Home Depot Malware Attack Reinforces HR Challenges

Risk management meetings between HR and IT recommended

By Bill Leonard Sep 9, 2014
LIKE SAVE PRINT
Reuse Permissions

Home Depot’s compromised payment systems could turn out to be the biggest data breach of its kind, with as many as 60 million credit cards affected, according to experts. That would be far more than the 40 million cardholders impacted by the breach at Target stores in 2013. The company confirmed the breach Sept. 8, 2014.

Home Depot store customers in the United States and Canada from April to early last week could be affected, according to the company.

The news of data breaches at Home Depot and UPS Store locations has a very important HR management angle that many people may be overlooking, according to cybersecurity experts.

The latest round of data breach revelations began on Aug. 20, 2014, when officials with United Parcel Service confirmed that they had discovered a computer virus at 51 UPS Stores in 24 states. According to UPS officials, the virus compromised the stores’ point-of-sales systems, exposing customers’ financial data to possible theft.

Two days after the UPS announcement, the U.S. Secret Service issued an advisory about the “Backoff” computer virus. The advisory stated that the point-of-sale (POS) information systems for more than 1,000 U.S. retailers could be infected with the malicious software. POS systems typically control retailers’ electronic cash registers.

According to the Secret Service advisory, Backoff gives hackers access to customers’ financial data, such as debit and credit card account numbers. A virus similar to Backoff caused the massive 2013 data breach at Target stores.

Home Depot followed with its own initial announcement Sept. 2, 2014, that the company had launched an investigation of “suspicious activity” and a possible data breach.

“I read these news stories, and I just have to shake my head and wonder when are businesses going to wake up?” said Stu Sjouwerman, chief executive officer at KnowBe4, a cybersecurity consulting group in Clearwater, Fla. “HR should be prepared to take responsibility and assert [its] leadership now,” he said. “HR leaders should take the initiative, and during meetings with IT or with other top-level managers, they should ask: ‘What are we doing to get and stay ahead of this?’ ”

What Employers Must Do Now

The first step businesses must take now is to thoroughly check their systems for any malicious software. This advice applies to all businesses and not just retailers, according to Sjouwerman, because nearly every business has software and information systems that manage electronic transfers of funds.

“Wherever money transfers happen, that’s where the bad guys want to get to,” he said.

There are two angles to ensuring the security of your organization’s information systems and processes, according to Jeremy Ames, chief executive officer of Hive Tech HR, an HR information systems consulting group based in Medway, Mass. IT should first conduct security checks of your organization’s computer systems and assess system vulnerabilities.

“You have to check your networks and look at risks, and if malware protections and firewalls are adequate,” Ames said. “The second part of this is the HR angle, which is a much softer side to this. Computer systems are much more concrete, and something IT folks can easily get their arms around. The HR side involves educating people about safe and secure behaviors, which can often be a harder thing to get your hands on.”

Ames and Sjouwerman discussed the importance of securing the “human firewall” and admitted this often creates the most difficult challenge for employers. Employees who aren’t properly educated about good cybersecurity practices pose the biggest risk to a company’s information system. While no one knows for sure how the Backoff virus spread among retailers, Ames and Sjouwerman agreed it could easily have been a worker clicking on a bad link or falling victim to a “phishing” scheme, fake e-mails that try to get unwary recipients to click on a web link. The links are infected with a virus, which can corrupt a user’s computer and possibly spread through the organization’s entire network.

“You really must educate your employees about what phishing e-mails and links look like, and this kind of training should be mandatory,” Sjouwerman said. “One way to ensure your employees aren’t clicking on the wrong thing is to send out simulated phishing attacks, and then track who clicks on the links. Any employee clicking on a phishing link should be warned and possibly be required to take remedial training.”

Ames added that the increased mobility of the workforce is another risk that many employers are failing to manage correctly. As more employees work outside the office, some are falling victim to cyberattacks launched through unsecured wireless Internet connections.

“Mobile desktop software is especially vulnerable if you are working on a public and unsecured Wi-Fi connection,” said Ames. “More and more workers are having viruses planted on their laptops and mobile devices when they hook into an unsecured Wi-Fi connection in a restaurant or coffee shop. They may not know it, and if they bring their infected computer into the office and connect into the system, then that virus will now be behind the organization’s firewall.”

Sjouwerman and Ames agreed that HR’s role in educating employees about the risks and the need to practice safe and secure computer habits is vitally important.

“IT and HR’s cooperation on this is imperative,” said Ames. “Issues like this often move slowly between IT and HR. IT will jump on working to a solution now, but it can be six to 18 months before it moves to HR, and they respond by developing proper training and policies for the issue. And this is a gaping hole that cyber thieves are happy to exploit. Businesses, and HR especially, need to improve and ramp up the response time.”

Ames and Sjouwerman recommend regular monthly or even weekly meetings between IT and HR to discuss recent threats and risks. If an organization has a chief security officer, then IT and HR should work with that person closely and conduct regular risk assessments.

“The time to act is right now; businesses can no longer drag their feet on this,” Sjouwerman said. “It’s now apparent that the bad guys have penetrated much further than we first suspected and this is a business issue that can no longer be ignored.”

Bill Leonard is a senior writer for SHRM.

Quick Links:

SHRM Online Safety & Security page

Subscribe to SHRM’s Safety & Security HR e-newsletter
LIKE SAVE PRINT
Reuse Permissions

SEMINARS

HR Education in a City Near You

Find a Seminar

Job Finder

Find an HR Job Near You

SPONSOR OFFERS

Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 3,200 companies

Search & Connect