Study: HR Can Be First Line of Defense Against Cybercrime


By Greg Wright May 18, 2016

A recent study from Verizon says cybercriminals are increasingly using ransomware to hold valuable information hostage, but experts say human resource professionals can take steps to ensure that their companies do not fall victim to a data hostage situation.

“Training people to detect and resist attempts to trick them into sending sensitive data or money to criminals is a top action all companies should be taking right now,” said Kip Boyle, founder and president of Cyber Risk Opportunities in Seattle.

The Verizon 2016 Data Breach Investigations Report says cybercriminals are continuing to trick workers into clicking on links or providing unsolicited information in order to steal information from companies. That information can then be converted into cash or some other commodity.

Companies surveyed by Verizon reported 144 cases of ransomware fraud in 2015, up from 133 in 2014 and just 22 in 2013, said Gabriel Bassett, a senior information security data scientist with Basking Ridge, N.J.-based Verizon.

“Phishing” also continues to be a popular cybercrime, the report says. Phishing occurs when criminals pose as a trustworthy source and use electronic communications to get credit card information, account logins and other sensitive data. The phishing e-mails or texts that cybercriminals send can also include links to websites that are infected with malicious software.

Despite the fact phishing is a fairly well-known cybercrime, many workers continue to fall for the ruse, Bassett told SHRM Online in a phone interview.

“Humans aren’t perfect,” he said. “We can try to decrease phishing, but the reality is there are some departments at organizations [where it is part of workers’ jobs to open] taking e-mails from people they don’t recognize.”

Experts said HR departments can be especially vulnerable to security breaches because they handle a lot of sensitive data, including Social Security numbers, bank routing numbers, addresses and insurance information.

Experts offered the following tips on what HR professionals can do to help prevent their companies from falling victim to ransomware, phishing and other cybercrimes:

Talk to employees. Companies need to have a strong international communications campaign to educate staff not to fall victim to cybercrimes, Boyle told SHRM Online. Companies should also use a good software-as-a-service, anti-phishing testing service, which should cost about $20 per user per year, he said.

Abandon manual processing. HR professionals should stop relying on manual processes that expose them to unnecessary risk, such as using spreadsheets that do not have restricted access, said Chris Bruce, co-founder and resident data security expert at Thomsons Online Benefits, a global benefits administration company based in London.

Limit data access. HR departments should limit access to important data to only a few users and ensure that those users are well-informed about ransomware and phishing, said Mark Gilmore, president and co-founder of Wired Integrations, a strategic technology consulting firm in Northern California’s Silicon Valley.

Secure e-mails. HR departments should consider adopting e-mail security solutions, such as encrypted e-mails, to ensure that criminals can’t access their data, said David Wagner, CEO of the ZixCorp e-mail encryption provider company in Dallas.

Vary storage options. Don’t put all your HR data in one place. Marc Voses, a partner at Kaufman, Dolowich and Voluck in New York City and co-chair of the law firm’s data privacy liability and technology services practice group, recommends storing information on multiple servers and using firewalls to help prevent cybercriminals from assessing it.

Always back up data. Perhaps most important, back up your data to recover it quickly if a cybercriminal uses ransomware to hijack it. Otherwise, you may end up having to pay the ransom, experts said.

“The primary key to recovering from a loss of data is to regularly back up data,” Voses said.

 Greg Wright is a Baltimore-based freelance writer who has covered Congress, consumer electronics and international trade for Gannett News Service, USA Today, Dow Jones and Knight-Ridder Financial News. He can be reached at


Job Finder

Find an HR Job Near You
Search Jobs
Post a Job

Earn a SHRM Talent Acquisition Specialty Credential.

Do you have what it takes to win the war for talent? Find out.

Do you have what it takes to win the war for talent? Find out.