Attacks on HR systems are a growing trend that HR managers need to confront. In this Q&A, a security expert provides advice on where they can get started.
The employee data managed by HR is worth a lot of money to attackers. But HR data security isn't getting the attention it deserves, according to John Pescatore, director of emerging security trends at the SANS Institute, a nonprofit that specializes in security and cybersecurity training.
HR managers may not understand the value of the data in their control, according to Pescatore. They need to realize they are being specifically targeted by attackers because employee information is worth a lot of money. He recommends that HR managers work more closely with IT security and be more proactive to ensure HR systems are configured correctly.
Does HR understand the value of the data it manages?
John Pescatore: In general, HR recognizes the privacy importance of the data it collects. I do not think HR understands how valuable that data is to attackers. HR is often more worried about internal misuse of personnel data. I definitely do not think they quite understand the attractiveness of the data and how valuable it is to cybercriminals.
What is the value of this data?
Pescatore: They essentially have eBays out there for bad guys to sell stolen information. An individual record may range from tens of dollars to thousands of dollars, depending on how detailed and fresh the information is.
Typically, the people paying that amount are, most commonly, using it for account fraud. They're going to use that information to start up new credit cards and bank accounts. The person who broke in is often just quickly selling that information, and the actual thieves may not use it for years.
Why are attackers trying to breach HR data security and acquire employee information?
Pescatore: The reason we're seeing this increased interest or increased compromise of HR-type information is because a lot of those systems are now being housed in third-party applications or in cloud apps.
People in HR have to try to be a little more suspicious.
John Pescatoredirector of emerging security trends, SANS
Quite often, HR people that have administrative access are the targets of phishing attacks. Attackers go to places like LinkedIn to look for somebody who says they work in HR, and then do targeted phishing attacks against HR employees by trying to pretend to be the IT organization.
Targeted attacks, in general, are getting more and more clever these days. They're trying to be very specific to your role. I think what's key is that people in HR have to try to be a little more suspicious.
How can HR managers protect their data better?
Pescatore: Most HR systems are not built internally; they are procured. HR managers should ask the CSIO, 'We're going out with an RFP [request for proposal] for a new system. Can you give me the security requirements we should be asking about?'
When we see breaches for an application, there are three major reasons for it. First, they are using a product that does not have sufficient security controls. It has vulnerabilities and the attackers exploit them. Second, they may have bought a product that does have capabilities to protect data, but they never bothered asking about it or how to turn it on or how to use it. Third, their employees were phished, and even though the system was capable of protecting the information, once the employee with access has given away his username and password, then all the security controls are bypassed.
What should organizations do to mitigate the damage to employees after a breach?
Pescatore: There's a natural tendency for organizations to say, after a breach is discovered, 'Well, do we have to tell anybody? Nothing bad seems to have happened yet.' That's wrong; that's always wrong.
Notifying people quickly is the first step. Then there's the usual step about paying for credit monitoring and identifying theft type monitoring services for them for a year. Those services themselves are not penicillin and are nothing you can't do by yourself on your own and for free, but the service providers do it all for you and give you a consolidated report.
The final step is making sure this doesn't happen again.
Do HR and IT organizations have good working relations in terms of HR data security?
Pescatore: It's all over the board. In some areas, I would say yes. Most companies have learned that when an employee is being fired, we should immediately turn off all his IT access.
But the particular issue of HR working with IT or IT security to make sure the information systems and services they're using are secure -- no. That, I think, is a big weak spot
What's a key piece of advice you can give managers to improve HR data security?
Pescatore: I would tell the HR manager to make sure the CISO is your friend and the two of you can work well together. With those two working together, they can almost invariably get the CIO and the IT team to support them.
