HR directors, are you aware that you are cyber targets?

HR departments handle hundreds of sensitive data items on a daily basis. Payroll, sick leave, résumés, bank account details (RIB)… so much information that is a goldmine for online attackers. Between risk analysis and awareness, here are some tips to protect yourself.

This is obvious, but it still needs to be acted on: by its position within the organization, the human resources function occupies a central place, which also makes it a preferred target for cyber attacks. In fact, whatever the size of the organization, human resources management sits at the crossroads of a great deal of highly sensitive information. Insights from our experts Benoit Grunenwald, cybersecurity expert at ESET, and Maître Claire Poirson, partner in new technologies law at BERSAY.

A lot of sensitive data passes through the human resources department

Judge for yourself: salaries, personal situations, illnesses, layoffs, health insurance, tax returns… A lot of data goes through HR, at the crossroads of financial issues.

Whether it is business development, acquisitions, the search for new talent, or the financing of a development plan, human resources are at the heart of expansion and restructuring projects.

Indeed, the list of sensitive data passing through human resources is long, and it attracts the interest of attackers. It opens up a wide range of possibilities, from social benefit fraud to bank fraud.

Remote working has increased digital risks for HR directors, who must be vigilant about the remote-working tools they provide to their employees.

Where does the threat come from?

Threats can be external: ransomware, defacement, denial of service, or fraud. For example, denial-of-service attacks on French and European companies have doubled since the beginning of the Ukrainian crisis.

The threats are often internal, too. The theft of strategic corporate data can come from a finance or marketing executive who is careless, or even malicious, in a context of espionage, competition, or unfair competition.

But there is another threat that is often forgotten: subcontractors, who can sometimes be the weakest link in a company. A subcontractor does not necessarily have the same operations, the same security plans, or the same business continuity and recovery plans as the company, and attackers often try to get into the system through them.

Protect yourself with actions and awareness

How do you guard against this threat? First, by working on employee awareness.

HR directors, build feedback loops around you so that employees do not act on the first request that comes in. In an era of widespread remote work, raising employee awareness of digital security by communicating best practices and incorporating these commitments into the company's HR documents has become vital to a company's data security policy.

We know that phishing will often come via email. We also know that cyber attackers are increasingly cunning, some even going so far as to use voice deepfakes: artificial intelligence tools that use voice cloning to impersonate, over the phone, … of a company.

Learn how to assess every request, and ask yourself the right questions before acting: is it normal for this person to ask me to do this while skipping the applicable procedures? Get into the habit of flagging anything unusual and applying verification measures agreed in advance and known only to you. To deal with unexpected situations, practise and test these procedures so that they keep evolving.

Protecting Yourself with Technology: Anticipating and Simulating Cyber Attacks

Other means of protection are of a purely technical nature.

Protect your email first, because that is where phishing will start, especially as these tools are increasingly collaborative.

Also consider enabling the security features of your video conferencing tools.

Protect every device connected to your HR department that is equipped with a hard disk. Have you thought about your networked printers? Have you noticed the fleet of cameras? In both cases, these devices are widely used to process sensitive information: letters to employees, résumés, pay slips, ID cards, etc.

It is also advisable to review the current system beforehand. What type of data do you hold? What are you dealing with? How sensitive is this data? Are personal data regulations complied with? What data security commitments does the company have with its subcontractors and employees? Has the company's IT and remote-working charter been put in place with regard to employees? What security systems are already in place in your company? Do you have a security team that is effective enough? Does your senior management provide adequate financial resources for a cyber compliance and resilience plan?

It is also a matter of properly managing the comings and goings between HR directors and staff, and even with candidates applying for positions. Pay special attention to exchanges of sensitive emails between your mailbox and a candidate's personal email account: you have no assurance that the candidate's computer is not infected.

Also set up a procedure for when a candidate is not selected: how long do you keep their CV, given the rules on the protection of personal data (the well-known General Data Protection Regulation, GDPR)? Should this data be kept in the cloud or on an offline medium? At this stage, HR directors are advised to conduct a data compliance audit, covering personal data, and to prepare a cyber resilience plan so that any crisis or data leak can be managed when the time comes. We recommend storing this data on "cold" storage, that is, outside the cloud, until it is erased.
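The retention procedure described above can be enforced mechanically rather than by memory. The following script is an added example, not code from the original article or from the experts quoted in it: it walks a constructed set of candidate records and lists the rejected candidates whose files have outlived a retention period. The retention period, the `CandidateRecord` fields and the record statuses are all assumptions; the GDPR does not fix a number of days, so `RETENTION_DAYS` must be set to the period your own policy and legal advice define.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed retention period (hypothetical value for the example); set it to your own policy.
RETENTION_DAYS = 730


@dataclass
class CandidateRecord:
    """Minimal applicant-tracking record (assumed schema, not a real product's)."""
    candidate_id: str
    status: str                      # one of "hired", "rejected", "pending"
    decision_date: Optional[date]    # day the application was closed, if it was
    consent_to_keep: bool            # candidate explicitly agreed to stay on file


def is_due_for_deletion(rec: CandidateRecord, today: date,
                        retention_days: int = RETENTION_DAYS) -> bool:
    """True when a rejected candidate's file has exceeded the retention period."""
    if rec.status != "rejected":
        return False                 # hired and pending files follow other rules
    if rec.decision_date is None:
        return False                 # no closing date recorded: flag for manual review instead
    if rec.consent_to_keep:
        return False                 # consented retention has its own, separate schedule
    return today - rec.decision_date > timedelta(days=retention_days)


def records_to_purge(records: List[CandidateRecord], today: date,
                     retention_days: int = RETENTION_DAYS) -> List[str]:
    """Return the ids of the records to erase; the caller performs the actual deletion."""
    return [r.candidate_id for r in records
            if is_due_for_deletion(r, today, retention_days)]


# Constructed sample data for the example.
SAMPLE_RECORDS = [
    CandidateRecord("C-001", "rejected", date(2021, 6, 1), consent_to_keep=False),
    CandidateRecord("C-002", "rejected", date(2023, 9, 1), consent_to_keep=False),
    CandidateRecord("C-003", "hired", date(2021, 6, 1), consent_to_keep=False),
    CandidateRecord("C-004", "rejected", date(2021, 6, 1), consent_to_keep=True),
    CandidateRecord("C-005", "pending", None, consent_to_keep=False),
]

if __name__ == "__main__":
    for cid in records_to_purge(SAMPLE_RECORDS, date(2024, 1, 1)):
        print("erase candidate file:", cid)
```

The function only reports what should be erased; wiring it to the actual deletion (and to an audit log of what was erased and when) is deliberately left to the caller, so that the erasure step can be reviewed before it runs.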

HR directors, you will have understood: your data, as well as the movements you make within your organization, are far from trivial. Reconsider how you use your tools in your daily practice in light of the cyber risks that now exist on a large scale. Think in terms of security, including with your teams or across functions with your CIO: there are certainly opportunities to protect the data of your employees and future employees, and at the same time your "employer brand".
