HR professionals are privy to an organisation’s most sensitive information. The personal information of current employees and applicants is exactly the kind of private data cybercriminals are hunting for, and breaking into HR’s online files can be a ‘one-stop shop’.
According to one cyber security intelligence manager, the first line of defence is becoming more aware of just how common it is to unwittingly download viruses and spyware. HR professionals who use group inboxes (e.g. email@example.com) to receive applications are at higher risk of coming into contact with spyware, because generic email addresses are easier to target. In addition, opening unsolicited employment applications with attached documents can be risky: the attachments may carry spyware which then infects the company’s entire network. Sneakier still, cybercriminals can embed code in documents which then infects systems, or even sends data back to the attacker, which in turn can be used for corporate espionage.
Savvy HR professionals should also remain vigilant when reviewing content from outsourced recruitment consultancies. UK-based Paul Wood from Symantec also warned that cybercriminals are aware that recruitment agencies use automated systems to match candidates to appropriate positions, and will tailor fake job applications with documents containing malicious code, which may ultimately find its way back to the intended target. “Criminals will have carried out research on their intended targets’ upcoming vacancies and will use their preferred recruitment partner to gain access to their systems,” Wood said.
It's essential that HR professionals understand that cybercrime is not just a threat to large organisations: small and medium-sized businesses can in fact be easier targets.
Symantec research recently revealed that attacks on SMBs increased from 18% to 31% in 2012, in part because of the valuable intellectual property they hold as well as the potentially less stringent security measures they have in place.
To keep the threat at bay, ensure you:
Educate staff about the risks and ensure your team is aware of the common tricks.
Update your policy to ensure there are clear guidelines on how staff should manage unknown or suspicious messages, and ensure employees understand their responsibilities with regard to doing their utmost to mitigate potential attacks.
Security technology should always be viewed as the last line of defence: questionable content should be thoroughly checked before being opened in the first instance.