
Russian Cyberattacks Keep Employers Fretting Amid Ukraine War

The Russian invasion and attack against Ukraine has sparked worldwide condemnation among companies worried about cyberattacks targeting their operations.

Human resources will serve as the go-between with their companies’ IT departments and the entire staff, so preparing for any cyberattacks needs to be a top HR priority, HR Dive reports. “HR has historically been responsible for communicating policies and work expectations even if they aren't produced through a written policy,” said Elizabeth Chilcoat, an associate at Sherman & Howard. “That’s really what's necessary for cybersecurity to be effective.”

Chilcoat also notes that it's up to HR to explain in simple English what the policy is following a cyberattack, both to keep things calm and to ensure compliance. “As a lawyer, it's very easy to sit in my ivory tower and say what employers should do is be totally risk-averse. 'Let's go back to the old days, where we did paper time cards and manual calculation.' That's not realistic,” she said. “The best thing a company can do is be prepared for how it is going to deal with the worst-case scenario.”

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in its Shields Up campaign that Russia’s attack against Ukraine has included cyberattacks on its government and critical infrastructure. At the time, the agency noted that there were no known cyber threats against U.S. entities, but that “every organization—large and small—must be prepared to respond to disruptive cyber activity.”

“When cyber incidents are reported quickly, we can use this information to render assistance and as warning to prevent other organizations and entities from falling victim to a similar attack,” the agency noted on its website.

On February 26, CISA and the FBI released a joint alert warning organizations of “destructive malware” that has been used against organizations in Ukraine and could be used to target U.S. entities. “Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries,” CISA and the FBI noted in the release. “Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.”

The bad news for HR is that its staff may be high-value targets for cyberattacks in which fake job seekers reach out to companies with an email attachment, TechTarget reports, citing experts.

“This is one of the most dangerous entry points,” said Steve Tcherchian, CISO and chief product officer at Xypro Technology Corp. “That's how the payload, in most cases, gets delivered onto the corporate network—it's not any more sophisticated than that.” Tcherchian adds that HR is “on the front lines when it comes to this, especially right now.”

Attackers posing as job applicants can take information from a company’s website to create very credible phishing scams, said Eyal Benishti, founder and CEO of Atlanta-based IronScales, an email security company. That means savvy attackers “can use the language that HR is using” in selling themselves as a real job applicant, he added.

HR is “constantly communicating with people that they don't know and don't trust” and “it's perfectly acceptable to receive a CV [curriculum vitae] in the format of Word or PDF file,” Benishti said.

The reality facing HR is that “the only way to attack-proof the system is to make sure that nobody can access it,” Chilcoat told HR Dive. “And that's just not practical.”

In light of this challenge, HR departments need to implement a top-notch response plan. This may entail, for example, providing employees free auditor services should Social Security numbers become compromised. Companies may also want to bring in forensic experts to help them understand the specifics of an attack, Chilcoat said.

HR staff also need to be upfront with workers and steer clear of speculation, she said. “Be sure that you maintain your credibility,” she said. “You're letting employees know that you don't know the answer to some of these questions and that you will answer them as soon as you can.”
