In the wake of the recent high-profile ransomware attack on UKG’s Kronos Private Cloud and its payroll system, which sent some clients scrambling to pay their employees just before the holidays, industry experts are urging HR and HR information systems leaders to update their business continuity plans and re-evaluate their third-party risk exposure to vendor solutions.
U.S. organizations are the prime target for ransomware attacks with 732 cases reported last year, followed by the UK with 74 cases, Canada at 62, and France and Germany at 58 and 39, respectively. NordLocker estimates that 37% of businesses worldwide became victims of ransomware cyberattacks in 2020.
To address this growing risk, here are nine things HR leaders and HRIS leaders need to know and need to accomplish when preparing for a ransomware attack.
Ransomware attacks are real. When ransomware events began to occur in the last decade, the consensus was “this won’t happen to me,” says Laura Hoffner, chief of staff for security and risk management firm Concentric. Now that they’re frequently in the news, the consensus seems to be “not much I can do about it, anyway,” she adds.
(As a reminder, a ransomware attack is a type of cybersecurity violation where a hacker encrypts a person or company’s computer systems and data, rendering them mostly to completely useless. The hacker then issues a demand for payment, typically in Bitcoin or another form of cryptocurrency, to free the data and systems.)
“Ultimately, hackers and bad actors are looking for the easiest way in,” says Hoffner. “If you or your company makes it even partially more difficult than their next opportunity on their list, they will more than likely move on to a less security-conscious victim.”
Look inside. Like the 1979 thriller When a Stranger Calls, the ransomware might be coming from “inside the house.” In other words, former and current employees might be instigating these types of attacks—and HR and HRIS leaders must be aware of who has access to compromising information and vulnerable systems in which they are housed.
“The vast majority of ransomware attacks are a result of an employee’s purposeful or neglectful actions that put the organization in danger,” says Hoffner.
Paying the ransom might be illegal, and it doesn’t guarantee a return of data or systems. While the temptation to pay the ransom might be strong, it is often illegal to do so. A 2020 ruling of the U.S. Department of Treasury’s Office of Foreign Assets Control and the Financial Crimes Enforcement Network declared it illegal to pay in (most) cases, writes Joshua Beitler, a tech analyst for wealth advisory firm Gross Mendelsohn.
“Keep in mind that paying doesn’t always mean the data is unencrypted, and if the data has been stolen there is no reason to not expect further ransom demands, as in ‘pay now or we will release that data we stole,’” says Mark Stamford, founder of cybersecurity consultancy OccamSec.
Organizations considering paying the ransom should ask the following questions:
- Under what circumstances would you decide to pay a ransom?
- Has company data been stolen? Has the company’s reputation or credibility been damaged? Are you being blackmailed?
- Are you able to recover your data/reputation through other means if you don’t pay?
- How long can your organization afford to be “down?”
Run those drills. Basic cyber security training will illuminate common mistakes and vulnerabilities, advises Hoffner, adding that phishing emails are the easiest way for a bad actor to get immediate access to a network.
“With everyone working from home still, individual security measures may have lapsed such as the use of a VPN. Regularly train and remind everyone that it’s everyone’s responsibility to be alert,” she says.
Business continuity planning should also be conducted at least annually to ensure that the HR teams using these systems, and the IT teams that support them, have a plan for how to minimize impact during outages or cyberattacks, says Dylan Border, director of cybersecurity for IT specialist firm Hyland.
Lastly, HR leaders should be active participants in planning for a worst-case scenario that includes an attack, identifying actionable steps to take to mitigate damage post-attack and keeping key internal HR processes running.
Create a crisis response plan. This will include backup communication methods that are regularly tested, pre-existing chat rooms with relevant parties, and a phone list for external players that will need to be involved such as a forensics team, legal counsel, and payment facilitators. “Within this is developing and approving emergency playbooks. Who has delegated authority to do what during the crisis?” says Hoffner.
Buy cyber insurance. “Yes, rates are going up, but that’s because of the likelihood of incidents. This shouldn’t be a deterrent, this should be an accelerator as to why you need insurance,” Hoffner says.
Put experts on retainer. Identifying an IT forensics team, legal counsel and payment facilitator before a crisis can ensure a timely response. “These teams are being overworked these days and worst-case scenario, you could go in their long queue of new companies to support if you haven’t worked out a relationship with them previously,” says Hoffner.
Back up employee data. With the constant looming threat of ransomware, backups are more important than ever before. Organizations generate vast amounts of digital information without any physical copies to fall back to, the destruction of the digital data can be devastating to organizations and may even result in regulatory fines, says Erich Kron, security awareness advocate at IT security firm KnowBe4.
Holding onto older HR and payroll systems is rarely the answer, as the information and data within them are likely outdated and useless. “More important is understanding what data you would need to have a manual process, then working to ensure it’s available if the main system goes down,” says Kron.
Know your systems. HR and HRIS leaders need a strong understanding of the different systems inside their organization and how to operate if the system is unavailable. “This is a very important part when considering the adoption of new software or adding new features to existing software suites,” says Kron. “Whenever a process is automated, we should ask ourselves if we have the capability of doing it manually if we need to.”