The “WannaCry” ransomware cyberattack that began spreading last Friday quickly affected over 300,000 machines in 150 countries, mostly in Europe and Asia, making it the largest such attack in history and putting in stark relief the threat cybercrime now poses to organizations around the world. WannaCry exploited a vulnerability in outdated versions of Microsoft Windows, and as Washington Post tech writer Brian Fung explained earlier this week, some businesses were hit particularly hard because of a simple lack of resources and attention. There’s no question that if the affected businesses had kept their Windows systems up to date, they would have been protected from this threat, but doing so is often a lot less straightforward than many would assume, especially if cybersecurity isn’t properly ingrained in a company’s culture, or when cybersecurity efforts or IT upgrade initiatives lack the resources they need.
While the WannaCry attack appears to have been more sophisticated than a typical phishing scam, the majority of ransomware attacks (in which the attacker encrypts certain files on a user’s computer, locks them out of vital programs, or freezes their desktop, then demands payment to undo the damage) are conducted through phishing—a confidence scam in which the user is tricked into giving personal information or loading malicious software via email.
Why HR Should Care
Ransomware is—and should be—a major concern for HR departments: HR professionals are particularly vulnerable to such attacks, as they are often accustomed to receiving and opening innocuous emails from outside the organization. Cybercriminals know this and target organizations through their HR departments with malicious software disguised as a job application, résumé, or invoice. A recent phishing attack that compromised thousands of current and former employees at the newspaper publisher Gannett, for example, exploited this vulnerability.
The other reason HR needs to pay attention to cybersecurity is that rank-and-file employees are one of an organization’s foremost lines of defense against hacking.