As cyberattacks proliferate, HR and information technology (IT) professionals need to work together to ensure that employees don't fall prey to phishing, spear phishing and ransomware attacks.
HR can help by making cybersecurity training part of new-employee orientation, said Brian Kint, an attorney with Cozen O'Connor in Philadelphia.
Relevant training can and should occur beyond that, added Jess Coburn, president and founder of Applied Innovations, a cybersecurity company in Boca Raton, Fla. The tactics for cyberattacks are constantly changing, he noted, so cybersecurity training should take place throughout the year.
Here are the top scams to be aware of.
Phishing and Spear Phishing
Most cyberattacks begin with phishing: e-mails crafted to trick employees into clicking a link, opening an attachment or handing over personal or work information. The scammers often aim to steal passwords so they can get into employees' e-mail accounts or their computers.
According to the Federal Trade Commission, phishing e-mails or text messages often:
- Seem like they're from a company you know or trust. They may look like they're from a bank, a credit card company, a social networking site, a payment website or app, or an online store.
- Tell a story to trick workers into clicking on a link or opening an attachment. An e-mail may say there have been suspicious activities or log-in attempts, claim there's a problem with account payment information, or urge the recipient of the e-mail to confirm personal information.
- Include a fake invoice.
- Ask the recipient to click on a link to make a payment.
- Say the recipient of the e-mail is eligible to register for a government refund.
- Offer a coupon for free goods.
Spear phishing is phishing aimed at a specific person, with the e-mail made to look as though it comes from a trusted sender such as a colleague or an executive. Coburn said one employer lost $30,000 when an employee received an e-mail from a scammer posing as the CEO. The scammer, knowing the CEO was on a business trip, asked the employee to wire money right away. She wired the money to a bank in Alaska, and the scammer then transferred the money to somewhere in Ukraine. The money was "long gone," Coburn said. The employee hadn't been adequately trained to spot these scams, he added.
Spear phishing crops up in other ways, too. A scammer who gets access to an active employee's e-mail, for example, could send e-mail in this person's name and ask targeted individuals to send money to accounts set up by the scammer, Kint noted.
He recommends that employees call to verify e-mail requests to send large sums of money. The phone number used for that call should come from the company directory, not from the e-mail itself, since a scammer can supply a number that reaches an accomplice.
IT should send out simulated phishing e-mails and track which employees click on the links, Kint said. The company can then identify those who may need to be retrained.
Ransomware Attacks
Ransomware attacks are on the rise, Kint said, and big companies aren't the only ones at risk. Small and midsize companies that lack robust security may be targeted as well.
Ransomware is a type of malicious software—malware—that denies access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing e-mails or when a worker unknowingly visits an infected website, according to the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).
Recovery of computer files or data can be a difficult process that may require the services of a reputable data-recovery specialist. Paying ransom doesn't guarantee individuals will recover their files.
CISA recommends the following precautions to protect users against ransomware:
- Never click on links or open attachments in unsolicited e-mails.
- Back up data regularly. Keep it on a separate device and store it offline.
- Update software and operating systems with the latest patches. Most attacks target outdated applications and operating systems.
- Follow safe practices when browsing the Internet.
Others recommend that employers:
- Restrict users' permission to install and run software applications.
- Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching end-users.
- Enable strong spam filters to prevent phishing e-mails from reaching end-users, and authenticate inbound e-mail (using standards such as SPF, DKIM and DMARC) to prevent e-mail "spoofing."
"Spoofed" e-mails are sent from outside the company but carry a forged sender address that appears to belong to a co-worker; e-mail authentication lets the mail gateway reject such messages. A related trick is the lookalike domain: the scammer registers an address that differs from the company's by a single character, changing an "o" to a "0," for example, or an "e" to a "3," so the message passes authentication yet still looks internal at a glance. Many companies flag e-mails that come from external senders so workers know to scrutinize those messages more closely, Kint noted.
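The three checks described above (did the message pass DMARC, is the sender's domain a lookalike of ours, and is the message external) can be combined into a single classifier that decides which warning banner to show the employee. The following is an added example, not code from the article or from either firm quoted in it; the internal domain `example.com`, the substitution table, and the four sample messages are all constructed for the illustration.

```python
"""Tag inbound mail as internal, spoofed, lookalike or external.

Added illustration: the internal domain, the lookalike table and the
sample messages are constructed for the example, not taken from a real
environment.
"""
import email
from email.utils import parseaddr

# Assumption (hypothetical): the company's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Character swaps scammers use to build lookalike domains
# ("o" -> "0", "e" -> "3", "l" -> "1", "m" -> "rn", "w" -> "vv").
LOOKALIKES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize_domain(domain: str) -> str:
    """Undo the common swaps so a lookalike can be compared with the real domain."""
    d = domain.lower()
    for fake, real in LOOKALIKES.items():
        d = d.replace(fake, real)
    return d


def sender_parts(from_header: str):
    """Return (display_name, address, domain) for a From: header.

    parseaddr() takes the real address from the angle brackets, so a
    display name that merely *looks* like an internal address is not
    mistaken for one.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr, domain


def classify_sender(raw_message: str) -> dict:
    """Classify one message and build the banner the employee will see."""
    msg = email.message_from_string(raw_message)
    name, addr, domain = sender_parts(msg.get("From", ""))
    # Authentication-Results is stamped by the receiving gateway after it
    # evaluates SPF, DKIM and DMARC. This only works if the gateway strips
    # any copy of the header that arrives from outside.
    auth = msg.get("Authentication-Results", "").lower()
    dmarc_pass = "dmarc=pass" in auth

    reasons = []
    if domain in INTERNAL_DOMAINS:
        # Claims to be us: trust it only if DMARC says the claim is genuine.
        verdict = "internal" if dmarc_pass else "spoofed"
        if not dmarc_pass:
            reasons.append("claims internal domain but failed DMARC")
    elif normalize_domain(domain) in INTERNAL_DOMAINS:
        verdict = "lookalike"
        reasons.append(f"domain {domain} imitates {normalize_domain(domain)}")
    else:
        verdict = "external"

    # Display-name trick: the name shows an internal address but the real
    # address points elsewhere.
    if verdict != "internal" and any(f"@{d}" in name.lower() for d in INTERNAL_DOMAINS):
        reasons.append("display name imitates an internal address")

    banner = "" if verdict == "internal" else f"[{verdict.upper()}] " + "; ".join(reasons)
    return {"verdict": verdict, "address": addr, "banner": banner.strip()}


# Constructed sample messages (not real mail).
SAMPLES = {
    "internal": (
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass; "
        "dmarc=pass header.from=example.com\n"
        "From: HR Team <hr@example.com>\n"
        "Subject: Benefits enrollment\n\nOpen enrollment starts Monday.\n"
    ),
    "spoofed": (
        "Authentication-Results: mx.example.com; spf=fail; dkim=none; "
        "dmarc=fail header.from=example.com\n"
        "From: CEO <ceo@example.com>\n"
        "Subject: Urgent wire\n\nI'm traveling, please wire the funds today.\n"
    ),
    "lookalike": (
        "From: CEO <ceo@examp1e.com>\n"
        "Subject: Urgent wire\n\nNeed this done before my flight.\n"
    ),
    "display_name": (
        'From: "ceo@example.com" <cfo.urgent@mail.test>\n'
        "Subject: Invoice\n\nPlease pay the attached invoice.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = classify_sender(raw)
        print(f"{label:12} -> {result['verdict']:9} {result['banner']}")
```

The lookalike test is deliberately crude: it catches the single-character swaps mentioned above but will also flag a legitimate domain that happens to contain a digit, so in practice the normalized comparison is one signal among several rather than a block rule on its own. The DMARC check is only as good as the gateway that writes the Authentication-Results header; a gateway that lets an outsider's copy of that header through would let a scammer stamp their own "dmarc=pass."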
Training
IT should provide the training on cybersecurity in conjunction with HR, Kint said. "Coordinate between the two to ensure policies put in place by the company are being enforced."
Training shouldn't be limited to phishing, spear phishing and ransomware attacks, Coburn added. He noted that training also should educate employees about:
- Password reuse and password spraying. Employees who use the same password for multiple accounts make all of them vulnerable if one is compromised, and attackers also "spray" a few common passwords across many accounts at once, so a weak password puts the company at risk even if it is never reused.
- USB device malware, which is now so common that the use of USB devices is on the wane.
- Data-loss prevention, including the ability to wipe company information remotely from a lost or stolen phone or computer so the data cannot be taken from the device.