Why tech is important for protecting HR data

In terms of data value for hackers, HR data is the jackpot.

It provides hackers with a wealth of personal information, including names and addresses, tax file numbers, banking data, pay and super details. It can also reveal driver's licence/identity information, health issues and Medicare/private health insurance information, marital status, next of kin details, educational achievements, referee contact details, and often biometric and profiling data, to mention a few. There is enough data to create a complete (fake) identity or several.

With HR data, hackers can create a complete spider diagram of an employee, making it much easier to perpetrate their nefarious schemes and identity fraud undetected. In short, HR data is a hacker's lottery win. On steroids.

A single ‘passive crawler’ can sit quietly in the HR data system and syphon off a few nominal dollars per pay packet from each employee for ‘super payments’ or something else that looks legitimate. A passive crawler is a scan that involves navigating around an application (such as HR software and data), following links, submitting forms, and logging in where necessary. They can sit there quietly accumulating data and passwords for months, slowly getting greater access to more information. The average dwell time passive hackers sit lurking in a system is 229 days, and odds-on there’s someone reading this article whose business will be currently compromised without their knowledge.

Often, they gain initial access through an inadvertent employee action. Hackers are adept at mimicking well-known HR software platforms (I won't name names here), and it might be as simple as an employee email asking them to log in and make a minor change to their details to give hackers access. From there, it's like a game of Snakes and Ladders, with hackers gathering more data and passwords, to provide them with increased access rights until they collect everything they need to win the game.

The consequences for HR leaders are immense. There's a loss of faith in the HR function, the custodians of employee data (HR) who could not protect it, and erosion of employee trust and morale in the broader business. It further creates massive compliance issues for the company, not to mention the implications for individual employees who will need support to replace key identity documents and financial counselling.

How to use tech to protect your employee data

It's impractical to revert to old-school filing cabinets and manila folders; frankly, the world has moved well beyond that point, so technology is the key to protection. Fight fire with fire.

Network monitoring software is a must for any company. As HR leaders are not necessarily IT gurus, it's something that the tech team and Chief Cyber Security Officer (CCSO) should manage, with HR as evangelists for the cause. Network monitoring allows you to monitor network access, routers, firewalls, and switches, and analyse KPIs like CPU data.

A Tripwire is also a good idea. It's a security and data integrity tool for monitoring and alerting specific file change(s). A tripwire enables you to see which files are being accessed or moved. Are there chunks of static data you can see being accessed or moved to other parts of the server?

Implement a removable media policy, which restricts the data that employees can remove from the system with an external hard drive or USB. It has additional advantages in protecting your CRM and other databases from being harvested by disgruntled employees or salespeople who may be leaving the company. Internal actors can also be a threat to your data.

Ensure you control access to your most sensitive employee data. Data should be segmented and password-controlled access granted to those on a ‘need-to-know’ basis.

Speaking of password control, one of the most prevalent ways hackers enter a company's system is with a seemingly authentic email from HR linking employees to a fake version of the HR platform and asking them to change their passwords. The fake HR note might even cheekily mention that the change is required due to cybersecurity concerns. How can the real HR team cut through with its messages on password control if one of the most significant problems is fake emails from HR? I always recommend my clients install Multi-Factor Authentication, which most people probably already do on their banking apps. It reduces risk and makes it harder for hackers to scam.

I also recommend that businesses engage an external cybersecurity consultant to undertake a penetration test at least once a year. The consultant will mimic a hacker's actions to try and gain access to the company's most sensitive data and then advise on additional security measures.

As I mentioned in my previous article, everyone in your organisation must be part of your cybersecurity team. While HR is responsible for creating that culture, it must also have buy-in from the board, C-Suite and senior managers and down. Part of your internal communication strategy needs to highlight the implications of a cybersecurity breach and ensure the whole team understands how the company will genuinely disseminate information versus how to identify fake messaging.

Ultimately while hackers' use of technology can be your enemy, the only way to effectively combat that is to use technology as your weapon of choice.

Ben Jones is the Managing Director of Continuum Cyber.

Note from the editor: This article has been prepared for informational purposes only and is not to be construed as advice (legal or otherwise).