5 Top Cybersecurity Concerns for HR in 2019

​Artificial intelligence, bring-your-own-device (BYOD) policies and application programming interfaces that connect disparate HR systems have brought important new benefits to the workforce. But the adoption of these technologies—along with a rise in sophisticated new forms of cyberattack—also has created new risks to the security and privacy of sensitive human resources data.

A December 2018 study from Cambridge, Mass.-based Forrester Research found that 55 percent of enterprise network security decision-makers reported experiencing at least one data breach in the past 12 months. Forty-four percent of the breaches were caused by employees who—intentionally or not—exposed sensitive data to hackers or data thieves.

Security experts say there are a number of data security issues human resource information technology (HRIT) leaders should pay close attention to this year. Here are their tips for minimizing risk.

[SHRM members-only platform: SHRM Connect]

1. Phony Chatbots

Hackers are now creating malicious chatbots that attempt to trick job candidates or employees into clicking links, sharing confidential company data or downloading files, said Marc Laliberte, a senior security analyst with WatchGuard Technologies in Seattle.

In 2016, for example, a bot presenting itself as a "friend" on Facebook conned 10,000 users into installing malware that hijacked the users' Facebook accounts and gained access to their personal and financial data.

"Many chatbots are now used to help recruit, to answer frequently asked questions from employees and for other uses in HR," Laliberte said. "They open up a new avenue for phishing attacks from hackers because they can make fake chatbots pop up on a site and steer unsuspecting users toward giving up sensitive information by tricking them into thinking they're interacting with a company-created bot."

WatchGuard's 2019 Security Predictions study found that hackers primarily use basic text-based chatbots but could go after human speech bots like Google Duplex in the future.

Joe Nocera, leader of the Financial Services Cybersecurity practice at consulting firm PwC in Chicago, said companies should use penetration-testing methods with their AI applications in the same way they look for security vulnerabilities in other technologies. Penetration tests are simulated cyberattacks against your own system to check for exploitable vulnerabilities.

"It helps you understand what can go wrong and how bots react when they are being abused or created for malicious purposes," Nocera said. "That kind of simulation testing is a best practice when it comes to rolling out new bots."

2. Spear Phishing

Laliberte also expects more spear phishing attacks—a practice where e-mails are sent from supposedly known or trusted senders for nefarious purposes—largely because of how successful those methods have been for bad actors.

"Hackers have learned that it's much easier to hack people than to hack technology," Laliberte said. "Hackers may use information from a corporate website or other sources to find out who executives are, for example, and send out very convincing e-mails that can trick employees into giving up sensitive data or lead them into a bogus authentication portal to steal their credentials."

Companies should conduct phishing awareness training for workers, Laliberte said, particularly for those employees who have access to sensitive data.

3. Mobile Malware

Mobile devices will continue to be a top target of hackers' attacks, the Forrester study found.

The trend is rooted in part in poor "vulnerability management" by device manufacturers that cease supporting certain devices when new versions come out or that are slow to make security updates available.

There also continue to be security risks in BYOD policies, although modern security practices have reduced the chance of such dangers. Mobile device management allows companies to add important safeguards to mobile devices that employees use for work, Laliberte said, like data encryption, password enforcement and remote wiping.

The results of Sierra Cedar's 2018-2019 HR Systems Survey revealed that organizations with formal BYOD policies are more likely to employ security processes and technology such as multi-factor authentication (MFA) and remote wiping to protect both employees and the organization from hackers. MFA requires users to present multiple forms of evidence to authenticate their identities before accessing a network; remote wiping technology allows network administrators to send commands to delete stored data if a device is lost or stolen.

4. Internal Risks

Security experts say it's just as important to review employee use of internal systems and software as it is to focus on threats from the external environment. "It's not enough to perform external scans of systems, particularly user systems, because attackers aren't gaining access through exposed network services, but through the software your users use to read e-mail, to surf the web, and open documents," wrote senior data security analyst Josh Zelonis in the Forrester study.

Laliberte said threats can arise from modern features built into software that employees use every day. "There have been times when I've almost accidentally sent an e-mail to the wrong person when using the auto-complete feature in Outlook because I started filling in the name and didn't wait to see the last name pop up," he said. "If there is sensitive information in those misdirected e-mails, it can potentially present a big issue."

5. Balancing Access with Security

HRIT leaders will continue to face the balancing act of ensuring that employees have access to information they need to do their jobs while not exposing any sensitive data in the process. Security practices like data masking, encryption and roles-based access to data can help.

"Employees should only have access to that data they specifically need to complete their job tasks and nothing more," Laliberte said. "I would rather make an employee jump through one extra hoop that takes a small amount of time than run the risk of someone stealing all of my data."

Dave Zielinski is a freelance business writer and editor in Minneapolis.