Keep Cyberspies Out
Here’s how HR can safeguard sensitive data and reduce the threat of cybercrime.
By Aliah D. Wright 7/1/2013
They lurk in a sea of online data - these anonymous cybercriminals - trying to reel in a big fish: you.
You're the unsuspecting HR professional who sits atop a treasure trove of information - Social Security numbers, addresses, electronic health records, strategic plans, trade secrets - that can help criminals in their quest to profit from stolen data.
It's getting harder to protect data from cybertheft. Security experts say three developments since early 2012 have led to an increase in hacker attacks:
- The ease of using online "social engineering" techniques - taking advantage of human characteristics such as curiosity, helpfulness or greed - to trick and exploit people. Perpetrators often find victims through publicly identifiable information and then attempt to access sensitive corporate data through those individuals.
- A shift to using mobile devices - a Wild West of security vulnerability.
- An increase in the use of cloud-based services, which can have security holes.
Theft of corporate information threatens organizations of all sizes, and many are unprepared to detect or resolve such losses, according to the Ponemon Institute LLC, a research and consulting company in Traverse City, Mich., specializing in data security.
In The Post Breach Boom, a report released in February that reflects the responses of 3,500 information technology security professionals surveyed by Ponemon, 54 percent of the respondents said data breaches had increased in severity during the past two years. Another 52 percent said breaches had become more frequent.
Moreover, 45 percent of chief executive officers said their companies experience cyberattacks daily or hourly, according to Ponemon's nationwide 2012 study, The Business Case for Data Protection.
Determined Cyberthieves Use Many Tools
Data breaches often involve multiple techniques, according to the 2013 Data Breach Investigations Report, an analysis of more than 47,000 security incidents from Verizon Communications Inc.:
- 76 percent of network intrusions exploited weak or stolen credentials, such as usernames or passwords.
- 40 percent incorporated malware - malicious software, script or code used to steal information.
- 35 percent involved physical attacks, such as ATM skimming.
- 29 percent leveraged social engineering tactics, such as phishing.
Cyberattacks are typically outside jobs. In a 2013 analysis of more than 47,000 security incidents, Verizon Communications Inc. researchers found that "external attacks remain largely responsible for data breaches, with 92 percent of them attributable to outsiders." These attacks came from organized crime, activist groups, former employees, lone hackers and even organizations sponsored by foreign governments, according to the 2013 Data Breach Investigations Report.
"There isn't just one type of criminal operating online. It's a robust, complex and very healthy ecosystem composed of many different types of attackers, all looking for different things to buy and sell," says Eric M. Fiterman, founder of Spotkick, a Washington, D.C.-area cybersecurity company.
"Today's spies no longer need to sneak in anywhere with a microfilm camera under the cover of darkness. They do their spying job without ever leaving the comfort of their high-tech offices," says Michael Burtov, CEO of Cangrade, an applicant tracking and assessment company in the Boston area.
HR professionals must be vigilant when it comes to protecting their organizations from this new breed of cyberthieves.
"I work closely with our IT administrator to make sure that we're protecting the integrity of our data," says Ben Eubanks, PHR, HR manager for Pinnacle Solutions Inc., an aviation training and logistics support company in Huntsville, Ala. The company is a government contractor, and "data security is highly important to our business," he says.
Information gained in cyberattacks can be used to perpetrate identity theft; commit espionage, financial crimes or insurance fraud; or circulate false information. The potential harm of such crimes was apparent this spring when someone hacked the official Twitter account of the Associated Press and tweeted falsely that President Barack Obama had been injured in an explosion at the White House, which led to wild swings in the stock market.
Phishing for Access
Experts say online social engineering poses one of the greatest risks to companies whose information resides on servers or mobile devices or in the cloud. According to the Verizon analysis of security incidents, the proportion of breaches incorporating tactics such as phishing - the practice of tricking users into clicking on a link presented as that of a seemingly legitimate website - was four times higher in 2012 than in 2011.
Social engineering attempts hinge on fooling people into believing they're going to benefit in some way or prevent a negative consequence by clicking on a link or divulging confidential personal or proprietary information.
For instance, a hacker may breach a network and learn that an employee has high health care costs. The hacker could then create an e-mail that looks like it comes from the employee's physician and reads something like, "I need you to come to our office ASAP. Our recent scans show something I need to discuss with you. Click here for an appointment," says Stu Sjouwerman, CEO at KnowBe4 LLC, a network security firm in Clearwater, Fla. The target might think, "Oh, my God! Do I have cancer?" and then click on a link that could put the company's sensitive HR data at risk.
That's because tracking programs - keystroke loggers, Trojans, worms, cookies, adware, viruses and malware - can be introduced when a user clicks a link.
Alfred Saikali, an attorney and co-chair of Shook Hardy & Bacon's Data Security and Data Privacy Practice Group based in Miami, says criminals are targeting three types of data:
- Personally identifiable information such as name, Social Security number, financial information, driver's license information and date of birth.
- Sensitive proprietary information such as trade secrets.
- Health data such as medical records and other information protected under the Health Insurance Portability and Accountability Act.
"Sometimes, the easiest way into a company's network is through its people," says Fiterman, a former FBI agent. "The more information I can identify about people in an organization, the easier it makes my job as an attacker. I can use intelligence gathered from social networks, for example, to send highly targeted e-mails with malicious links or attachments to high-value targets" such as CEOs.
"An employee's employment history, any derogatory or personal information, financial information, or personally identifiable information all have value to someone," Fiterman adds.
A stolen medical identity has a $50 street value, whereas a stolen Social Security number sells for only $1, according to Kirk Herath, chief privacy officer at Nationwide Mutual Insurance Co. Yet most people don't protect their medical information as diligently as they protect their Social Security number.
Mobile Security Challenges for HR
Despite repeated warnings and reports about data breaches, employers continue to fail miserably when it comes to protecting employee data and corporate information, experts say. Many organizations put themselves at risk by allowing employees to take unencrypted data out of the office on devices such as cellphones, laptops and tablet computers. In addition, myriad apps that allow employees to work remotely can increase cybertheft risks. "Many of these apps will remember IDs and passwords, therefore placing personal and company data at risk if the device is stolen or misused by others," says Gregory Rogers, SPHR, vice president of human resources for GS1 US, an information standards organization based in Lawrenceville, N.J. The possibilities of proprietary information ending up in the wrong hands are endless, he says, and can lead to "payroll and identity theft, retirement plan/401(k) manipulations, medical plan fraud, inappropriate company intranet access, and company data theft - all through the use of mobile apps."
"Caution employees to always use a password to access their mobile devices, particularly if these devices provide access to company sites," Rogers says. "Employees should also be cautioned not to store ID and password information on the device or have the device 'remember' this information."
Mobile Security Tips
Alex Bobotek is co-chairman of the Messaging, Malware and Mobile Anti-Abuse Working Group, a global organization based in San Francisco that targets messaging abuse, and the lead for messaging anti-abuse architecture and strategy at AT&T Labs. To decrease threats from mobile devices, he suggests HR professionals make sure employees:
- Install a mobile anti-virus product from a leading vendor. Many are free.
- Download applications only from reputable application stores. Don't download apps from unknown sources such as unofficial app stores or the Internet.
- Realize that even if an app comes from a reputable app store, it may not be safe. "Some have hidden Trojans that can cost you money or steal your information," Bobotek points out.
- Consider any communication to be suspicious - whether in an e-mail, text message or in-phone ad - that asks you to download an application.
- Treat as suspicious any notification of a problem with an account that requests a phone call or a visit to a website to provide account information.
- Report spam and other unwanted text messages by forwarding them to 7726 (the numbers that spell out "spam" on a phone keypad). The reports go to the GSMA, an association of mobile communications providers, which relays the information to providers.
Ponemon reports that 68 percent of companies allow employees to use their own devices in the workplace. Sixty percent of employees, however, circumvent their devices' security features by ignoring warnings not to click on links or failing to download security software.
A bring-your-own-device policy, "from a security perspective, is a rat's nest," Sjouwerman says. Business leaders who support BYOD policies should limit the types of devices they support, he says, noting that Apple devices are more secure than Android devices, for instance. "Using enterprise mobile device management software can help companies manage the degree to which employees can access corporate networks," he adds. With such software, HR and IT staff members can secure, monitor and manage mobile devices that access the company's systems.
Cristian Florian, project manager with GFI Software in Cary, N.C., adds that "some managers may choose to deploy separate wireless networks, to be used by mobile devices, [that] do not allow full access to company IT resources, such as virtual private networks and databases."
Experts note that users are downloading a host of social networking, financial and productivity apps to mobile devices and that malware threats are increasing apace. "There is an enormous growth in malware for mobile devices," Sjouwerman says.
"Over 100,000 new [malware] variants are created on a monthly basis, which makes detecting them very difficult," says James Bower, founder and CEO of Ninja Technologies, an information security company in Atlanta.
Users can thwart infection of their devices by purchasing apps directly from retail outlets such as iTunes, Google Play or BlackBerry World. In fact, when fashioning a mobile device policy, HR professionals may want to consider requiring employees to buy apps from reliable vendors - but it's probably only a matter of time before those apps, too, are compromised.
How to Make Your Data More Secure
Members of the Society for Human Resource Management's Technology & HR Management Special Expertise Panel identified several best practices HR professionals, along with IT professionals, should follow to keep data secure.
- Use firewalls and virus protection software.
- Establish and enforce a variety of password policies. For example, don't allow everyone to have the same level of access to certain types of information. Restrict network access for departing employees.
- Use encryption software.
- Make sure backup systems are in place, and have onsite and offsite storage, in case of an attack.
- Make sure employees log off or lock computers when not in use.
Other threats facing mobile devices include the low-tech danger of their being lost or stolen.
Sjouwerman says employees should be required to contact HR if a device goes missing. If the device is lost or stolen, it should be locked and its contents deleted as a security precaution.
HR professionals should make sure their companies' IT departments have policies "governing the use of mobile devices," Fiterman adds. "Standard guidance usually states, 'Have a password on the device, don't use it for sensitive data storage, and encrypt data when possible.' "
The Air Up There in the Tech Clouds
IT experts say HR data hosted by a third party in the cloud is only as safe as the provider hosting it.
Traditionally, companies have been responsible for securing their own data, says Dave Dalva, vice president at Washington, D.C.-based Stroz Friedberg LLC, a security risk consulting and investigations company. But when data are moved to the cloud, the process results in "a dissolving security perimeter," he notes.
HR leaders need to make sure their vendors have conducted "an appropriate security analysis of their cloud environment so they're not putting their customers at risk," Dalva says, "especially if they have multiple customers with data residing in the same cloud environment. There needs to be a separation of customers' information to prevent cross-pollination."
Cloud providers, he says, "need to do the technological due diligence to make sure their systems are meeting best practices for security."
Due diligence includes making sure "the cloud provider's security requirements are certified by recognized authorities such as the International Standards Organization on Data Privacy and Protection," says Paul Belliveau, SPHR, managing director and global human capital management advisor at Avancé-Human Capital Management in Bedford, N.H. Good cloud providers will also have protocols for keeping data secure, such as encrypting files or spreading the data out among different systems.
"Cloud computing is only increasing in scope. And it's critical that companies invest in cloud partners with the highest level of backup and data encryption services," says Shari Missman Miller, business manager at NogginLabs Inc., a custom e-learning software developer based in Chicago. Miller manages the company's human resources. The Cisco Global Cloud Index (2011-2016), issued in 2012, predicts that cloud traffic as a percentage of total data center traffic will increase from 39 percent in 2011 to 64 percent in 2016.
Experts suggest that HR leaders might want to consider storing really sensitive HR data in-house. The data that falls into this category depends on what's most important in a company's business, Belliveau says. "Is it pay structures or strategies that deal with human capital? You want to bring that in-house so you're not sharing it," he explains.
Keys to Planning Data Protection
Having a data security plan is critical. "Plan for the inevitable," including theft and loss, Dalva says.
Miller agrees, adding, "There isn't really any way to completely guarantee the safety of corporate data."
HR and IT professionals can reduce the possibility of an attack by making sure software for routers, wireless devices, printers, laptops and desktops is current and patched when necessary. "In more than 90 percent of cases, keeping systems up-to-date would have avoided a security breach," says Florian of GFI Software.
HR and IT professionals also need to know where network vulnerabilities exist to decrease the probability of a breach. This includes being aware of how people access and transmit corporate data and recognizing that a virtual private network (VPN) is more secure than a standard Internet connection.
Systems security audits - reviewing applications, quizzing employees, scanning for security vulnerabilities - should be conducted for all those who access HR data, including third-party sources, says Belliveau, a member of the Society for Human Resource Management's Technology & HR Management Special Expertise Panel.
Miller advises HR leaders to focus on prevention and training and to ensure that employees "follow strict security directives when handling data, especially in mobile platforms."
"Policy, procedure and security awareness training is essential," Florian adds. It's HR's job to create a policy and to be "instrumental in making sure that policy is applied. From the onboarding process through annual security awareness trainings, employees need cybersecurity training."
One way to protect your organization: Train employees to think critically before they click on e-mailed links. Simple skills, such as knowing that hovering your mouse over the link will show the link's destination, can go a long way toward preventing infection, Florian says. The more employees know about the risks, the more secure data will be.
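The hover check Florian describes compares what a link says with where it actually goes. The following Python script is an added example, not from the article or from any company it names, that automates that comparison over an HTML e-mail body: it flags links whose visible text names one domain while the href points to another, and links whose destination is a bare IP address. The e-mail body is constructed for the example; example.com, example.net and 203.0.113.7 are reserved documentation names and addresses, and the exact-host comparison is a deliberate simplification (a production filter would compare registrable domains and handle redirectors).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not a real message). The first link shows one
# domain to the reader but sends them to another; the second goes to a bare IP.
SAMPLE_EMAIL_HTML = """
<p>Your benefits enrollment is incomplete and will be cancelled today.</p>
<p>Sign in at <a href="http://benefits-portal.example.net/login">https://hr.example.com/benefits</a>
to confirm.</p>
<p>Forgot your password? <a href="http://203.0.113.7/reset">Reset it here</a>.</p>
<p>Questions? See the <a href="https://hr.example.com/faq">FAQ page</a>.</p>
"""

# A domain name appearing in the visible link text, with or without a scheme.
DISPLAYED_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so the visible text reads as the user sees it.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def find_deceptive_links(html):
    """Return findings for links whose visible text disagrees with their destination."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        destination = (urlparse(href).hostname or "").lower()
        shown = DISPLAYED_DOMAIN_RE.search(text)
        if shown and shown.group(1).lower() != destination:
            findings.append({"text": text, "href": href,
                             "reason": f"text shows {shown.group(1).lower()} but link goes to {destination}"})
        elif IPV4_RE.fullmatch(destination):
            findings.append({"text": text, "href": href,
                             "reason": f"link goes to a bare IP address {destination}"})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: '{finding['text']}' -> {finding['href']} ({finding['reason']})")
```

Run as-is, the script reports the first two links and passes the FAQ link, which is the same judgement an attentive user reaches by hovering. The value of automating it is that the check runs on every message, including the ones that arrive after the training session has been forgotten.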
Verizon reports that 97 percent of breaches "were avoidable through simple or intermediate controls," such as by training employees not to click on suspicious links and by changing administrator passwords or making them more secure.
HR and IT professionals should make sure password policies are well-enforced, recommends Sorin Mustaca, a security expert and vice president of product development with Avira Operations GmbH & Co. KG, a data security company based in Germany. "Many users are simply unaware how simple their passwords are and that they are endangering the entire company" if a password is guessed by a hacker. Two-factor authentication should be required on systems that handle customer data, he says. With this method, the user provides a keyword or other special knowledge that proves he or she has the right to access sensitive data.
Requiring employees to access corporate data only over VPNs instead of using free Wi-Fi hot spots, or using a security token that generates one-time passwords to provide an additional layer of identity protection, can also help, experts say.
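The security token that "generates new passwords" is, in most deployments, a time-based one-time password generator of the kind specified in RFC 6238, which is also what the two-factor authentication Mustaca recommends usually relies on. The following Python is an added illustration, not from the article or from any vendor it names, of how such codes are computed and checked. The shared secret is the published test secret from RFC 4226 and RFC 6238, used here only because its expected codes are documented; a real enrollment generates a random per-user secret. The one-step tolerance for clock drift is an assumption of this example, not something the article specifies.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors. A real deployment
# generates a random per-user secret at enrollment and stores it protected.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to 31 bits and reduced to the requested number of digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the number of elapsed time steps."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret, candidate, unix_time, step=30, digits=6, window=1):
    """Accept a code that matches the current step or one step either side (clock drift).
    The comparison is constant-time so a rejection does not leak how many digits matched."""
    counter = int(unix_time // step)
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    print("accepted now:", verify_totp(RFC_TEST_SECRET, code, now))
    # The same code is worthless two minutes later, unlike a stolen static password.
    print("accepted two minutes later:", verify_totp(RFC_TEST_SECRET, code, now + 120))
```

The point for the policy discussion above is visible in the last two lines: a code phished or shoulder-surfed today cannot be reused tomorrow, which is what makes the token an extra layer rather than a second static password. A server that verifies codes should additionally remember the last counter value accepted for each user so that a code cannot be replayed within its own window, and should rate-limit attempts so the six-digit space cannot be searched.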
A strong data security plan and effective training aren't always enough.
"If I send one e-mail, I've got about a 25 percent chance that somebody is going to click on a link in that e-mail. If I increase that to six e-mails, I've got an 80 percent chance that someone will click on that link," says Chris Porter, co-author of Verizon's 2013 Data Breach Investigations Report and managing principal for Verizon's Risk Team. "Even with training, people will still click on dubious links."
Experts say there was a time when installing anti-virus protection on all computers was sufficient to prevent breaches, but not anymore.
"All it takes is one simple mistake for an attacker to find and exploit," Fiterman says, noting that attackers are highly motivated and working 24/7. "So there's no simple answer, other than understanding that malicious action is inevitable. Plan, plan, plan."
Aliah D. Wright is an online editor/manager for SHRM and author of A Necessary Evil: Managing Employee Activity on Facebook, Twitter, LinkedIn... and the Hundreds of Other Social Media Sites (SHRM, 2013).