The ability of Iranian cyberattackers to do some serious damage to U.S. systems is not in doubt. They have crippled U.S. cities and businesses with ransomware attacks, malware that encrypts data until a ransom is paid. One question is whether HR security efforts are being deployed to respond to potential threats like this one.
The U.S. is warning of increased peril from Iranian cyberattacks because of recent tensions between the two countries. In general, HR personnel are at greater risk for cyberattacks, according to security experts. HR manages valuable employee information, including payroll, and its employees interact with file attachments from job seekers that can infect a system.
To reduce the risks, some HR departments have stopped allowing employees to make benefit and payroll changes online, said Rahul Mahna, managing director of process, risk and technology solutions at accounting and advisory firm EisnerAmper LLP in Cambridge, Mass.
"They are asking that those [benefit and payroll changes] be made only in-person or directly on the phone with the person," Mahna said. He called it a new HR security trend that emerged last year among some "forward-looking" departments, prompted by the near-constant attacks on business systems.
HR departments "are actually eliminating IT out of the mix and saying this should be done in a traditional manner where we can validate that this is a real person," Mahna said. Hackers often use fake emails to seek changes in an employee's direct deposit, he said.
HR responses to threats
But HR departments aren't eliminating IT completely. HR is also seeking more training from IT on how to guard against phishing attacks, Mahna said.
HR departments also have shared responsibility for protecting the company, which includes engaging employees on security issues.
Iranian-based hackers have already proven their skills. From 2015 to 2018, two hackers used a ransomware attack against some 200 victims. The cities of Atlanta and Newark, N.J., as well as hospitals and businesses, were among those hit.
The Iranian cyberattacks crippled IT systems. Users could not access data, and the hackers collected more than $6 million in ransom payments, according to a federal indictment filed in late 2018. More than $30 million in damages resulted from lost data.
HR's broader security role is to work with IT and help build awareness of threats and risks on a continuing basis, said Kayne McGladrey, a cybersecurity professional and member of the Institute of Electrical and Electronics Engineers Inc.
HR needs to communicate the risks to employees, McGladrey said. "Training is meaningless unless people actually know there's a problem," he said. He is also director of security and IT at Pensar Development, an industrial design firm in Seattle.
McGladrey pointed to a new Forrester Research report that found 48% of all data breaches happen because of insiders. Almost half of those breaches are accidents.
Indeed, McGladrey advocated for "persistent engagement" with employees on cybersecurity risks as well as testing. Testing can include fake phishing attacks to see what "your users are susceptible to," he said. The IRS has warned that phishing attacks are a top HR threat.
HR can act before IT
If HR is concerned by the potential for Iranian cyberattacks, it doesn't have to wait for IT to take the lead, argued Will Mendez, director of CyZen, a security consulting firm that's part of New York-based Friedman LLP, an accounting and consulting firm.
HR departments can ask IT if they should be "doing something special to protect [themselves]," Mendez said.
He said he believes cybersecurity training should be continuous and include efforts to "make sure security is top of mind," such as through reminders and posters.
HR and IT should be teaming up and using each other's strengths to improve security, particularly on training employees, Mendez said.
Matthew Burr, who runs HR consulting firm Burr Consulting in Elmira, N.Y., believes that HR needs to do a lot more work with IT on security.
"HR people don't understand technology, in my opinion," Burr said. "They understand the bare minimum from an HR perspective.
"I don't think that they truly understand or partner as well as they should with the IT department," he said.