Morey Haber says he sleeps like a baby. That is, he’s up every couple of hours. It’s a touch of cybersecurity humor if there is such a thing. Haber is the chief security officer at BeyondTrust, an identity security firm with clients around the world, and in his line of work, he’s seen some nightmares—and HR needs to be aware of them.
Phishing attacks, for example, which aim to get the recipient to divulge sensitive information or enable malicious software. “The payload is anything from credential theft to ransomware,” says Haber. In 2022 alone, business email compromise (BEC) attacks racked up around $3 billion in damages, according to the FBI. This is one of the most expensive cybercrime categories and one that Haber says HR leaders need to be familiar with.
BEC attacks are centered on messages that look like they are from HR or someone in the organization’s leadership or administration. These sources are often trusted by employees—which makes them key targets of cybersecurity threats. With proactive steps, CHROs and company leaders can get ahead of these incidents and reduce the number of times employees are tricked—and company security is put at risk.
Implement cybersecurity training and build processes
Poor internal processes, particularly a lack of employee training, are a common reason for phishing breaches, according to Haber. In fact, a study from IT security firm KnowBe4 revealed that more than 33% of untrained users would fail a phishing test. HR leaders should encourage colleagues and managers to speak to employees about cybersecurity accountability.
Support training that teaches exactly what a valid message from human resources will look like and from whom it will come. Providing context helps employees see the relevancy of cybersecurity in their daily job functions, according to Ani Banerjee, chief human resources officer at KnowBe4. “By breaking down the training into micro-lessons, companies can ensure better employee engagement and retention of security-related information,” he says.
Haber shares that not only is email a point of entry, but bad actors are also using SMS. He’s seen false messages that appear to be a request from a higher-up: “I’m in a meeting. Can you please help?” Importantly, employees might be less careful when getting a message—an email or a text—on a mobile phone. Distraction, multi-tasking or hurrying might make a recipient hasty to open a message without paying attention.
Vulnerability is further complicated when people use their personal devices for work tasks. According to reports from the cybersecurity group Agency, 80% of C-level respondents are likely to send work-related messages from their own mobile phones or computers regularly. These might not be equipped with the security measures that are installed on company-issued equipment. HR should develop policies around messaging from personal devices and be clear that messages from your department won’t come from external addresses or numbers.
Include training in onboarding
While many companies do have adequate training in place, Haber says that new hires are a vulnerable population, as they typically aren’t as familiar with internal processes and perhaps haven’t yet undergone cybersecurity training.
An email that appears to be from a company leader or human resources staffer might not look suspicious because the new employee doesn’t recognize inconsistencies. Haber shares that predators use bots to scrape LinkedIn, looking for recent profile changes to flag likely new hires to target, perhaps even before their first day at work: “They will find the path of least resistance.”
HR must consider online security as a “crucial component” of employment says Banerjee. This should happen as early as onboarding. “Rather than treating cybersecurity training as an infrequent task, HR should focus on developing regular and engaging training programs.”
New hires should also know precisely how onboarding paperwork and I-9 form verification will occur. These documents are rich with personal information that thieves desire. Do all that you can, Haber advises, to ensure the security of this information on behalf of newcomers.
Widespread cybersecurity concern
Digital security is on the front burner in the U.S. now. In the summer of 2023, the White House announced the National Cyber Workforce and Education Strategy to address a gap in cyber workforce needs, while also issuing commitments to build cybersecurity defenses at the nation’s K-12 schools. Also, the SEC has enhanced its cybersecurity disclosure requirements for public companies, while the state of New York and the U.S. Department of Homeland Security have made news for dedicating resources to mitigate cybersecurity problems.
While many HR leaders might think this topic belongs on the desks of security and information tech staff, Haber says that human resources execs often have to get involved.
“If [phishing] happens to more than one person, then it becomes HR’s problem,” says Haber.