Forbes recently published an article predicting that employment trends may move upward. The return to post-COVID-19 life, new COVID-19 support plans, and the coming seasonal uptrend in hiring are some of the factors that may make for a busy season in Human Resources (HR) departments. Attackers watch trends more closely than most of us, and they already have a bullseye on HR. HR is the primary custodian of personally identifiable information (PII), tax information, and employee banking information within most organizations. Attackers also know that HR employees often operate under significant stress while handling a high volume of correspondence. This combination makes HR employees a prime target for cyberattacks.
HR workers are also in a position to significantly affect a company's security posture. HR employees are often the gatekeepers for employee onboarding and offboarding, and historically Sikich finds that many security events are tied to these two processes.
Security Tips for HR Teams
As HR teams prepare for a potential increase in their workload, it is important that security be top of mind. The following four tips are meant to help HR teams operate in a more secure manner.
1) Do not multitask when working through correspondence.
Working through email can feel like a menial task that keeps you from other responsibilities, and it is easy to think you can do something else while quickly responding. However, multitasking through email increases the likelihood that a phishing email goes unidentified. A phishing email is a message from an attacker impersonating someone you trust, crafted so that you will take an action on the attacker's behalf. Such actions might include clicking a malicious link, opening a malicious attachment, or changing the bank routing information for an employee's direct deposit. We find that attackers often time phishing campaigns for when workers are most likely to give emails the least attention. Add to this the fact that many employee emails to HR are urgent because they affect the employee's finances, and the result is HR workers who are likely to perform the requested action without thinking it through.
HR workers should intentionally slow down and follow a systematic process:
- Check the “From” and “To” fields to make sure they fit the context of the email: the sender's actual address, not just the display name, should belong to the domain you expect (watch for look-alike domains), and the recipients should make sense for the request.
- Check the signature lines to see if they fit the company standards.
- Avoid clicking on links. Instead, open a browser and manually type the address of any page you need, such as the known URL of your payroll portal.
- If something in an email gives you pause, follow up with a phone call to the sender, using a number you already have on file rather than one supplied in the email.
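The first two checks in the list above can be partly automated before anyone acts on a message. The script below is an added example, not a Sikich tool or anything from the original article: it parses a raw email, compares the sender's real address against the display name and the expected company domain, flags a Reply-To that points elsewhere, and compares what each link says with where it actually goes. The company domain (examplecorp.com) and both sample messages are constructed for the example; the look-alike test is a simple heuristic and is no substitute for the phone call.

```python
"""Header and link triage for an HR mailbox (added example, constructed data)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain legitimate internal correspondence is expected to come from (assumed).
TRUSTED_DOMAIN = "examplecorp.com"
# Loose URL/domain matcher used for link text and plain-text bodies.
URL_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkParser(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url):
    """Host of a URL; a bare 'hr.example.com/x' is treated as http://."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_lookalike(host, trusted=TRUSTED_DOMAIN):
    """True when host is outside the trusted domain but reuses its first label,
    e.g. examplecorp-hr.com or examplecorp.com.login-portal.net."""
    if host == trusted or host.endswith("." + trusted):
        return False
    return trusted.split(".")[0] in host


def check_message(raw):
    """Return a list of human-readable red flags; an empty list means none found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The From address itself, not the display name, must carry the expected domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    if from_dom != TRUSTED_DOMAIN and not from_dom.endswith("." + TRUSTED_DOMAIN):
        findings.append(f"From address domain {from_dom!r} is not {TRUSTED_DOMAIN!r}")
    if is_lookalike(from_dom):
        findings.append(f"From domain {from_dom!r} looks like {TRUSTED_DOMAIN!r}")
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)  # an address hidden in the display name
    if shown and domain_of(shown.group()) != from_dom:
        findings.append(f"display name shows {shown.group()!r} but sender is {addr!r}")

    # 2. Replies quietly redirected to another domain.
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From {from_dom!r}")

    # 3. Links whose visible text names one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkParser()
        parser.feed(content)
        links = parser.links
    else:
        links = [(m.group(), m.group()) for m in URL_RE.finditer(content)]
    for text, href in links:
        target = host_of(href)
        if URL_RE.fullmatch(text) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)!r} but points to {target!r}")
        if is_lookalike(target):
            findings.append(f"link host {target!r} looks like {TRUSTED_DOMAIN!r}")
    return findings


# Constructed sample: a direct-deposit change request with every trick at once.
RAW_PHISH = """\
From: "payroll@examplecorp.com" <payroll@examplecorp-hr.com>
Reply-To: hr-desk@mail-examplecorp.net
To: hr@examplecorp.com
Subject: URGENT: direct deposit update before Friday payroll
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm the new routing number today:</p>
<a href="http://examplecorp.com.login-portal.net/deposit">https://hr.examplecorp.com/deposit</a>
</body></html>
"""

# Constructed sample: an ordinary internal question that should raise no flags.
RAW_CLEAN = """\
From: Jane Doe <jane.doe@examplecorp.com>
To: hr@examplecorp.com
Subject: W-4 question
Content-Type: text/plain; charset="utf-8"

Where do I update my withholding? The portal link https://hr.examplecorp.com/forms is what I have.
"""

if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("clean", RAW_CLEAN)):
        print(label, check_message(raw) or ["no red flags"])
```

A message with no findings is not proof it is genuine; a compromised internal mailbox passes every one of these checks, which is why the SOP for banking changes and the call-back on a known number still apply.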
2) Do not announce new hires until after they have completed security awareness training.
Attackers are watching LinkedIn and other social media platforms for opportunities. You should encourage all new employees to wait a couple of weeks before making any announcements about taking a new position. The hiring of a new employee presents an attacker with a great opportunity for phishing campaigns. I knew a new hire who felt intimidated by management upon starting a new job. It wasn’t long before that employee was attempting to purchase gift cards for an attacker who was pretending to be the employee’s boss. It is important that a new hire has gotten past their jitters, read and understood company policies, and undergone security awareness training before information goes public about the employee’s new position.
3) Make onboarding processes an example of best practices.
Onboarding processes are often the first impression an employee has of a company’s culture. If, out of convenience, a new employee is provisioned a network account with a weak password like “Welcome123” or is asked to send onboarding documents with Social Security numbers, health information, and bank information by email, the employee will quickly learn that policies around the use of strong passwords and the protection of sensitive data can be disregarded. Instead, be sure that all onboarding processes demonstrate the company’s commitment to information security best practices.
4) Follow standard operating procedures (SOPs).
Almost everything is happening remotely in the new COVID normal. However, this does not mean that the onboarding process has been simplified for new employees. It is normal for new employees to struggle with setting up their direct deposit, tax information, and health care choices even in the best circumstances, and most HR departments working with a remote workforce have turned to complicated online onboarding systems. When the employee struggles to enter their direct deposit information correctly, your HR team may feel pressure to bypass your SOP and accept the employee's bank routing information by email. That is exactly the opening a payroll-diversion attacker needs. It is important that you help the employee walk through the right process rather than risk routing their first paycheck to an account the attacker controls.
It is also important that offboarding procedures be followed as designed. For example, most offboarding procedures include disabling an employee's email while they are in the exit interview. This prevents a disgruntled employee from deleting important information or forwarding it out of the company. It may feel inconsiderate to turn off an employee's email while he or she is in the exit interview, but your team created the process for a reason. Be kind but firm.
Conclusion
We are all looking forward to life improving for families and to companies growing. To make sure your organization realizes the most benefit from these events, carefully protect your company and your employees from the increase in attacks that is likely to accompany them.
If you have any questions regarding HR security, do not hesitate to reach out to us at any time!
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.