Are you tired of hearing about data breaches yet?
Thought so. It seems that the monthly data breach story has turned into the weekly data breach story. As our systems grow more complex, and we further integrate into the digital world, there are more opportunities for our sensitive data to be stolen. Additionally, cyber criminals are finding new ways to monetize their illicit activities, such as through ransomware and illicit Dark Web marketplaces where stolen data can be bought by identity thieves and sold by hackers. As a result, cybercriminals have never had so much opportunity and monetary incentive for their activities. So, for the foreseeable future, we can expect to see more of the same.
Unfortunately, Human Resource departments make great targets for cyber thieves because of the sensitive employee data they store, which may include:
- Personal Health Information
- Personally Identifiable Information
- Payroll data
- Employee performance ratings
- and much more What’s In Your Files?
W-2 data is especially valuable. If it is stolen, it can quickly be converted to ill-gotten gains by filing a fraudulent tax return, used to obtain a loan or credit cards, or any other variety of identity theft. Every tax year, we see dozens of reports about companies that fall victim to W-2 scams and accidentally send their employees’ W-2s to an attacker posing as an insider.
So, what can be done to minimize the risk of data theft from HR departments?
In 2015, three Google researchers published a study that highlights the differences in what experts and non-experts think are the top three things an Internet user can do to stay safe online. There are many lessons from this that HR departments can leverage to improve their security. As you might expect, there are areas where experts and non-experts agree and others where there is a significant divergence. Let’s take a look at the key chart from this report and see what sort of lessons we can learn:
1. Update System
The biggest lesson from this chart is the first metric shown on the left. One of the most effective cyber-defenses is staying up-to-date with your security patching, yet most people believe this to be unimportant . Many of the businesses that are victimized by ransomware and other cyber-attacks, are victimized because their systems are not patched with the latest security fixes that prevent those attacks from functioning.
Many modern exploits take advantage of weaknesses in Microsoft Office, Microsoft Windows, Adobe Acrobat/Reader (pdf files), Adobe Flash, and other popular software. These exploits are discovered by hackers and security researchers, and generally the big software vendors fix the exploits quickly. But we as users need to configure our software to allow for automatic updates, and, even though it is annoying, allow the updates to install and reboot the computers when practical so they are protected.
What is interesting is that the system update data point is roughly the inverse of “Use antivirus.” I’d speculate that the divergence of thought between experts and non-experts is due to the non-experts having been exposed to antivirus as the center point of home cybersecurity for 20+ years. Antivirus is still a corporate cybersecurity necessity, but experts believe it to be less important than it was in the past, probably due to so many virus detection mechanisms that reside at network layers placed between users and the internet (such as in SPAM filters and firewalls).
2. Use Unique Passwords
In preparation for this article, I logged into my password manager to see how many sites for which I had login credentials stored. I was shocked to see that I had 184 sites stored. That is 184 businesses that need to keep, maintain, and secure my account information. And there’s probably others not in there!
Many people reuse the same password at a number of websites because the human brain is not great at storing long strings of random characters. Let’s pretend I reuse the same password in each of those 184 sites. Then let’s pretend one of those sites was hacked and my user ID, email, and password is stolen. That information will likely be sold on the Dark Web to identity thieves who would take that email, user ID, and password, and start using them to try to log into popular banks, trading accounts, email accounts, and others to try to gain access to sensitive information and ultimately try to monetize my data for themselves. By reusing the passwords in 184 websites, I have created the conditions for widespread damage if there is a data breach in only one.
By using unique passwords, we guarantee that if our user ID and password is stolen from one business, it cannot be used to gain access to another account at another website.
For HR staff who have access to benefits systems, payroll systems, and other systems that store sensitive data, are you using the same password to log into those systems as you use in other personal online accounts? If so, you might be increasing the risk of data theft to your fellow employees.
Okay, I need unique passwords. But how do I remember all these passwords? I alluded to it before; password managers can be great to generate and store long, complex, and unique passwords. A password manager securely stores your passwords in a way that makes them retrievable by you and hopefully nobody else. They generally also have user conveniences that make it so that you don’t have to manually key in the long password.
What happens if the password manager gets hacked? This is a valid concern and ultimately it boils down to a personal decision. You have to ask yourself if you think the security benefit from having long, complex, and unique passwords from a password manager is greater than the risk that the password manager is hacked and all the data is stolen and decrypted.
The general consensus among security experts is that the benefit does outweigh the risk. Just looking at the chart above, we can see that four of the top five recommendations all relate to having strong authentication, and number five is “Use a password manager.”
3. Use two-factor authentication
Another area of great divergence between experts and non-experts relates to something called two-factor authentication (2FA), also sometimes called multi-factor authentication (MFA). Most 2FA solutions typically require three pieces of information from users to access their accounts:
- a user ID (something the user knows)
- a password (something the user knows)
- a token of some variety that is generated by a device carried by the user (something the user has)
The third item can be an access card, a mobile phone, or a key fob with a rotating pin code. Here’s an example of how they work:
You visit a website, enter your user ID and password, and authenticate. The website sends a temporary authorization pin code to your mobile phone in a text message. You receive the text on your phone, enter the pin code into the website, and access the account online. Without your phone, you would not have been able to log in.
An attacker who wants to bypass these protections needs more than just your user ID and password; they also need a physical device. With 2FA, the risk of unauthorized access from stolen or sold login credentials is greatly reduced. And yes, employees do sell passwords.
The great news with 2FA is that it is becoming more widely adopted every day. Many of the HR systems providers, such as payroll and benefits websites, offer the option to set up 2FA quickly and easily. HR departments should look into the online systems they use and try to enable 2FA if it is an available function. If it is not available, try to encourage your service provider to add the capability. User feedback is critical for developers to improve software.
There is obviously much more to think about with respect to corporate cybersecurity, but HR departments would be wise to consider the highly rated security measures identified by Google and discussed in this article to help keep their data safe.
Article Contributed to Inspiring HR, LLC by Chris Moschella, CPA, CISA with Keiter.
Keiter provides a wide-variety of cybersecurity services to their clients including, but not limited to: cybersecurity risk assessments, policy analysis, audit, penetration testing and vulnerability scanning, security awareness testing, custom phishing campaigns, and more. Organizations ready to tackle cybersecurity for the entire business can download Keiter’s free whitepaper.