Is HR a particular target for cyber security breaches within a business? Myhrtoolkit's Chief Technology Officer, Kit Barker, explores the issues around why HR need to be vigilant about cyber security and could be at risk.
With the mass migration to remote and hybrid working over the last couple of years, we’ve seen workers move away from the protection of the business-managed network and into the cyber wild west. There has been lots of discussion about the security implications of hybrid working, but we have still seen a year-on-year increase in targeted attacks. And according to the Cyber Resilience Centre for the East Midlands, HR professionals are at the forefront of this increase.
Why is HR a target for cyber criminals?
HR professionals have access to a huge store of personally identifiable information for all members of an organisation. With access to the personal details of your employees, malicious actors can launch extremely complex and convincing phishing attacks. They also have access to a whole host of information used to verify identity, such as date of birth, mother’s maiden name, address, and so on.
Furthermore, HR systems often integrate with financial and payroll systems too, and this is a high value target. Convincing someone in HR to update bank details and pay salaries into another account could be extremely lucrative. It’s clear that the role of HR in information security is an important one.
Security tips for HR professionals
Given the sensitivity of the information HR are responsible for, it’s clear that HR have a key role in information security. So how can HR professionals protect themselves against HR data security breaches?
There are many great resources for helping SMEs stay safe online, such as those provided by the National Cyber Security Centre and the other data security articles on our blog.
What further action should HR professionals take?
The advice linked to above is primarily about making yourself a harder target, but in the field of information security a key tenet is “assume breach”. This says that your protections should not be entirely focused on stopping malicious actors at the perimeter, but also making it as hard as possible for them if they do breach your defences.
1. Follow the principle of “least privilege”
When granting access to personal or sensitive information, only grant the absolute minimum needed to allow the person to perform the tasks at hand. This requires significant effort at times, as software platforms can make it difficult to do this, but before you grant someone administrator access, check if there’s a less privileged account that they could use. This is important as it limits the impact of a single machine or user being compromised.
2. Secure your accounts with MFA
Multi-factor authentication provides such an increase to the security of your accounts. Enabling MFA should be a requirement for all HR applications. If your applications don’t support it, you really should be asking questions about the security of that application.
If you’re not familiar with MFA already, you can read our short blog post about how MFA can benefit small businesses.
3. Ensure a core set of great policies
Great policies that are well understood and followed, are an essential part of information security. Policies can have a bad reputation as being dull and pointless, but ensuring your staff understand what they should be doing and why it matters, is crucial. As a minimum for HR professionals, I’d recommend having an Access Control Policy and a Password Policy.
4. Have a robust and tested backup
Backups don’t protect you from being attacked, but they can make all the difference in recovering from one – especially the likes of ransomware attacks.
The key here is to understand what data you have and how it is backed up as well as testing it. This final part is often missed and there are many scare stories about organisations only discovering their data wasn’t backed up after a breach.
5. Keep on learning
Security awareness training needs to be updated and refreshed often. The threats that HR professionals face change frequently and your training needs to reflect that too. Training doesn’t need to be expensive or time consuming and can be as simple as a monthly email to staff about the current threats and how to mitigate them.
Hopefully you never encounter a successful attack, but implementing these tips will make you a much harder target for cyber criminals and help you recover more quickly and fully from any attack that manages to breach your defences.
Read more from the myhrtoolkit blog
How SMEs can deal with a GDPR breach
Written by Kit Barker
Kit is myhrtoolkit's Chief Technology Officer and a company director for myhrtoolkit who leads the technical team in developing the system. On our blog he shares specialist knowledge and tips around data security and company culture.