Hackers have HR in their sights: Identity theft from resumes

by Human Capital, 18 Sep 2013

Targeted attacks by hackers have skyrocketed, according to a report – and what’s more, HR has become the corporate target of choice.

Hackers have changed their tactics, according to Liam O Murchu from security software firm Symantec. “The picture that we had before of targeted attacks was they went after CEOs or other top people in a company, and they went after very large companies and government agencies. Targeted attacks are now being spread out and used in far more scenarios,” O Murchu said.

The data found:

  • Targeted attacks are increasingly aimed at small and medium-sized businesses – more than 50% of attacks were on organisations with fewer than 2,500 employees.
  • Nearly 18% of attacks took aim at companies with fewer than 250 employees.
  • More than 232 million identities were exposed in attacks in the last year.
  • Data breaches were more often the result of lost or stolen devices such as USB sticks, laptops, smartphones and tablets.
  • While lost and stolen devices are the most frequent cause of data breaches, hacking attacks have more severe effects.

Attackers may be targeting smaller companies because of their less sophisticated security processes, and many targets are in HR, public relations and sales. “While these workers may not have access to the data the attacker is ultimately after, they are often a convenient vector for penetrating an organisation's defences because they are easy to identify online and are used to being contacted and sent attachments (like resumes) from unknown sources,” O Murchu said.

Because many organisations lack a role-based access management process – whereby individuals only have access to resources dependent on their role within the company – hackers who gain access to one of these workers’ accounts may gain access to a whole host of sensitive data. “What companies need to realise right now is that once attackers get inside the perimeter of their network, they're going to spread out,” O Murchu said. “Your defences should not be focused primarily on the perimeter of the network. You should have access controls set up correctly on all of your valuable data. And you should have applications in place that can watch for the loss of valuable data.”

HR takeaways to ensure security

  • HR must take steps and devise policies and procedures that ensure complete workplace confidentiality. The policies should cover HR's own work as well, i.e. protection of employee records.
  • Simply devising such policies is not enough. They must also be communicated to all employees, supervisors and managers. Employee confidentiality training through handouts, seminars, workshops, etc. is also a good way of ensuring confidentiality in the long run.
  • It is important to make employees aware of the specific actions that constitute a breach of confidentiality. They must also be educated about the consequences of such a breach, to deter them from committing one.
  • Considering the growing use of electronic methods to save information, the organisation must initiate efforts to fool-proof its data using advanced or sophisticated electronic methods such as firewalls, password protection, encryption, etc. This will keep access, usage, and transmission of the protected data safe.
  • There must be strict policies regarding disposal of sensitive information. Any information, once redundant, must be disposed of in an appropriate manner. It may no longer serve any purpose to the organisation, but that doesn’t make it less sensitive. The HR team or the organisation must erase these records in such a way that there are no potential leaks.

