Cybercriminals are continuing to carry out ransomware attacks on organizations at a greater frequency, according to two new reports highlighted by CNET’s Laura Hautala this week:
According to Verizon’s annual Data Breach Investigations Report, released Tuesday, ransomware attacks doubled in the last year. That’s especially alarming considering that they doubled the year before, too. … Ransomware accounted for 39 percent of all new malware infections tallied up in the Verizon report, which looks at more than 53,000 security incidents drawn from Verizon cybersecurity customers as well as reports from the US Secret Service and an international consortium of private sector companies.
The numbers match up with findings released Monday by cybersecurity company Malwarebytes, which found that while hackers are targeting consumers with ransomware less frequently, they’re hitting businesses with more of the attacks.
The threat of ransomware was thrown into stark relief last year, when the WannaCry attack, the largest such cyberattack in history, struck over 300,000 machines in 150 countries, exploiting a vulnerability in outdated versions of Microsoft Windows to lock victims out of their computers and demand ransoms of hundreds of dollars to restore access to their documents and data. Most ransomware attacks are much less sophisticated than WannaCry, which the US government ultimately blamed on North Korea, and rely on phishing scams that trick users into handing passwords or other personal data over to hackers, who can use this information to gain control of their devices.
Phishing and ransomware are of concern for HR departments in particular, first because this part of the organization is often a soft target for cybercriminals and second because employee behavior is the main weak point in most organizations’ cybersecurity strategies.
A series of massive data breaches at major companies, including the recent theft of over 140 million Americans’ personal data from Equifax, has put questions of cybersecurity at the front of every CEO’s mind. At the Wall Street Journal last week, Vanessa Fuhrmans noted that the threat of losing their jobs or even seeing their business destroyed was pushing more chief executives to give cybersecurity their personal attention.
Their motivations are twofold: first, the frequency of data breaches is increasing at an alarming rate, and second, CEOs are increasingly being blamed for them. After last month’s crisis, Equifax’s board moved quickly (though some argue not quickly enough) to remove Richard Smith from the CEO role he had held for 12 years. Similarly, Yahoo CEO Marissa Mayer had her bonus for 2016 rescinded as punishment for a 2014 security breach that compromised hundreds of millions of user accounts and to which an internal investigation found her management team had not responded properly.
The bottom line, Fuhrmans hears from various chief executives, is that they can no longer afford to pass the cybersecurity buck to the IT department and hope to escape unscathed if their company’s data is eventually compromised. That means developing good cybersecurity habits themselves (given how much information is publicly available about them, CEOs are attractive targets for phishing scams), learning more about how their organizations’ security systems work, and taking on a more direct oversight role.
Here’s an area where CEOs could be leveraging their relationship with the HR department to be more proactive about solving the problem. Rather than investing only in firewalls to prevent external breaches, many organizations should also be looking inward, as employee errors account for nearly 60 percent of privacy failures. There’s a big role for HR in helping employees avoid the errors and bad habits that make cyberattacks more likely to succeed.
The massive data breach at the credit reporting agency Equifax affected 2.5 million more Americans than previously thought, the agency revealed last week. The breach, first revealed last month, exposed the data of 145.5 million US consumers in total, plus some 400,000 in the UK and about 8,000 in Canada.
This event, which Equifax has blamed on employee error, has raised concerns over not only what hackers might do with the data that was compromised, but also what other data Equifax and other credit agencies have on hand that could be put at risk by similar oversights in data security. Equifax, for instance, owns a database of payroll information from 7,100 companies, which was not exposed in the recent breach, and major employers seem to have no intention of ceasing to entrust the firm with their data, Jennifer Surane reported for Bloomberg last week:
In the wake of the breach announced last month, Bloomberg News contacted the 40 largest U.S. employers — representing some 12.5 million workers — and asked if they would continue dealing with the service, which helps them with unemployment claims, employment eligibility and tax credits. None said they will sever existing ties.
Several — such as Wal-Mart Stores Inc., the nation’s largest private employer — confirmed they will keep sharing information with Equifax. Others declined to comment on their relationships or didn’t respond to messages. Only about a half-dozen said they didn’t provide that information prior to this year’s hack.
On September 7, the credit reporting agency Equifax revealed it had experienced a cybersecurity breach in late July that potentially exposed the sensitive personal data of 143 million Americans to unidentified hackers, and the agency said this week that it had suffered another breach in March.
The data exposed in the breach included millions of consumers’ names, birth dates, addresses, Social Security numbers, and in some cases driver’s license numbers. The hackers also obtained 209,000 credit card numbers and documents with personal information used in disputes for 182,000 people. “On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” Avivah Litan, a fraud analyst at Gartner, told the New York Times when the July breach was disclosed earlier this month.
With so many people affected, most US organizations likely have victims of the breach among their employees, whose data could be used to steal their identities and commit fraud. Employers that offer 401(k) plans should contact their third-party administrators to ensure that employees are notified of any vulnerabilities in their accounts, Edward McAndrew, an attorney with Ballard Spahr in Philadelphia and former cybercrime prosecutor for the Department of Justice, tells Allen Smith at SHRM:
The TPAs should notify employees to monitor their account statements for fraudulent activity and start using multifactor authentication to access their accounts, McAndrew said. HR shouldn’t provide the notice itself or it will get inundated with questions from employees about Equifax’s breach, he said.
Nearly 18,000 current and former employees of the newspaper publisher Gannett may have had their personal information compromised after hackers broke into the email accounts of members of the company’s HR department, the Associated Press reported this week:
The company says there is no indication sensitive information was taken, but it can’t be sure. Gannett says it learned in March that several people in its human resource department were victims of a phishing attack, in which hackers try to steal personal information through emails. It says hackers accessed email accounts and were able to send other phishing emails from there. There was also an unsuccessful attempt to wire transfer corporate money.
When the attacker attempted a fraudulent wire transfer, Gannett’s finance department flagged the request as suspicious and thereby uncovered the breach, the Wall Street Journal adds. The company quickly locked down the affected accounts, launched an investigation, and notified federal law enforcement. It is offering current and former employees a free year of credit monitoring services, and is taking steps to strengthen its cybersecurity protocols and train employees on how to better protect themselves against phishing scams.
In addition, as many as one million Gmail users were targeted this week by a very sophisticated phishing scam exploiting Google Docs, which has also rattled many IT departments.
Furthermore, cyberattacks are increasingly targeting organizations rather than individuals, and HR departments have become a favorite entry point for hackers as HR professionals typically have access to a lot of employee data and are accustomed to opening emails from outside the organization, where it is relatively easy to conceal malicious code in the guise of a résumé or invoice.
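The attachment-disguise point above (malicious code sent to HR under the name of a résumé or invoice) is one that a mail gateway can check for mechanically before a recruiter ever opens the file. The following is an added example written for this page, not code from any of the organizations, vendors or reporters cited; the attachment names and leading bytes are constructed samples, and the file-signature table and extension lists are an illustrative subset rather than a complete one. It flags the common disguises: an executable or script extension, a double extension such as resume.pdf.exe, a macro-enabled Office type, and a file whose content (its leading bytes) does not match what its name claims.

```python
"""Triage inbound e-mail attachments the way a simple mail-gateway filter might.

Constructed sample data; extension lists and signatures are an illustrative subset.
"""

# Constructed (name, leading bytes) pairs standing in for attachments seen by HR.
SAMPLE_ATTACHMENTS = [
    ("resume.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),          # genuine PDF
    ("cover_letter.docx", b"PK\x03\x04\x14\x00"),            # genuine OOXML (zip) document
    ("invoice_2018.docm", b"PK\x03\x04\x14\x00"),            # macro-enabled Word file
    ("resume.pdf.exe", b"MZ\x90\x00\x03\x00"),               # double extension, PE header
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),                  # PE content under a .pdf name
    ("invoice.js", b"var s = WScript.CreateObject('WScript.Shell');"),  # script file
]

# Leading-byte signatures for document types HR is expected to receive (subset).
DOCUMENT_MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",),   # legacy OLE compound file
    ".xls": (b"\xd0\xcf\x11\xe0",),
    ".rtf": (b"{\\rtf",),
}

# Extensions that Windows will execute directly when double-clicked (subset).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".jar", ".msi",
}

# Office formats that may carry VBA macros (subset).
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}


def split_name(name):
    """Return (lower-case name parts split on '.', final extension with dot or '')."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 and parts[-1] else ""
    return parts, ext


def triage_attachment(name, head):
    """Return ("allow", []) or ("quarantine", [reasons]) for one attachment.

    `head` is the first few bytes of the file body; only a prefix is needed.
    """
    reasons = []
    parts, ext = split_name(name)

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable or script extension {ext}")

    # resume.pdf.exe: a document-looking extension hidden in front of the real one.
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_MAGIC:
        reasons.append("double extension disguised as a document")

    if ext in MACRO_EXTENSIONS:
        reasons.append("macro-enabled Office document")

    # Content check: the bytes must agree with what the name claims.
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("Windows executable (MZ header) under a non-executable name")
    else:
        expected = DOCUMENT_MAGIC.get(ext)
        if expected and not head.startswith(expected):
            reasons.append(f"content does not match the {ext} file signature")

    return ("quarantine", reasons) if reasons else ("allow", [])


def triage_batch(attachments):
    """Triage a list of (name, head) pairs; returns {name: (verdict, reasons)}."""
    return {name: triage_attachment(name, head) for name, head in attachments}


def count_quarantined(results):
    """Number of attachments a gateway would hold back for review."""
    return sum(1 for verdict, _ in results.values() if verdict == "quarantine")


if __name__ == "__main__":
    for name, (verdict, reasons) in triage_batch(SAMPLE_ATTACHMENTS).items():
        print(f"{name:22} {verdict:10} {'; '.join(reasons)}")
```

Running the block on the constructed samples quarantines four of the six files and passes the genuine PDF and .docx. In a real gateway the signature table would be fuller and a quarantined file would go to a sandbox or analyst queue rather than simply being dropped, so that a legitimate but oddly packaged résumé can still be released.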