No matter how prepared you are or how early you start, tax season is stressful, particularly for HR professionals.
Adding to the anxiety is the threat of cyberattacks, which seem to spike during the weeks leading up to the filing deadline. Tax time is hunting season for online criminals. This year alone saw a notable rise in cyberthreats with phishing and malware incidents up 400 percent.
As tax season finally comes to a close, corporate cyberattacks are on my mind even more than usual. The reality is, tax season isn’t the only time when companies are at risk – the threat is always there, particularly for HR professionals. Why? Because HR data is perhaps some of the most useful and vulnerable in an organization’s network. A single breach would give a cybercriminal access to critical information about every employee at a company in one fell swoop.
Alarmingly, many companies don’t take the necessary precautions to prevent these incidents or train employees on how to avoid them. Cybersecurity is the responsibility of everyone in an organization, and the best way to hold people accountable is through company-wide employee education.
At most organizations, executive leadership and the IT team will likely lead the development of an employee security training program given their areas of expertise. However, HR professionals should be involved too, as they’re often the driving force behind employee education. With that, HR pros need to come to the table armed with an understanding of how cyberattacks happen and a baseline plan of action that can actually be understood and implemented by all employees.
Not sure where to start? Let’s begin with the basics.
In a cyberattack, hackers attempt to steal or alter data and, in the worst case, disrupt or destroy a computer network. The results of a corporate cyberattack can be devastating to a company’s finances and reputation. To put the effects into perspective, the cost of cybercrime in the U.S. equals an annual average of $15.4 million per company.
The takeaway: The damage of a corporate cyberattack is tremendous and sometimes irreparable. Organizations must take proactive measures to help prevent attacks, as well as handle and contain an attack, should one happen. Implementing preventive plans – such as an employee security awareness and training program – and reactive plans – such as an employee crisis response checklist – is a good place to start.
Phishing emails are one of the easiest and most common ways for hackers to gain access to data, and everyone is at risk. In one recent, widespread attack, the perpetrator used a fake email address to impersonate company executives. From there, they were able to con payroll and human resources departments into forwarding W-2s and other tax forms, putting employees’ Social Security numbers and other personal information in enemy hands. While it may sound like an easy scam to spot, hackers can be convincing and know how to blend in online.
The takeaway: Employees at every level could be a target for hackers. Organizations need to invest in educating employees on how to recognize these emails. A useful approach is to run a mock attack: send employees simulated phishing emails that appear to come from someone within the organization. This allows the company to see how many people open the emails and click on the links, which can then be used to demonstrate risks and educate employees on how to adjust their behaviors moving forward.
Keep in mind that cybercriminals are relentless. They continue to evolve their tactics in order to surprise and confuse potential victims. This means that education has to take place on a regular basis and keep pace with new developments so that employees are aware of the latest threats.
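The executive-impersonation scam described above has a few tell-tale signs that a mail filter or a security team can check for automatically: a display name that matches an executive but a sender address that does not, a sender domain that is a near-miss lookalike of the company's own, a Reply-To that diverts responses elsewhere, and a subject asking for tax or payroll documents. The following is an added illustration, not code from the original post; the company domain, executive directory and sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Constructed sample data (not from the original post): the company's domain
# and a short directory of executives whose names an impersonator might borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john smith": "john.smith@example.com"}
TAX_TERMS = re.compile(r"\b(w-?2s?|1099|tax form|payroll)\b", re.I)

def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(headers):
    """Return the reasons an inbound message looks like executive
    impersonation aimed at HR or payroll. An empty list means no finding."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")
    if domain and domain != COMPANY_DOMAIN and levenshtein(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"sender domain {domain} is a lookalike of {COMPANY_DOMAIN}")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        reasons.append(f"Reply-To {reply} differs from From address")
    if TAX_TERMS.search(headers.get("Subject", "")):
        reasons.append("subject requests tax or payroll documents")
    return reasons

# Constructed sample headers resembling the W-2 scam; every check fires.
SAMPLE = {
    "From": "Jane Doe <jane.doe@examp1e.com>",
    "Reply-To": "ceo.office@mail-relay.example.net",
    "Subject": "Urgent: send all employee W-2s today",
}

if __name__ == "__main__":
    for reason in assess(SAMPLE):
        print("flag:", reason)
```

Any single finding is only a hint; the value of the combination is that a genuine executive request rarely trips more than one of these checks at once, which is what makes the case worth a phone call to the executive before any tax form leaves the building.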
Though many attacks happen via email, there is no limit to the ways hackers can get into a company’s data network. Weak and stolen credentials are a common culprit, as are application vulnerabilities and “backdoors,” which allow perpetrators to bypass standard authentication to access a computer system. And the risks aren’t confined to the online world. Some hackers use “old school” techniques, like a phone call, to pry information out of employees.
The takeaway: Employees should always be on the lookout for threats and question anything that seems suspicious or out of the norm. The IT team should be informed immediately when an employee loses their credentials, or if a device appears to have a virus, so that action can be taken to prevent further damage.
Social networking is fueling the bad guys today. Before they make their move, cybercriminals learn as much as possible about the organization they plan to attack. They go to LinkedIn to understand the organization’s hierarchy and figure out how they can get the most money out of the scam.
The takeaway: It’s imperative to train employees how to keep their social profiles secure. In particular, anyone who serves as a face of the organization should be extra diligent about their social media presence, including who they connect and engage with.
To learn more, check out our white paper on data security, and stay tuned for future posts about the intersection of HR and technology.