Are HR Employees The Most Likely Target for Threat Actors?
Here’s a question haunting CISOs, IT security team members, and other decision makers regarding cybersecurity: what department in your enterprise is the most vulnerable to a digital threat?
Employees are well known to be the largest attack vector in any enterprise’s digital surface. The prevalence (and continuing success) of phishing attacks and social engineering serves as proof of this. If the most vulnerable employees and departments could be more adequately protected, your entire enterprise could breathe a much-needed sigh of relief.
Most cybersecurity observers and experts would assume their finance departments are threat actors’ primary target. Granted, finance is certainly a lucrative and popular target. Hackers will often send phishing emails to finance team members, hoping they will fulfill false invoices without realizing the deception.
However, the most likely digital threat target in your enterprise may surprise you; it’s likely your HR department.
Your HR department handles some of the most sensitive information in your enterprise: employees’ social security numbers, tax information, salary information, etc. According to the Verizon 2018 Data Breach Investigations Report, a phishing email to the HR department could give hackers the tools to file false tax returns.
Hackers could then direct the subsequent fraudulent tax refunds to their own bank accounts, causing potential losses in the hundreds of thousands.
Indeed, the Verizon 2018 Data Breach Investigations Report has noted a worrying uptick in HR department-directed attacks in 2018. In their article on the matter, Business Insider attributes the increase in attacks to a lack of cybersecurity training for HR employees. This reinforces the constant cybersecurity refrain that every employee should receive continual and engaging cybersecurity training.
The digital marketplace is a perilous place, and every employee (including your HR department) needs the tools to conduct themselves safely while working within it. Cybersecurity training is a short-term and long-term investment, the benefits of which can be felt for years to come.