Earlier this month, news broke of a massive, months-long cyber attack, likely carried out by Russia, that targeted the U.S. federal government and many private businesses, including Microsoft and dozens of its clients. On its face, the news may not seem directly connected to HR, but the dangerous hacks serve as a good motivator for employers to revisit HR data security matters, experts say.
Recruiting, for example, presents one very specific vulnerability, according to Steve Tcherchian, chief information security officer at XYPRO, a cybersecurity analytics provider.
“An organization’s recruiting functions are typically the entry point for outsiders—both legitimate job seekers and those looking to cause harm,” he says. “HR is on point to collect resumes and fill open positions.”
This usually means, and especially now with no shortage of job seekers, that employers are fielding an influx of resumes and cover letters in a variety of formats, Tcherchian says. Attackers know this and can use the volume of job applications to their advantage.
Often, he says, it’s easy for an HR recruiter to overlook the warning signs and open an attachment or click on a link (often disguised as a LinkedIn profile) that silently infects a workstation or, worse yet, introduces ransomware or some other damaging payload into the corporate network.
With that in mind, Tcherchian says, HR departments should:
- Be hypervigilant about recruiting: Don’t simply open any and every attachment received from job applicants. Engage your IT and security departments for an additional layer of defense.
- Revisit policies and procedures: In particular, make sure your “Cybersecurity Incident Response Plan” is up to date and has been rehearsed. Everyone should know their roles.
- Have security teams review and advise on best practices for tool and application usage.
- Review and revoke access for employees on a periodic basis: Implement the principle of least privilege. Allow users only enough permission to do their jobs. For hackers, getting through the front door is easy. Don’t make their job even easier by allowing them to roam freely within the enterprise.
“With the recent attack on government agencies, HR departments should heighten their vigilance regarding their processes, especially around candidate recruitment,” Tcherchian says.
According to David Pignelot, CEO at SecZetta, a third-party identity risk and lifecycle management software solution, safeguarding an organization from cybercrime has become vastly more difficult given how digitized, and as a result interconnected, the world has become.
Adding complexity to this already daunting scenario is the fact that organizations have become “perimeter-less,” Pignelot says, meaning they often are compelled to grant access to internal systems and data to more non-employees (contractors, partners, “things”) than actual employees.
“This, in turn, has posed new challenges for HR teams,” he says, noting that most businesses do not have the necessary resources and systems in place for quickly and effectively collecting and processing non-employee information for such important activities as onboarding and meeting regulatory compliance needs.
“This practice is particularly challenging to accomplish for non-employees because, unlike full-time employees, non-employee data must be collected in a collaborative fashion, often from different sources inside and outside of the organization,” Pignelot says. Yet, data shows 59% of all data breaches can be traced to third parties, and only 16% of organizations say they can effectively mitigate third-party risks.
Pignelot says HR and IT can work together to mitigate these risks and potential breaches, such as through automating “non-employee” onboarding and auditing those with access.
Finally, cultural changes driven by the COVID-19 pandemic—primarily more work-from-home employees—have placed even more pressure on HR leaders to ensure that data security is up to snuff.
Jeremy Bernard, recently appointed CEO North America for essensys, a global technology platform designed to optimize flexible workspaces, says that despite the fact that IT is not the traditional purview of HR, the hybrid workforce and the rise of flexible office space have put it in their wheelhouse.
“HR professionals are in charge of wellness and health, so physical security is always top of mind,” Bernard says. “However, the recent widespread data breach that impacted even top government offices makes it clear that privacy protections at work are an equally important part of the overall employee experience of confidence and trust.”
Bernard explains that HR is tasked with shaping and maintaining a positive corporate culture, and the workspaces his company serves are a key component of that culture. By 2030, 30% of commercial office space is predicted to be flex space, with the pandemic accelerating the shift from the current 2% of corporate offices.
“The silver lining is that flex space has a strong technology component that automates and manages functions such as touch-free building access (and) printing and, most importantly, has strong cybersecurity protections in place to ensure that employees are fully protected when in office or collaborating with colleagues from a remote location,” he says.
Bernard believes HR professionals and IT staff will collaborate more closely in the future to meet the needs of staff, from both a physical and a cybersecurity standpoint.
“Offices are moving towards a ‘space as a service’ model, so these HR/IT functions will converge more in the future,” he says.