Human Resource Executive December 22, 2020 – 4 tips for HR to reduce the risk of cyber attacks
Recent cyber hacks on government and private employers should prompt HR leaders to ensure their data security defenses are up to snuff.
Earlier this month, news broke of a massive, months-long cyber attack, likely carried out by Russia, that targeted the U.S. federal government and many private businesses, including Microsoft and dozens of its clients. On its face, the news may not seem directly connected to HR, but the dangerous hacks serve as a good motivator for employers to revisit HR data security matters, experts say.
Recruiting, for example, presents one very specific vulnerability, according to Steve Tcherchian, chief information security officer at XYPRO, a cybersecurity analytics provider.
“An organization’s recruiting functions are typically the entry point for outsiders—both legitimate job seekers and those looking to cause harm,” he says. “HR is on point to collect resumes and fill open positions.”
This usually means, and especially now with no shortage of job seekers, that employers are fielding an influx of resumes and cover letters in a variety of formats, Tcherchian says. Attackers know this and can use the volume of job applications to their advantage.
Often, he says, it’s easy for an HR recruiter to overlook clues and open an attachment or click on a link (often disguised as a LinkedIn profile) that could unsuspectingly infect a workstation or, worse yet, introduce ransomware or some other potentially damaging payload into the corporate network.
With that in mind, Tcherchian says, HR departments should:
- Be hypervigilant about recruiting: Don’t simply open any and every attachment received from job applicants. Engage your IT and security departments for an additional layer of defense.
- Revisit policies and procedures: In particular, make sure your “Cybersecurity Incident Response Plan” is up to date and has been rehearsed. Everyone should know their roles.
- Have security teams review and advise on best practices for tool and application usage.
- Review and revoke access for employees on a periodic basis: Implement the policy of least privilege. Allow users only enough permission to do their jobs. For hackers, getting through the front door is easy. Don’t make their job even easier by allowing them to roam freely within the enterprise.
“With the recent attack on government agencies, HR departments should heighten their vigilance regarding their processes, especially around candidate recruitment,” Tcherchian says.
To read the full article visit Human Resource Executive.
Steve Tcherchian, CISSP, PCI-ISA, PCIP is the Chief Product Officer and Chief Information Security Officer for XYPRO Technology. Steve is on Forbes Technology Council, the NonStop Under 40 executive board, and part of the ANSI X9 Security Standards Committee.
With over 20 years in the cybersecurity field, Steve is responsible for the strategy and innovation of XYPRO’s security product line as well as overseeing XYPRO’s risk, compliance, and security to ensure the best experience for customers in the Mission-Critical computing marketplace.
Steve is an engaging and dynamic speaker who regularly presents on cybersecurity topics at conferences around the world.