
Why HR has Become More of a Target for Cyberattacks


2nd December 2024


An email titled ‘Job Application’ lands in your inbox. Naturally, you open it and click on the attachment marked ‘CV’. The next thing you know, your HR department has been hacked, your system has been compromised, and your company data is under attack from cybercriminals.

Cyberattacks of this nature are now so common they’re almost part of our daily working lives. Despite major advancements in cybersecurity and AI-powered defence systems, breaches of UK employee data rose by an alarming 41% in 2023, reaching a five-year high. The same research discovered ransomware attacks targeting employee data rocketed by 57% over the same period.

While HR systems are the bedrock of modern organisations with their ability to seamlessly manage workforce functions, they have become a prime target for cybercriminals due to the vast quantities of sensitive information and payroll data they store. Now, cybersecurity service provider ramsac has identified vulnerabilities in HR teams that cybercriminals look to exploit, while offering advice for tightening security.

Why do cybercriminals target HR?

HR teams are under constant threat of phishing and spear phishing attacks. Why? Because cybercriminals know that part of the job of an HR professional involves opening emails and attachments from unknown sources.

The fact is HR leaders have access to huge amounts of personal information about their colleagues that malicious actors will attempt to steal using increasingly complex and convincing phishing attacks. Not only that, but HR also stores a bunch of other valuable information used to verify identities such as names, addresses, dates of birth, or a mother’s maiden name.

If that wasn’t enough of a dangling carrot for cybercriminals, HR systems will often integrate with payroll systems and other financial resources that pique the interests of hackers even further. They could even hit the jackpot by convincing HR to transfer bank and salary details into another ‘safe’ account created by the malicious actor.

As is clearly evident, HR teams have a vital role to play in data security given the sensitivity of the information they’re responsible for. The following tips will help HR teams tighten their cyber defences and lower the risk of a data breach.

Adopt a ‘least privilege’ approach

According to research, 74% of data breaches can be attributed to the misuse of privileged credentials and access controls. Not only that, but nearly half (49%) of all businesses contain at least one worker with more access privileges than their job specification requires.

When granting team members access to private or sensitive information, HR should allow only the very minimum access required to perform a specific task, and use tools like security labels to block unauthorised access to emails, documents, and files. Similarly, before someone is granted administrator rights, always check for a less privileged account they could use, as this will minimise the impact of a successful cyberattack.

Protect assets and accounts with multi-factor authentication

Usernames and passwords (single-factor authentication) are important elements of cybersecurity, but they’re vulnerable to cyberattacks. Multi-factor authentication provides a much higher level of system and data security and should be a basic requirement for all HR software and applications.

Whereas two-factor authentication (2FA) requires two steps to gain access to systems, accounts, and data, MFA takes the concept a stage further. It achieves this by requiring multiple layers of verification such as passwords, a mobile device, and facial identification. Therefore, even if one of the three authentication stages is compromised, the others remain as additional layers of protection that an attacker would still have to break through.

Create a secure backup

A backup system won’t protect you from a cyberattack, and increasingly sophisticated threats driven by AI make it harder than ever to stay ahead of the curve. However, a backup system can be instrumental when recovering from a data breach, especially in the form of a ransomware attack.

The most important factors for HR to consider are the quantity of data held by the business, how it is backed up, and whether the backup stands up to thorough testing. If it does, your backup system should automatically kick in when an attack occurs, which will minimise damage and reduce the time and cost associated with recovery.

Implement robust policies and procedures

The sign of a clear and effective policy is that it is well understood and easily followed by every member of a team. This has become an essential element of data security and mitigating the risks of a cyberattack.

While some policies can feel dull and pointless, good ones are simple to digest and convey a strong message. Staff should understand what they are being told, what they are doing, and why it is important to digital health and cybersecurity. Generally speaking, HR teams should deliver a password policy and access control policy as the bare minimum.

Provide cybersecurity awareness training

HR teams should ensure staff are trained in the latest cybersecurity practices and receive regular updates and refresher courses. HR professionals are under pressure from evolving threats, and that should be reflected in the level of training provided.

Following cybersecurity best practices will help HR teams and other departments build a solid human firewall that helps prevent and report any data breaches or malicious activity. The other advantage is that training does not need to be expensive and can be as simple as an occasional email to staff highlighting the latest threats and how to avoid falling into their trap.

From introducing least privilege in the workplace to organising training, these tips will help HR teams and other parts of a business strengthen their cybersecurity defences in the face of increasingly complex attacks.
