the company cannot afford to leak.
Typically, cybercriminals penetrate the corporate security perimeter by sending an employee an e-mail containing a malicious attachment or link. That’s why we always advise businesses and employees not to open suspicious e-mails with attachments or click on links sent by unknown individuals. (Resource: Email Red Flags) For an HR professional, that advice would be ridiculous. The majority of external e-mails they get are likely to be from strangers, and many include an attachment with a résumé. As a guess, we’d say at least half of them look suspicious.
Moreover, portfolios or samples of past work sometimes come in uncommon formats, such as highly specialized CAD program files. The very nature of the job requires HR employees to open and review the contents of such files. Even if we forget for the moment that cybercriminals sometimes disguise a file’s true purpose by altering the file extension (is it a CAD file, RAW photos, a DOC, an EXE?), not all such programs are kept up to date, and not all have been thoroughly tested for vulnerabilities.
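As an added illustration (not code from the Kaspersky article) of how a mail gateway or endpoint control can catch the extension trick described above, the Python below compares the extension an attachment claims with the file's leading bytes ("magic numbers"), flags executable content, and flags names that hide the real extension behind a document-like one. The signature table, the `assess` function and the sample attachments are all constructed for this example; a production scanner would use a full signature library such as libmagic and would hand unrecognized formats (the CAD case the article mentions) to a sandbox or a reviewer rather than blocking them outright.

```python
"""Attachment pre-check: does the claimed extension match the content?

Example code written for this article, not part of the original post.
The signature table is deliberately tiny; real scanners know thousands.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# (leading bytes, content family) - a minimal, hand-picked table
MAGIC = [
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                         # also .docx/.xlsx/.pptx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe"),                                  # Windows executable / DLL
]

# Which content family each claimed extension is allowed to carry
EXPECTED_FAMILY = {
    ".pdf": {"pdf"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"}, ".zip": {"zip"},
    ".doc": {"ole2"}, ".xls": {"ole2"},
    ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".exe": {"pe"}, ".dll": {"pe"}, ".scr": {"pe"},
}

# Extensions that should never arrive as a "résumé" from a stranger
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".msi",
                   ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta"}


@dataclass
class Verdict:
    filename: str
    claimed_ext: str
    detected: Optional[str]
    flags: List[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        """block on hard evidence, review what we cannot identify, else allow."""
        hard = ("executable", "double-extension", "content-mismatch")
        if any(f.startswith(hard) for f in self.flags):
            return "block"
        if "unrecognized-format" in self.flags:
            return "review"
        return "allow"


def sniff(data: bytes) -> Optional[str]:
    """Return the content family the magic bytes indicate, or None."""
    for magic, family in MAGIC:
        if data.startswith(magic):
            return family
    return None


def split_exts(filename: str) -> List[str]:
    """'cv.pdf.exe' -> ['.pdf', '.exe']; 'README' -> []"""
    base = filename.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:] if p]


def assess(filename: str, data: bytes) -> Verdict:
    exts = split_exts(filename)
    claimed = exts[-1] if exts else ""
    detected = sniff(data[:16])
    flags: List[str] = []

    # 1. Executable by name or by content, whatever the name says
    if claimed in EXECUTABLE_EXTS or detected == "pe":
        flags.append("executable")

    # 2. A document-looking extension hidden before the real one (cv.pdf.exe)
    decoys = [e for e in exts[:-1] if e in EXPECTED_FAMILY and e not in EXECUTABLE_EXTS]
    if decoys:
        flags.append("double-extension")

    # 3. Claimed extension we know, but the bytes say something else
    expected = EXPECTED_FAMILY.get(claimed)
    if expected is not None and detected not in expected:
        flags.append(f"content-mismatch:{claimed}->{detected or 'unknown'}")

    # 4. Neither name nor bytes are in our table: route to a human or sandbox
    if expected is None and detected is None and claimed not in EXECUTABLE_EXTS:
        flags.append("unrecognized-format")

    return Verdict(filename, claimed, detected, flags)


# Constructed sample attachments (not real files); only the leading bytes matter.
SAMPLES = {
    "resume.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 8,
    "portfolio.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,  # PE behind a .pdf name
    "cv.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,
    "drawing.dwg": b"AC1027" + b"\x00" * 10,                      # CAD format not in table
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        v = assess(name, content)
        print(f"{name:16} detected={v.detected!s:8} action={v.action:6} flags={v.flags}")
```

The ordering matters for an HR inbox: the unknown CAD portfolio lands in "review" rather than "block", so the recruiter still gets it after a sandbox or analyst look, while anything whose bytes say "Windows executable" is stopped regardless of how the name reads.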
Access to personal data
Large companies might have a variety of specialists responsible for communication with job seekers and for work with current employees, but small businesses are more likely to have just one HR rep for all occasions. That one person most likely has access to all personnel data held by the company.
However, if you’re looking to cause trouble, compromising just the HR specialist’s mailbox usually does the trick. Applicants who send résumés might explicitly or tacitly give a company permission to process and store their personal data, but they’re definitely not agreeing to hand it over to unknown outsiders. Cybercriminals can leverage access to such information for blackmail.
And on the topic of extortion, we also must consider ransomware. Before depriving the owner of access to data, the latest strains often steal it first. If that sort of malware lands on an HR computer, the thieves can hit a personal data jackpot.
A foothold for more convincing BEC attacks
The more difficult but more effective business e-mail compromise (BEC) attack is now a major player. Attacks of this type often aim to seize control of an employee’s mailbox and convince their colleagues to transfer funds or forward confidential information. To ensure success, cybercriminals need to hijack the mail account of someone whose instructions will probably be followed — most often, an executive. The active phase of the operation is preceded by the long and painstaking task of finding a suitably high-ranking employee. And here, an HR mailbox may come in very handy indeed.
On the one hand, as mentioned above, it is easier to get HR to open a phishing e-mail or link. On the other hand, company employees are likely to trust an e-mail from human resources. HR regularly sends applicants’ résumés to department heads. Of course, HR also sends internal documents to the company at large. That makes a hijacked HR mail account an effective platform for launching a BEC attack and for lateral movement across the corporate network.
How to protect HR computers
To minimize the likelihood of intruders penetrating the HR department’s computers, there are several measures that will protect your business. The most important is making sure that HR computers adhere to basic security practices:
- Update software on HR computers in a timely manner.
- Maintain a strict and easy-to-follow password policy (no weak or duplicate passwords for internal resources; change all passwords regularly).
- Install a security solution that responds promptly to new threats and identifies attempts to exploit vulnerabilities in software.