HR, beware.
New research on cybercrime conducted by internet security specialists Verizon makes disturbing reading for those in HR.
The report found 170 incidents of cybercrime this year, in comparison to 61 incidents last year, and 88 of these specifically targeted HR staff to obtain personal data for fraudulent tax purposes.
HR teams are therefore being increasingly targeted by “phishers”, who are out to trick you into handing over sensitive information about employees.
What is phishing and how can you avoid it?
Still think phishing involves a hook, some bait, and a lazy Sunday afternoon? Well here’s everything you need to know to get you up to speed:
Phishing involves tricking someone into clicking on a malicious link, or responding to a seemingly legitimate request, in an email –usually in order to obtain financial or personal information. It’s the approach thought to have been used by the ‘Russian hackers’ who have leaked the medical records of Olympic athletes.
It’s increasingly popular with cyber criminals, as it’s far easier to trick someone into giving away sensitive information by email, than trying to break through the multiple security layers that surround most modern technology systems.
These emails can appear to come from trusted organisations, and include a link to a bogus website or fake telephone number. Or, you may receive an email that looks as if it comes from someone senior in your organisation, with an urgent request for information, as was the case with Snapchat.
Here are five ways to help you and your HR team avoid being caught out:
1. Be aware
Make sure that any staff handling sensitive information understand both the risks – and their responsibilities. Obviously these extend beyond electronic communications, as a nursing home in Northern Ireland recently discovered. They were fined £15,000 by the Information Commissioner’s Office for “systematic failings” following the theft of an unencrypted laptop containing personal information about employees and patients from an employee’s home.
If you don’t have data security training in place, start it now, and make sure that it’s refreshed on a regular basis. GOV.UK lists some useful free online training courses to help business protect against cyber threats and online fraud – check them out here.
2. Never take emails at face value
If you get an email asking for any employee-related information, always check that it’s valid. There is never any harm in contacting the sender – using an independently-validated telephone number or email address. Don’t reply to phishing attempts despite the urge to. Chances are you will only get more.
3. Report it
If you think you’ve been phished, let your IT team know. They can check to see whether the email is genuine and, if not, block the domain that the email came from, as well as keep an eye out for any other suspicious activity. Warn the management team, other colleagues in HR or finance and, if relevant, external providers such as your payroll service, so they can be on the lookout too.
If the scam looks as if it’s coming from one of your partners or a major institution, report it to them. Most have sections on their website with advice about what to do.
4. Share and store safely
If you do need to share sensitive information by email, make sure it’s protected at every point of its journey. Spreadsheets are notoriously easy to hack, even when password protected, so don’t email spreadsheets (or any other documents) containing sensitive information, in the clear. Use an end-to-end encryption service, and don’t store HR data on un-encrypted laptops or other devices that could get lost or stolen.
5. Use secure HR systems
If you have the option to share data via a secure HR system, like Cezanne HR, you may be able to avoid the need to send sensitive information by email, altogether. Cezanne HR’s roles-based security allows you to decide who can view and/or edit different types of information (such as contact information, salary history or performance review). In addition, ‘restricted’ security roles can be defined for third parties – such as payroll providers – so they can access the relevant data directly from the system. Not only do you avoid the risk of sharing information by email, but the data will be up-to-date too.
Read more about how Cezanne HR helps you keep your HR data safe here.
Sue Lingard
Sue studied Personnel Management at the London School of Economics before taking on management roles in the travel, recruitment and finally HR software industry. She's particularly interested in how technologies enable HR teams - and the people they support - to work better together.