{"id":17958,"date":"2021-01-28T19:52:06","date_gmt":"2021-01-28T15:52:06","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/hr-related-threats\/17958\/"},"modified":"2021-01-28T19:52:06","modified_gmt":"2021-01-28T15:52:06","slug":"hr-related-threats","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/hr-related-threats\/17958\/","title":{"rendered":"Targeting HR with cyberthreats"},"content":{"rendered":"<p>Some professions are simply more susceptible to cyberattacks than others, regardless of the type of business. Today, we\u2019re focusing on the cyberthreats aimed at professionals who work in human resources. The simplest, but far from the only, reason is that HR employees\u2019 e-mail addresses are published on corporate sites for purposes of recruitment \u2014 they\u2019re easy to find.<\/p>\n<h2>Cyberthreats targeting HR<\/h2>\n<p>In human resources, employees occupy a rather unusual position: They receive mountains of correspondence from outside the company, but they also tend to have access to personal data that the company cannot afford to leak.<\/p>\n<h3>Incoming mail<\/h3>\n<p>Typically, cybercriminals penetrate the corporate security perimeter by sending an employee an e-mail containing a malicious attachment or link. That\u2019s why we always advise readers not to open suspicious e-mails with attachments or click on links sent by unknown individuals. For an HR professional, that advice would be ridiculous. The majority of external e-mails they get are likely to be from strangers, and many include an attachment with a r\u00e9sum\u00e9 (and sometimes a link to sample work). As a guess, we\u2019d say at least half of them look suspicious.<\/p>\n<p>Moreover, portfolios or samples of past work sometimes come in uncommon formats, such as highly specialized CAD program files. The very nature of the job requires HR employees to open and review the contents of such files. 
Even if we forget for the moment that cybercriminals sometimes disguise a file\u2019s true purpose by altering the file extension (is it a CAD file, RAW photos, a DOC, an EXE?), not all such programs are kept up to date, and not all have been thoroughly tested for vulnerabilities. Experts often find security holes that allow arbitrary code execution even in widespread, regularly analyzed software, such as Microsoft Office.<\/p>\n<h3>Access to personal data<\/h3>\n<p>Large companies might have a variety of specialists responsible for communication with job seekers and for work with current employees, but small businesses are more likely to have just one HR rep for all occasions. That one person most likely has access to all personnel data held by the company.<\/p>\n<p>However, an attacker does not even need to reach that data store: compromising just the HR specialist\u2019s mailbox usually does the trick, because the r\u00e9sum\u00e9s sitting in it are personal data in their own right. Applicants who send r\u00e9sum\u00e9s might explicitly or tacitly give a company permission to process and store their personal data, but they\u2019re definitely not agreeing to hand it over to unknown outsiders. Cybercriminals can leverage access to such information for blackmail.<\/p>\n<p>And on the topic of extortion, we also must consider ransomware. Before depriving the owner of access to data, the latest strains often <a href=\"https:\/\/www.kaspersky.com\/blog\/ransomware-data-disclosure\/32410\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">steal it<\/a> first. If that sort of malware lands on an HR computer, the thieves can hit a personal data jackpot.<\/p>\n<h3>A foothold for more convincing BEC attacks<\/h3>\n<p>From the attacker\u2019s side, relying on credulous or untrained employees to make mistakes is a hit-and-miss strategy. The more difficult but more effective <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-bec-attack\/34135\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">business e-mail compromise (BEC)<\/a> attack is now a major threat. 
Attacks of this type often aim to seize control of an employee\u2019s mailbox and convince their colleagues to transfer funds or forward confidential information. To ensure success, cybercriminals need to hijack the mail account of someone whose instructions will probably be followed \u2014 most often, an executive. The active phase of the operation is preceded by the long and painstaking task of finding a suitably high-ranking employee. And here, an HR mailbox may come in very handy indeed.<\/p>\n<p>On the one hand, as mentioned above, it is easier to get HR to open a phishing e-mail or link. On the other hand, company employees are likely to trust an e-mail from human resources. HR regularly sends applicants\u2019 r\u00e9sum\u00e9s to department heads. Of course, HR also sends internal documents to the company at large. That makes a hijacked HR mail account an effective platform for launching a BEC attack <em>and<\/em> for lateral movement across the corporate network.<\/p>\n<h2>How to protect HR computers<\/h2>\n<p>To minimize the likelihood of intruders penetrating the HR department\u2019s computers, we recommend following these tips:<\/p>\n<ul>\n<li>Isolate HR computers on a separate subnet if possible, minimizing the likelihood of threat spread to the corporate network even in the event that one computer gets compromised;<\/li>\n<li>Do not store personally identifiable information on workstations. Instead, keep it on a separate server or, better yet, in a system made for such information and protected with multifactor authentication;<\/li>\n<li>Heed HR professionals\u2019 advice regarding <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">cybersecurity awareness training<\/a> for the company \u2014 and place them first in line for that training;<\/li>\n<li>Urge HR reps to pay close attention to the formats of files sent by applicants. 
Recruiters should be able to recognize an executable file, including one hiding behind a double extension such as resume.pdf.exe, and know not to run it. Ideally, work together to draw up a list of acceptable file formats for r\u00e9sum\u00e9s and work samples, publish that list in job listings so that bona fide applicants know what to send, and treat anything outside it as suspect.<\/li>\n<\/ul>\n<p>Last but by no means least, adhere to basic security practices: Update software on HR computers in a timely manner, maintain a strict and easy-to-follow password policy (no weak or duplicate passwords for internal resources; change all passwords regularly), protect HR mailboxes with multifactor authentication so that a phished password alone does not hand an attacker the account, and on every machine install a <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">security solution<\/a> that responds promptly to new threats and identifies attempts to exploit vulnerabilities in software.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why the computers in human resources are especially vulnerable, and how to protect them. 
<\/p>\n","protected":false},"author":700,"featured_media":17959,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[2176,1815,2408,363,76],"class_list":{"0":"post-17958","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-bec","10":"tag-e-mail","11":"tag-hr","12":"tag-personal-data","13":"tag-phishing"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/hr-related-threats\/17958\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/hr-related-threats\/22468\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/hr-related-threats\/24173\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hr-related-threats\/22250\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/hr-related-threats\/20944\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/hr-related-threats\/24612\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/hr-related-threats\/23820\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/hr-related-threats\/29990\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/hr-related-threats\/9285\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hr-related-threats\/38614\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/hr-related-threats\/16327\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/hr-related-threats\/16915\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/hr-related-threats\/14437\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/hr-related-threats\/26153\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/hr-related-threats\/29955\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/hr-related-threats\/26645\/"},{"hreflang":"r
u-kz","url":"https:\/\/blog.kaspersky.kz\/hr-related-threats\/23473\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hr-related-threats\/28848\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hr-related-threats\/28654\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/e-mail\/","name":"e-mail"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=17958"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17958\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/17959"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=17958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=17958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=17958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
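The file-format allow-list recommended under "How to protect HR computers" in the post above, turned into a check that can run on a mail gateway or on the HR workstation before an attachment is opened. This is an added example, not code from the original post or from Kaspersky. It verifies each attachment by its leading bytes rather than by its name, since the post notes that attackers alter extensions, and it also catches two disguises the name alone can carry: a double extension such as resume.pdf.exe, and a Unicode right-to-left override that makes an .exe display as a .pdf. The allow-list, the signatures, the constructed sample attachments (including a minimal in-memory .docx built with the standard zipfile module) and all function names are assumptions chosen for illustration.

```python
# Added example (not the post's or Kaspersky's code); allow-list, signatures, samples are assumed.
import io
import zipfile
from dataclasses import dataclass

# Formats HR agreed to accept (assumed list; add agreed portfolio formats, e.g. CAD, here).
ALLOWED = {".pdf", ".docx", ".doc", ".rtf", ".txt"}
# Leading bytes per accepted format: .docx is an OOXML zip, .doc an OLE2 file; .txt has none.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".rtf": (b"{\\rtf",),
}
# Executable signatures are rejected whatever the extension claims.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}
# Bidi overrides make "cv\u202efdp.exe" display as "cvexe.pdf" in a file list.
BIDI_OVERRIDES = ("\u202e", "\u202d")

@dataclass
class Verdict:
    allowed: bool
    reason: str

def screen_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether an attachment may be opened, and say why."""
    name = filename.strip()
    if any(ch in name for ch in BIDI_OVERRIDES):
        return Verdict(False, "bidi override character in filename")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(False, "no file extension")
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        hint = ""
        if len(parts) > 2 and "." + parts[-2] in ALLOWED:
            hint = " (double extension posing as a document)"
        return Verdict(False, f"extension {ext} not on allow-list{hint}")
    head = data[:8]
    for sig, desc in EXECUTABLE_MAGIC.items():
        if head.startswith(sig):
            return Verdict(False, f"{desc} disguised with {ext} extension")
    if ext == ".txt":  # no signature: require NUL-free, valid UTF-8 content
        if b"\x00" in data:
            return Verdict(False, "binary content in .txt")
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return Verdict(False, "non-UTF-8 content in .txt")
        return Verdict(True, "plain text")
    if not any(head.startswith(sig) for sig in MAGIC[ext]):
        return Verdict(False, f"content does not match {ext} signature")
    if ext == ".docx":
        return _check_docx(data)
    return Verdict(True, f"{ext} signature matches")

def _check_docx(data: bytes) -> Verdict:
    """A .docm renamed to .docx still carries its VBA project inside the zip; refuse it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names or "word/document.xml" not in names:
                return Verdict(False, "zip is not a Word document")
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return Verdict(False, "macro-enabled document disguised as .docx")
            if b"macroEnabled" in zf.read("[Content_Types].xml"):
                return Verdict(False, "macro-enabled content type inside .docx")
    except zipfile.BadZipFile:
        return Verdict(False, "corrupt or truncated .docx")
    return Verdict(True, ".docx without VBA project")

def make_docx(with_vba: bool) -> bytes:
    """Constructed minimal OOXML zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def demo() -> dict:
    """Constructed sample inbox: filename -> Verdict."""
    samples = [
        ("resume.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("resume.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),     # double extension
        ("portfolio.pdf", b"MZ\x90\x00" + b"\x00" * 60),      # PE renamed to .pdf
        ("cv\u202efdp.exe", b"MZ\x90\x00"),                    # shows as cvexe.pdf
        ("cv.docx", make_docx(with_vba=False)),
        ("cv_macros.docx", make_docx(with_vba=True)),         # .docm renamed to .docx
        ("cover_letter.txt", b"Dear hiring manager,\n"),
        ("samples.dwg", b"AC1032"),                           # format not agreed with HR
    ]
    return {name: screen_attachment(name, data) for name, data in samples}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{'ALLOW' if verdict.allowed else 'BLOCK':5} {name!r}: {verdict.reason}")
```

Extend ALLOWED and MAGIC with whatever portfolio formats HR and the hiring managers agree on; a format with no reliable signature (plain text above) only gets a weaker content check, and anything the check cannot classify should be treated as suspect rather than opened in its native application.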