Targeting HR with cyberthreats

Some professions are simply more susceptible to cyberattacks than others, regardless of the type of business. Today, we’re focusing on the cyberthreats aimed at professionals who work in human resources. The simplest, but far from the only, reason is that HR employees’ e-mail addresses are published on corporate sites for purposes of recruitment — they’re easy to find.

Cyberthreats targeting HR

In human resources, employees occupy a rather unusual position: They receive mountains of correspondence from outside the company, but they also tend to have access to personal data that the company cannot afford to leak.

Incoming mail

Typically, cybercriminals penetrate the corporate security perimeter by sending an employee an e-mail containing a malicious attachment or link. That’s why we always advise readers not to open suspicious e-mails with attachments or click on links sent by unknown individuals. For an HR professional, that advice would be ridiculous. The majority of external e-mails they get are likely to be from strangers, and many include an attachment with a résumé (and sometimes a link to sample work). As a guess, we’d say at least half of them look suspicious.

Moreover, portfolios or samples of past work sometimes come in uncommon formats, such as highly specialized CAD program files. The very nature of the job requires HR employees to open and review the contents of such files. Even if we forget for the moment that cybercriminals sometimes disguise a file’s true purpose by altering the file extension (is it a CAD file, RAW photos, a DOC, an EXE?), not all such programs are kept up to date, and not all have been thoroughly tested for vulnerabilities. Experts often find security holes that allow arbitrary code execution even in widespread, regularly analyzed software, such as Microsoft Office.

Access to personal data

Large companies might have a variety of specialists responsible for communication with job seekers and for work with current employees, but small businesses are more likely to have just one HR rep for all occasions. That one person most likely has access to all personnel data held by the company.

However, if you’re looking to cause trouble, compromising just the HR specialist’s mailbox usually does the trick. Applicants who send résumés might explicitly or tacitly give a company permission to process and store their personal data, but they’re definitely not agreeing to hand it over to unknown outsiders. Cybercriminals can leverage access to such information for blackmail.

And on the topic of extortion, we also must consider ransomware. Before depriving the owner of access to data, the latest strains often steal it first. If that sort of malware lands on an HR computer, the thieves can hit a personal data jackpot.

A foothold for more convincing BEC attacks

Relying on credulous or uneducated employees to make mistakes is risky. The more difficult but more effective business e-mail compromise (BEС) attack is now a major player. Attacks of this type often aim to seize control of an employee’s mailbox and convince their colleagues to transfer funds or forward confidential information. To ensure success, cybercriminals need to hijack the mail account of someone whose instructions will probably be followed — most often, an executive. The active phase of the operation is preceded by the long and painstaking task of finding a suitably high-ranking employee. And here, an HR mailbox may come in very handy indeed.

On the one hand, as mentioned above, it is easier to get HR to open a phishing e-mail or link. On the other hand, company employees are likely to trust an e-mail from human resources. HR regularly sends applicants’ résumés to department heads. Of course, HR also sends internal documents to the company at large. That makes a hijacked HR mail account an effective platform for launching a BEС attack and for lateral movement across the corporate network.

How to protect HR computers

To minimize the likelihood of intruders penetrating the HR department’s computers, we recommend following these tips:

• Isolate HR computers on a separate subnet if possible, minimizing the likelihood of threat spread to the corporate network even in the event that one computer gets compromised;
• Do not store personally identifiable information on workstations. Instead, keep it on a separate server or, better yet, in a system made for such information and protected with multifactor authentication;
• Heed HR professionals’ advice regarding cybersecurity awareness training for the company — and place them first in line for that training;
• Urge HR reps to pay close attention to the formats of files sent by applicants. Recruiters should be able to spot an executable file and know not to run it. Ideally, work together to draw up a list of acceptable file formats for résumés and work samples, and include that information in listings for bona fide applicants.

Last but by no means least, adhere to basic security practices: Update software on HR computers in a timely manner, maintain a strict and easy-to-follow password policy (no weak or duplicate passwords for internal resources; change all passwords regularly), and on every machine install a security solution that responds promptly to new threats and identifies attempts to exploit vulnerabilities in software.