Channel: HR news, jobs & blogs | Human resources jobs, news & events - People Management

Why HR should be worried about phishing – and how to guard against it

Thefts of personal data are on the rise, and HR is the first line of defence, writes Sue Lingard

Phishing involves tricking someone into clicking on a malicious link, or responding to a seemingly legitimate request, in an email, usually with the goal of obtaining financial or personal information.

These attacks are on the rise, according to the UK government’s 2015 Information Security Breaches Survey, with half of all organisations surveyed attributing the cause of their worst single data breach to inadvertent human error.

And it’s HR’s credibility that’s on the line here, as a few high-profile cases have demonstrated. Data storage firm Seagate is facing legal action from employees after HR was duped into handing over forms containing social security numbers, salaries, addresses and other personal information. Social media titan Snapchat was forced to apologise to employees earlier this year when a member of its HR team handed over payroll data to a phisher in response to what appeared to be an urgent email from the head of the company.

Phishing emails can appear to come from trusted organisations – like HM Revenue and Customs – and include a link to a bogus website or fake telephone number. Or, you may receive an email that looks as if it comes from someone senior in your organisation, with an urgent request for information, as was the case with Snapchat.

It’s an increasingly popular technique with cybercriminals because it’s far easier to trick someone into giving away sensitive information than to try to break through the multiple security layers that surround most modern computer systems. Here are five simple steps you can take to make sure your HR team isn’t caught out.

1. Be aware

Make sure that any staff who handle sensitive information understand the risks and their responsibilities. These extend beyond electronic communications, as a nursing home in Northern Ireland recently discovered – it was fined £15,000 by the Information Commissioner’s Office for ‘systematic failings’ following the theft from an employee’s home of an unencrypted laptop containing personal information about employees and patients.

If you don’t have data security training in place, start it now, and make sure that it’s refreshed on a regular basis. The CIPD offers a free online course, Cybersecurity for HR professionals.

2. Never take emails at face value

If you get an email asking for any employee-related information, always check that it is valid. There is never any harm in contacting the sender, even if it’s a terse message from the boss. However, don’t use the contact information provided in the email, and don’t reply to phishing attempts – you will probably only receive more.

Be wary of social media, too. In September, Telegraph Money reported that fraudsters had set up a fake Twitter profile for NatWest and were intercepting customers who were looking for help, encouraging them to hand over personal information.

3. Report it

If you think you’ve been phished, let your IT team know. They can check to see whether the email is genuine and, if not, block the domain that the email came from, as well as keep an eye out for any other suspicious activity. Warn the management team, other colleagues in HR or finance and, if relevant, external providers (such as your payroll service) so they can be on the lookout, too.

If the scam looks as if it’s coming from one of your partners or a major institution, report it to them. Most have sections on their websites with advice about what to do.

4. Share and store safely

If you do need to share sensitive information electronically, make sure it’s protected at every point of its journey. Spreadsheets are notoriously easy to hack, even when password protected. Rather than email attachments, use an end-to-end encryption service. Don’t store HR data on unencrypted laptops or other devices that could get lost or be stolen.

5. Use secure HR systems

If you have the option to share data via a secure HR system, you may be able to avoid sending sensitive information by email altogether. Role-based security lets you decide who can view and/or edit different types of information (such as contact information, salary history or performance reviews). ‘Restricted’ security roles can also be defined for third parties – such as payroll providers – so they can access only the relevant data, directly from the system. Not only do you avoid the risk of sharing information by email, but the data will be up to date, too.
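To make the role-based model above concrete, here is an added Python sketch (example code, not Cezanne HR's or any HR system's own implementation). The roles, the field groups and the sample record are assumptions chosen to mirror the article: a 'restricted' payroll-provider role can read salary data and nothing else, every other access is denied by default, and each decision is recorded for review.

```python
# Added example (not Cezanne HR's code): role-based access to HR record fields.
# Roles, field groups and the record are assumptions mirroring the article: HR
# admins see and edit everything, line managers see contact details and reviews,
# a 'restricted' payroll provider role only reads salary data. Anything not
# explicitly granted is denied, and every decision is logged for later review.

# Field groups the article names; field names are constructed for this example.
FIELD_GROUPS = {
    "contact": {"email", "phone", "address"},
    "salary": {"salary_history", "bank_account"},
    "performance": {"review_2016", "rating"},
}

# What each role may view and edit, by field group (default deny).
ROLE_POLICY = {
    "hr_admin": {"view": {"contact", "salary", "performance"},
                 "edit": {"contact", "salary", "performance"}},
    "line_manager": {"view": {"contact", "performance"}, "edit": {"performance"}},
    "payroll_provider": {"view": {"salary"}, "edit": set()},  # restricted, read-only
}

audit_log = []  # (role, action, field, allowed), kept for later review
def group_of(field_name):
    for group, names in FIELD_GROUPS.items():  # unknown fields belong to no group
        if field_name in names:
            return group
    return None

def can_access(role, action, field_name):
    # Default-deny check: unknown roles, actions and fields all fail.
    policy = ROLE_POLICY.get(role, {})
    allowed = group_of(field_name) in policy.get(action, set())
    audit_log.append((role, action, field_name, allowed))
    return allowed

def view_record(role, record):
    # Return only the fields the role is permitted to see.
    return {k: v for k, v in record.items() if can_access(role, "view", k)}

def update_field(role, record, field_name, value):
    # Write a field only if the role may edit it; otherwise refuse loudly.
    if not can_access(role, "edit", field_name):
        raise PermissionError(f"{role} may not edit {field_name}")
    record[field_name] = value

EMPLOYEE = {  # constructed sample record
    "email": "a.example@example.com", "phone": "01234 567890", "address": "1 Example St",
    "salary_history": [30000, 32000], "bank_account": "00-00-00 12345678",
    "review_2016": "Meets expectations", "rating": 3,
}
```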

Sue Lingard is marketing director at Cezanne HR
