HR as a Cybersecurity Partner: Defending Your Organization from Risk

When you use email, the Web, social media, messaging and other communication and collaboration systems, you put yourself and your company at risk of a data breach. Whether it is malware, phishing, Trojan horses, spam, hacking or copycat mobile apps, cyber criminals focus on the weakest link in a company's security chain: its individual employees. What does this mean? It means we are all responsible for protecting ourselves, and our employers, from cyber attacks.

To show how serious the threat of cyber attacks is, we gathered some statistics from a white paper that ThinkHR published in partnership with Osterman Research:

  • Since April 2005, the Privacy Rights Clearinghouse (PRC) has recorded nearly 4,800 data breaches exposing more than 895 million records.
  • McAfee Labs saw a 165% increase in new ransomware and a 317% increase in samples of Adobe Flash malware during the first quarter of 2015.
  • Business Email Compromise (BEC), also called CEO fraud, is a scam that starts when executives' or employees' email accounts are hijacked. It has claimed 2,126 victims and caused nearly $215 million in losses.
  • A major survey found that 19% of organizations in the United States lost anywhere from $50,000 to $1 million to cyber-related fraud during 2014.

How You & Your Team Can Protect Valuable Personal & Corporate Information

There are many steps that can be taken to protect against cyber attacks. Because email is the most common way cyber criminals try to get at information, Michael Osterman, president of Osterman Research, offers four best practices employees can follow so that they are aware and equipped to defend themselves.

  1. Be Skeptical: Never assume that any email, Web page or social media post is valid. If it appears to be even remotely suspicious, makes an offer that is too good to be true, or contains strange information, do not engage with it.
  2. Ask Questions: When you receive an email, ask yourself some of the following questions.
    • Do you recognize the sender's email address, and would you normally receive email from this person? Do you recognize everyone else copied on the email?
    • Is the domain in the sender's address spelled correctly, or is it merely close to the real one (e.g., bankofamerica.com vs. bankofarnerica.com, where "rn" is made to look like "m")?
    • Is the email a reply to a message you never sent (e.g., the subject begins with "Re:" but you have no such thread)?
    • Does the URL shown in the email match the actual destination your mail client displays when you hover over the link?
    • Does the email carry an attachment ending in ".exe", ".zip" or another potentially dangerous file type?
    • Is the sender asking you to keep the contents of this email or any requests within it a secret?
  3. Be Careful When Reviewing Quarantined Messages: If an email that seems valid has been captured by the spam quarantine, be very careful before deciding it was "mistakenly" flagged and releasing it. False positives are not the norm, so a quarantine that has captured a phishing email has probably done so correctly.
  4. Don't Click: Never click a link in an email or open an attachment until you are certain it is legitimate. Never give away personal information when prompted by email. If you are unsure, call the vendor at a number you already have on file (not one taken from the email) and ask whether they sent it.
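The checklist above is mechanical enough to automate, and seeing it as code makes each question concrete. The following Python script is an added example; it is not part of the original article or of the ThinkHR/Osterman white paper. It runs the checklist's questions (lookalike sender domain, a "Re:" with no thread behind it, link text that disagrees with its real destination, a dangerous attachment extension, a request for secrecy) over a constructed sample message. The trusted-domain list, the extensions beyond .exe and .zip, the secrecy phrases, the homoglyph folding rules and the similarity threshold are all assumptions chosen for the example.

```python
import os
import re
import unicodedata
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bankofamerica.com", "example-corp.com"}  # assumed allow list; the article names only bankofamerica.com
DANGEROUS_EXTENSIONS = {".exe", ".zip", ".scr", ".js", ".vbs", ".hta", ".lnk"}  # .exe/.zip from the checklist; rest assumed
SECRECY_PHRASES = ("keep this confidential", "keep this between us", "tell no one")  # assumed wording
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def fold_lookalikes(domain):
    """Collapse visual tricks (rn->m, vv->w, 0->o, 1->l, accented letters) onto plain ASCII."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates (by homoglyph or near-miss spelling), else None."""
    domain = domain.lower()
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None  # the genuine domain or one of its own subdomains
    for t in trusted:
        if fold_lookalikes(domain) == fold_lookalikes(t) or SequenceMatcher(None, domain, t).ratio() >= 0.9:
            return t
    return None

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs: the 'hover and compare' check, done by a program."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def analyze_message(msg, trusted=TRUSTED_DOMAINS):
    """Apply the checklist to an EmailMessage; returns {indicator: detail}, empty if clean."""
    findings = {}
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if target := lookalike_of(sender_domain, trusted):
        findings["lookalike_sender"] = f"{sender_domain} imitates {target}"
    subject = msg.get("Subject", "").lower()
    if subject.startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        findings["orphan_reply"] = "subject says Re: but there is no thread being replied to"
    text = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            collector = AnchorCollector()
            collector.feed(part.get_content())
            for href, label in collector.anchors:
                if LOOKS_LIKE_URL.fullmatch(label) and host_of(label) != host_of(href):
                    findings["link_mismatch"] = f"text shows {host_of(label)} but link goes to {host_of(href)}"
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in DANGEROUS_EXTENSIONS:
            findings["dangerous_attachment"] = name
    for phrase in SECRECY_PHRASES:
        if phrase in text.lower():
            findings["secrecy_request"] = phrase
            break
    return findings

def build_sample_message():
    """Constructed phishing sample that trips every check; not a real message."""
    msg = EmailMessage()
    msg["From"] = "Bank Security <alerts@bankofarnerica.com>"
    msg["Subject"] = "Re: Urgent wire confirmation"
    msg.set_content("Confirm the wire today and keep this confidential until it settles.")
    msg.add_alternative('<p>Confirm at <a href="http://198.51.100.7/login">'
                        "https://www.bankofamerica.com/secure</a>.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="wire_details.pdf.exe")
    return msg

def build_benign_message():
    """Constructed genuine in-thread reply from a trusted domain; should yield no findings."""
    msg = EmailMessage()
    msg["From"] = "HR <hr@example-corp.com>"
    msg["Subject"] = "Re: Timesheet reminder"
    msg["In-Reply-To"] = "<20230401.1234@example-corp.com>"
    msg.set_content("Thanks, the timesheets are in the shared folder.")
    return msg
```

Call `analyze_message(build_sample_message())` to see all five indicators fire, and `analyze_message(build_benign_message())` to confirm that a genuine reply inside an existing thread from a trusted domain produces nothing. The lookalike check deliberately treats subdomains of a trusted domain as genuine, so `alerts.bankofamerica.com` passes while `bankofarnerica.com` and `bankofamerica.co` are caught; the folding rules and the 0.9 similarity threshold are tuning choices for this example, not a standard, and a production filter would also want a much longer extension list.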

As an HR professional, consider how your company educates employees about the ways cyber criminals gain access to information, whether through in-person sessions or online training, and develop a communication strategy that helps employees protect both their own financial security and that of their employer. Whether it is a lost personal mobile phone or a company laptop holding employees' sensitive information stolen from a car, everyone plays a role in defending against data breaches, malware infections and other security risks.
