Stepping Up Internal Communications to Manage Threats
Awareness of cybersecurity within corporations has increased quickly, but it still has a long way to go.
Changes in legislation, including GDPR, have forced companies to disclose data privacy breaches promptly. The resulting steady stream of breach news has caught the attention of the C-suite and pushed many organisations to adopt stricter handling and classification policies for personally identifiable information (PII).
Unlike the more technical corners of IT, HR teams sit at the heart of this battle because they touch every employee, yet many are still not fully aware of the vital role they have to play.
● Employees at every level of an organisation are potential targets, and a point often not appreciated is that a junior employee's mailbox or workstation is as useful to an attacker as a senior one's. Once a threat actor has a foothold through that employee, the aim is to move laterally through the connected internal systems, using known vulnerabilities and tooling readily obtained from the Dark Web, until the higher value data assets are reached. Attacking servers directly is less attractive for most threat actors because of the higher cost, the skills required and the protections that are more likely to be in place there.
● Organisations in Hong Kong are particularly exposed because of geographic location and because the territory is a global financial hub with a constant flow of cross-border transactions, which makes fraudulent payments harder for anyone to spot quickly.
Two broad types of cyber-attack are typical against employees:
● An opportunistic, scattergun approach, where the threat actor encrypts whatever data it can reach and then demands one or more ransom payments for the decryption key.
● A highly specific, orchestrated campaign aimed at diverting funds, for example through a simple-looking request to change a supplier's or employee's contact and bank account details to an account controlled by the threat actor.
A successful breach is often followed by a second or third if the systems remain vulnerable to the same style of attack. These follow-on attacks can be spaced months apart, which gives a false sense of security if the underlying weakness was never fully fixed.
Work-from-home (#WFH) initiatives have further extended the attack surface available to threat actors, and the problem was made worse by how suddenly the change arrived, leaving little time to think through the practical security aspects.
Because HR sits within a functional organisational structure, general employees have not always been fully briefed on the vital cybersecurity role they play. Specifically, every employee needs to pause and think before opening an attachment or clicking a link in an email.
Cybersecurity awareness needs to be ingrained across the organisation and reinforced for particular functions and processes, such as employee and vendor onboarding. Within finance, for example, special situations such as a change of supplier or employee bank details, or a request for a new payment routing, should each trigger additional verification steps before the request is acted upon. (See the Contextual Notes below for example pre-click checks that employees and finance staff can carry out.)
However, where the potential reward is high, threat actors will invest far more in the attack. This can include intercepting the validation callbacks mentioned above, which is why a callback must go to a number already held on file and never to one supplied in the request itself. More recently, though still rare, attackers have used AI (artificial intelligence) to generate realistic audio and/or video impersonating staff within the target company, so that the deception holds up even on the callback.
Threat actors put more work into these higher value payment frauds, especially once an attack type is proven to work, and news of any success spreads quickly on the Dark Web. They specifically target regional treasury functions, large outgoing cash movements of any kind such as large deposits or executive bonuses paid at predictable times of year, and supply chains where supplier and payment details change so frequently that a single change request does not, on first inspection, arouse any suspicion.
Core HR system processes need to be designed end to end with cybersecurity in mind. In practice there is a push and pull in any corporate entity as different parts of the global organisation bring together different but complementary domain skills, and this matters more than ever because cyber skills are in such short supply worldwide.
Those skills are typically spread across global, regional and local levels of HR, finance and IT, and across a number of dedicated security and compliance teams, including red (offensive) and blue (defensive) teams. Drawing on all of them is what ensures security is built into the process end to end. This is an ongoing activity rather than a one-off exercise; see the example cyber scoping list in the Contextual Notes below.
That sounds daunting, but it is critical: HR touches everyone in the organisation throughout each employee's life cycle, so due diligence and care need to be applied and reinforced on a rolling basis, especially as new functionality and depth are continually added, for example within Employee and Management Self Service systems (ESS/MSS). In other words, reinforcing cyber responsibilities is itself an ongoing responsibility, and one that will grow in breadth and depth over time, as the #WFH experience above has shown.
Two further examples illustrate how things change as corporates move to a digitally interconnected world, compared with HR systems being used in isolation. The first is where HR data and financial data are reviewed together, in context with one another, for ongoing workforce planning and for operational metrics within and across multiple entities. The second is APIs: Open Banking APIs, for example, are being enabled for local, regional and global payroll and treasury functions, and while they give a corporate greater transparency, speed and agility in cash management, they also open up risks that need to be managed. APIs are increasingly used in other HR areas as well, such as onboarding and employee development, so a broad systems-integration skills base within your vendor is a prerequisite for success.
HR continues to expand its role and is increasingly seen as pivotal to the success of an organisation. Its importance will keep growing, from the hopefully short-term handling of social distancing in operations today to the longer-term drive to combine HR and financial data sets for workforce planning and value creation. All of this must be handled with a companywide cybersecurity mindset that HR constantly reinforces, because HR is uniquely placed to repeat that messaging throughout an employee's lifecycle in the organisation. It is important to get right!
Contextual Notes for Sharing
● Example Pre-Click Steps for Staff. Look closely at the sender's address to check that it matches the displayed sender name and the expected domain (watch for look-alike spellings); assess how the email is written in terms of spelling and the jargon used; compare it with other emails received from the same company to judge whether it is authentic; and, where appropriate, phone the sender directly using a number you already have rather than one given in the email. Structured software solutions for these checks are available from cybersecurity vendors.
● Example Pre-Click Steps for Critical Financial Data Change Requests. A deeper review of the email addresses used in past correspondence, including their structure; a detailed review of historical transaction frequencies and payment amounts against what is now being requested; a check of the contact names used; and, most importantly, a validation phone call to a reference number already held on file, never to a number supplied in the change request. Structured software solutions are available from cybersecurity vendors.
● Example Cyber Scoping for HR Deployments: zero trust operational frameworks; multi-cloud support so that the storage location of PII complies with local laws and regulations (i.e. thinking through the logical, legal and practical aspects of data location, including the permitted use of biometric data); testing mobile apps, both iOS and Android, against the OWASP mobile application security standards, particularly for the handling of attachments; Single Sign On (SSO); Multi Factor Authentication (MFA); encryption of data at rest and in transit; Data Loss Prevention (DLP); HTTPS and web server (e.g. IIS) hardening; permitted IP ranges for remote workers' access to the corporate network; Mobile Device Management (MDM) to remotely wipe work-related data from lost phones; and backup and restore functions, particularly the often overlooked need for a fail-safe offline backup to recover from ransomware. Lastly, a working knowledge of the Cyber Incident Response Plan, so that in the event of a breach the response can start without delay.
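Several of the sender checks in the two Pre-Click notes above can be applied mechanically to an email's headers before anyone opens an attachment. The Python script below is an added example and not code from the original article: the contact directory, all domain names and the three sample messages are constructed for illustration, and the confusable-character list is a deliberately small one.

```python
"""Header-level pre-click checks for an inbound e-mail (added illustration).
The contact directory and the three messages are constructed; none are real."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Set

# Hypothetical directory: legitimate sender domains and the display names seen from each.
KNOWN_CONTACTS: Dict[str, Set[str]] = {
    "acme-supplies.com": {"Jane Lee", "Accounts Payable"},
    "examplecorp.com": {"Finance Team", "CEO Office"},
}

# Phrases that signal a payment-routing change. These always require a callback to a
# number already on file, even from a known sender, because the mailbox may be compromised.
PAYMENT_CHANGE_TERMS = ("bank details", "new account", "payment instructions", "beneficiary")

# Character swaps commonly used to build look-alike domains (small illustrative list).
_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Collapse visually confusable characters so a look-alike maps onto its target."""
    d = domain.lower()
    for frm, to in _CONFUSABLES:
        d = d.replace(frm, to)
    return d


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def pre_click_checks(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means no header-level red flags."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)

    # 1. Display name is one we associate with a known domain, but the address is elsewhere.
    for dom, names in KNOWN_CONTACTS.items():
        if from_name in names and from_dom != dom:
            findings.append(f"display name '{from_name}' is known from {dom} but address is {from_addr}")

    # 2. Display name is itself an e-mail address whose domain differs from the real sender domain.
    if "@" in from_name and domain_of(from_name) != from_dom:
        findings.append(f"display name shows {from_name} but mail actually comes from {from_dom}")

    # 3. Unknown domain that collapses onto a known one after confusable substitution.
    if from_dom and from_dom not in KNOWN_CONTACTS:
        for dom in KNOWN_CONTACTS:
            if skeleton(from_dom) == skeleton(dom):
                findings.append(f"look-alike domain {from_dom} resembles {dom}")

    # 4. Replies are silently redirected to a different domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 5. Payment-routing change language: a callback to the number on file is mandatory.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [t for t in PAYMENT_CHANGE_TERMS if t in text]
    if hits:
        findings.append(f"payment-routing change requested ({', '.join(hits)}): verify by phone to number on file")

    return findings


# Constructed sample messages (not real mail).
LEGIT_MAIL = (
    'From: "Jane Lee" <jane.lee@acme-supplies.com>\n'
    "Subject: Invoice 4471 for March\n"
    "\n"
    "Hi, please find the March invoice attached. Regards, Jane\n"
)

LOOKALIKE_MAIL = (
    'From: "Jane Lee" <jane.lee@acme-supp1ies.com>\n'
    "Reply-To: <ap.acme@freemail.example>\n"
    "Subject: Updated bank details for future payments\n"
    "\n"
    "We have changed banks. Please update our payment instructions before the next run.\n"
)

NAME_SPOOF_MAIL = (
    'From: "ceo@examplecorp.com" <notifications@random-host.example>\n'
    "Subject: Quick favour\n"
    "\n"
    "Are you at your desk? I need a transfer processed today.\n"
)

if __name__ == "__main__":
    for label, mail in (("legit", LEGIT_MAIL), ("look-alike", LOOKALIKE_MAIL), ("name spoof", NAME_SPOOF_MAIL)):
        print(label, pre_click_checks(mail) or ["no header-level red flags"])
```

Run as a script it prints the findings for each sample. The look-alike message trips four checks at once (known display name on the wrong domain, a confusable domain, a redirected Reply-To and bank-detail change language); the name-spoof message trips only the display-name-as-address check, which is exactly the case where a human glancing at the name alone would be fooled. None of this replaces the validation phone call; check 5 exists to make sure that call is never skipped.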