The Ukraine war raises cybersecurity risks, and HR may be the top target for attack, experts warned.
An entry point for an attack is an email attachment from someone posing as a job seeker. Attackers can write a believable email using language from a posted job ad and what they find on the web about a firm. The email may include a PDF or document with a malicious payload.
"This is one of the most dangerous entry points," said Steve Tcherchian, CISO and chief product officer at Xypro Technology Corp. "That's how the payload, in most cases, gets delivered onto the corporate network -- it's not any more sophisticated than that." The firm provides cybersecurity for mainframes and HPE NonStop systems and is based in Simi Valley, Calif.
HR is "on the front lines when it comes to this, especially right now," Tcherchian said.
Tcherchian's firm has created a "sandbox environment" for job applications -- a separate space not connected to a corporate network. "If there is something malicious in there, the only thing that's damaged is the sandbox environment, and you could throw that away," he said.
A U.S. cybersecurity advisory Saturday urged organizations and businesses to review their cyber posture. It highlighted destructive malware used in Ukraine that rendered systems inoperable and warned it may "unintentionally spill over to organizations in other countries." The Cybersecurity and Infrastructure Security Agency and FBI advisory made several business cybersecurity recommendations, including keeping software updated, enabling multifactor authentication and running regular antivirus and antimalware scans.
HR can also refresh cybersecurity employee training, review business continuity plans with third-party vendors and consult outside experts on ways to strengthen business cybersecurity. But job application emails may pose the most immediate risk.
Attackers gather intelligence
Attackers posing as job applicants can mount sophisticated phishing scams because they can gather intelligence from a firm's website, said Eyal Benishti, founder and CEO of Atlanta-based IronScales Ltd., an email security company. An attacker has real information to work with and "can use the language that HR is using," he said.
HR "may be the weakest part of the attack surface," Benishti said.
HR is "constantly communicating with people that they don't know and don't trust," and "it's perfectly acceptable to receive a CV [curriculum vitae] in the format of Word or PDF file," he said.
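The two points above, that the payload arrives as a résumé attachment and that a PDF or Word file is exactly what HR expects, suggest a pre-screen that runs before anyone opens the file in the disposable sandbox Tcherchian describes. The following is an added example, not code from Xypro, IronScales or the article. It assumes a hypothetical policy that applicants may send only .pdf, .docx or .rtf files, and it uses static heuristics only: PDF name tokens that trigger scripts or auto-execution, VBA projects and external (remote-template) relationships inside the OOXML ZIP container, OLE objects in RTF, and a mismatch between the file extension and the real format. All sample attachments are constructed inline; they contain no real malware.

```python
import io
import re
import zipfile

# Assumed intake policy: applicants may send only these (hypothetical, not from the article).
ALLOWED_EXT = {".pdf", ".docx", ".rtf"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".pptm"}
# What the bytes should look like for a given extension.
EXPECTED_FORMAT = {".pdf": "pdf", ".docx": "ooxml", ".docm": "ooxml", ".dotm": "ooxml",
                   ".xlsm": "ooxml", ".pptm": "ooxml", ".rtf": "rtf", ".doc": "ole"}
# PDF name tokens that carry scripts, auto-execution or embedded files; a CV has no use for them.
PDF_ACTIVE_TOKENS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                     b"/Launch", b"/EmbeddedFile", b"/RichMedia"]
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file header


def detect_format(data: bytes) -> str:
    """Classify by magic bytes, never by the name the sender chose."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"


def pdf_indicators(data: bytes) -> list:
    """Static scan for active-content tokens; the lookahead stops /JS matching a longer name."""
    return ["pdf:" + tok.decode() for tok in PDF_ACTIVE_TOKENS
            if re.search(re.escape(tok) + rb"(?![A-Za-z0-9])", data)]


def ooxml_indicators(data: bytes) -> list:
    """Open the .docx ZIP in memory: look for a VBA project and for external relationships."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                lower = name.lower()
                if lower.endswith("vbaproject.bin"):
                    hits.append("ooxml:vba-project")
                # A remote template or linked object is fetched from the sender's server on open.
                if lower.endswith(".rels") and b'TargetMode="External"' in zf.read(name):
                    hits.append("ooxml:external-relationship:" + name)
    except zipfile.BadZipFile:
        hits.append("ooxml:not-a-zip")
    return hits


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return indicators and a verdict. Anything that passes still opens only in the sandbox."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    fmt = detect_format(data)
    indicators = []
    if ext in MACRO_EXT:
        indicators.append("name:macro-enabled-extension:" + ext)
    elif ext not in ALLOWED_EXT:
        indicators.append("name:unexpected-extension:" + (ext or "<none>"))
    expected = EXPECTED_FORMAT.get(ext)
    if expected and fmt != expected:
        indicators.append(f"content:format-mismatch:{ext}-vs-{fmt}")
    if fmt == "pdf":
        indicators += pdf_indicators(data)
    elif fmt == "ooxml":
        indicators += ooxml_indicators(data)
    elif fmt == "rtf" and b"\\objdata" in data:
        indicators.append("rtf:embedded-ole-object")
    elif fmt == "ole":
        indicators.append("ole:legacy-binary-format")  # needs a real OLE parser inside the sandbox
    elif fmt == "unknown":
        indicators.append("content:unknown-format")
    return {"file": filename, "format": fmt, "indicators": indicators,
            "verdict": "block" if indicators else "open-in-sandbox"}


# Constructed samples (not real documents, not real malware).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_docx(extra: dict) -> bytes:
    """Build a minimal in-memory .docx so the ZIP checks have something real to read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>constructed CV text</w:document>")
        for name, body in extra.items():
            zf.writestr(name, body)
    return buf.getvalue()


BENIGN_DOCX = build_docx({})
MACRO_DOCX = build_docx({
    "word/vbaProject.bin": b"\x00constructed-placeholder",
    "word/_rels/settings.xml.rels": (b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                                     b'officeDocument/2006/relationships/attachedTemplate" '
                                     b'Target="http://example.invalid/t.dotm" TargetMode="External"/>'),
})

if __name__ == "__main__":
    for name, blob in [("cv.pdf", BENIGN_PDF), ("cv.pdf", JS_PDF), ("resume.docx", MACRO_DOCX),
                       ("resume.pdf", BENIGN_DOCX), ("resume.pdf.exe", b"MZ\x90\x00")]:
        print(triage_attachment(name, blob))
```

The verdict only decides whether a file is worth a recruiter's time at all; a clean result means nothing more than "open it in the throwaway environment, not on the corporate network". The checks are deliberately cheap and format-aware rather than signature-based, because a résumé-themed lure is usually a fresh document that no antivirus signature will catch on the first day.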
Another business cybersecurity risk is a third-party disruption, illustrated in December by the UKG Inc. payroll ransomware attack. Resuming services took about a month.
The payroll outage problems prompted some users to turn to paper records, spreadsheets and hours worked estimates.
For HR, minimizing third-party vendor disruptions might mean ensuring backup procedures.
If an electronic benefits enrollment system goes down, for instance, it could delay benefits for a new employee, said Chad Sorenson, president of the HR Florida State Council, which represents 14,000 small to midsize firms and organizations in the state. He is also president of Adaptive HR Solutions, a consulting firm in Jacksonville, Fla.
A backup plan
"What's your paper backup, because the benefits still have to be done," Sorenson said.
Another option might be to turn to a backup provider. Shortly after the UKG payroll outage, WorkForce Software in Livonia, Mich., announced a backup service called the Rapid Response program for users that could be readied in 24 hours.
WorkForce provides pay calculations and scheduling, particularly for firms with hourly or shift workers with complex pay rules, said Sandra Moran, chief marketing officer at WorkForce Software. The system calculates the pay and then sends it to a payroll provider. SAP is a reseller of it, she said.
The Rapid Response program was offered at cost, and the firm is evaluating whether it will become a permanent backup offering.
Another step HR managers can take is to audit the data shared with third-party vendors, said Erik Ashley, who manages HR technology at Schellman & Co., a professional services firm in Tampa, Fla.
Schellman's audit, which began before the Ukraine crisis, reviews all the information it sent to third-party vendors. Ashley said it would ensure that vendors don't receive information about employees beyond what they need to provide a service.
Concerning vendor cybersecurity, Ashley said one of the first things he would do is "look at their security, and their commitment to security and data privacy."
A significant role for HR is business cybersecurity training, Ashley said. Developing a business cybersecurity program will likely be a collaborative job involving HR, IT and others, but training administration will fall on HR, he said.
The training must be effective, HR Florida State Council's Sorenson said. He said HR has to find out whether the training is improving security and may have to continually reinforce the training and test employees.
Sorenson said some HR organizations might believe that business cybersecurity is IT's worry, "but I think HR is a critical part in ensuring IT's success in whatever they do."
Patrick Thibodeau covers HCM and ERP technologies for TechTarget. He's worked for more than two decades as an enterprise IT reporter.