Not a Member? Get access to HR news and resources that you can trust.
Don't leave the task of calculating total cost of workforce to the finance department.
Is your employee handbook ready for the changing world of work? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
60+ new SHRM Seminar dates in 10 U.S. cities and virtually.
Expand your influence and learn how to become an effective leader -- Join us in Phoenix, AZ, October 2-4, 2017.
Be careful out there, all you web surfers; cyberspace can be a dangerous place.
Even though the Internet has evolved into one of the most effective tools for companies to connect with customers, communicate with employees, identify talent and recruit new workers, an active online presence has become risky business. Malicious software and viruses have proliferated across the Web and are now lurking in innocuous-looking e-mails, file attachments and websites.
As business use of the Internet has grown more sophisticated with better and faster connections, cybercrime has kept pace, and the cleverness of computer hackers is breathtaking to many cybersecurity experts.
“The sophistication and creativity of hackers today is pretty scary,” said Jonathan Villa, a cybersecurity consultant based in Milwaukee, Wis. “You really have to be on your toes and pay attention because the types of viruses, malware and computer security threats change almost daily.”
Villa and other sources for this article said hacker sophistication leapt a notch or two in late summer 2013 when a virus called CryptoLocker began appearing on personal computers, tablets and smartphones around the globe. The malicious software is transmitted through e-mails, which have virus-laden attachments or include a link to an infected website. When an unsuspecting user clicks on an infected attachment or link, the virus is downloaded automatically and encrypts all personal data files stored on the device.
Once the encryption is complete, victims are locked out of the files on their own computers, and then they receive a message demanding a ransom of several hundred dollars. To regain control of their computers, victims have to pay the ransom within a few days or the files will stay locked and useless forever. The extortionists require that payments be made with hard-to-trace pay cards or bitcoins. Several law enforcement groups have estimated that the ransom schemes have netted close to $100 million for the cyberthieves.
“The sudden appearance of this ‘ransomware’ really upped the ante on cybercrime targeting individuals,” said Stu Sjouwerman, chief executive officer at KnowBe4, a cybersecurity consulting group in Clearwater, Fla. “Cybercriminals who essentially hijack and then hold your computer for ransom had not been heard of before, but they made a very big splash.”
Since bursting on the scene in September 2013, CryptoLocker has infected nearly a quarter million computers around the globe—more than half of them in the U.S.
Although ransomware targets individuals, these attacks have hit businesses hard.
“Many of the infections have been employees of small to medium-sized companies, and it has taken a toll by locking up and destroying work files,” Sjouwerman said. “Just imagine the headache of losing all your work files on your computer, and what it will cost in time and effort to replace all that work.”
Most victims have decided to pay the ransom, which typically runs between $500 and $800, while some have chosen to let the deadline pass.
If you or your organization routinely backs up data files, then restoring the files can be a relatively easy process. In addition, firewalls and spam detection software can provide protections to employees who use devices connected to their employer’s computer systems. However, the large numbers of workers who telecommute, work remotely or travel extensively pose increasing security challenges to businesses. The weakest link in any cybersecurity system is an employee, according to Villa and Sjouwerman.
“The growing numbers of telecommuters definitely have upped the security risks because they typically operate their computers outside the protective umbrella of their employers’ firewalls,” Villa said. “But this doesn’t mean businesses should cut back or eliminate telecommuting. It is proven to be an effective and cost-efficient way to work, so the answer is to work smarter and learn how to reduce exposure and eliminate risks.”
Employees who lack awareness and aren’t trained in good computer security habits pose the greatest risks and are tempting targets for cybercriminals.
“These ransomware schemes target the lowest hanging fruit first, and these usually are people who open e-mails and attachments or click onto links without thinking first, because they just aren’t aware,” Sjouwerman said. “By using common sense and sticking to some safe practices, you can really save yourself from some major headaches.”
Raising employee awareness through cybersecurity training is the best step any employer can take, according to Eric Schwartzman, president and CEO of Comply Socially Inc., a social media and cybersecurity consulting group located in Santa Monica, Calif.
“Good cybersecurity training is very affordable, and it’s money well-spent, especially when you consider the expense of being hit by something like a ransomware attack,” he said.
Dozens of businesses around the U.S. offer good cybersecurity training. HR people interested in setting up a training program for their organization should seek out recommendations first.
“Don’t just rely on the word of the consultant or vendor; ask around,” Schwartzman said.
Sources for this article agree that social media sites, such as LinkedIn, are a great resource for finding recommendations. In addition, any local HR-oriented groups, like a chapter of the Society for Human Resource Management, can be sources for suggestions on the best consultants and training programs.
“It’s all about raising awareness,” Sjouwerman said. “More employers are getting the message, and are very interested in what cybersecurity experts have to offer—but sadly these employers are in the minority. I think we really are just getting started and interest will only continue to expand.”
Often cybersecurity programs offer more than training, and some vendors will assess your organization’s spam filters and security readiness. Simulated phishing attacks (e-mails that tempt you to click on a virus-infected link or to send personal information) can provide a lot of information about an organization’s vulnerabilities, according to Sjouwerman.
“You can see right away who in your company is falling for the phishing schemes,” Sjouwerman said. “So you will get a pretty good idea which employees need more training.”
Recently, law enforcement agencies in the United States, Australia and Europe worked together and dealt a serious blow to ransomware hackers. Officials with the FBI announced on June 3, 2014, that agents working with a multinational cybercrime task force had identified the ringleader and developer of the CryptoLocker malware as Russian computer hacker Evgeniy Bogachev. According to the FBI announcement, agents seized and shut down the computer servers that were running his worldwide ransomware schemes.
The FBI said that Bogachev, age 30, is one of the most prolific cyber crooks in the world and issued a “wanted” poster that lists his online aliases. However, Bogachev and several of his colleagues have evaded capture and remain at large somewhere in Russia, according to the FBI spokesperson.
While the shutdown of the CryptoLocker network is good news, the bad news is that copycat malware is already appearing, such as one called CryptoWall. Also, the agents hunting Bogachev have issued a dire warning that he has the resources and know-how to set up a large-scale hacking operation from scratch in less than a month. In addition to creating CryptoLocker, the FBI said Bogachev is responsible for the malicious software called GameOver Zeus, which steals computer login information so that hackers can gain access to bank accounts and even corporate HR or payroll systems remotely.
“One thing is certain, cybercrime is here to say, and hackers will only get more sophisticated and more innovative,” said Sjouwerman. “Proper cybersecurity training should be a top priority for every business that has a presence on the Internet, which today is nearly every employer.”
Bill Leonard is a senior writer for SHRM.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Become a SHRM Member
SHRM’s HR Vendor Directory contains over 3,200 companies