The “WannaCry” ransomware cyberattack that began spreading last Friday quickly affected over 300,000 machines in 150 countries, mostly in Europe and Asia, making it the largest such attack in history and putting in stark relief the threat cybercrime now poses to organizations around the world. WannaCry exploited a vulnerability in unpatched versions of Microsoft Windows (Microsoft had issued a fix roughly two months before the outbreak), and as Washington Post tech writer Brian Fung explained earlier this week, some businesses were hit particularly hard because of a simple lack of resources and attention. There is no question that organizations that had applied that update were protected from this threat, but keeping systems current is often far less straightforward than many assume, especially when cybersecurity is not properly ingrained in a company’s culture, or when cybersecurity efforts and IT upgrade initiatives lack the resources they need.
While WannaCry spread on its own as a self-propagating worm rather than through a typical phishing scam, the majority of ransomware attacks (in which the attacker encrypts files on a user’s computer, locks them out of vital programs, or freezes their desktop, then demands payment to undo the damage) are delivered through phishing: a confidence scam in which the user is tricked into giving up personal information or running malicious software, usually via email.
Why HR Should Care
Ransomware is, and should be, a major concern for HR departments: HR professionals are particularly vulnerable to such attacks, as they are accustomed to receiving and opening unsolicited emails from outside the organization. Cybercriminals know this and target organizations through their HR departments with malicious software disguised as a job application, résumé, or invoice. A recent phishing attack that compromised the data of thousands of current and former employees at the newspaper publisher Gannett, for example, exploited exactly this weakness.
The other reason HR needs to pay attention to cybersecurity is that rank-and-file employees are one of an organization’s foremost lines of defense against hacking.
Nearly 18,000 current and former employees of the newspaper publisher Gannett may have had their personal information compromised after hackers broke into the email accounts of members of the company’s HR department, the Associated Press reported this week:
The company says there is no indication sensitive information was taken, but it can’t be sure. Gannett says it learned in March that several people in its human resource department were victims of a phishing attack, in which hackers try to steal personal information through emails. It says hackers accessed email accounts and were able to send other phishing emails from there. There was also an unsuccessful attempt to wire transfer corporate money.
When the attacker attempted a fraudulent wire transfer, Gannett’s finance department flagged the request as suspicious and thereby uncovered the breach, the Wall Street Journal adds. The company quickly locked down the affected accounts, launched an investigation, and notified federal law enforcement. It is offering current and former employees a free year of credit monitoring services, and is taking steps to strengthen its cybersecurity protocols and train employees on how to better protect themselves against phishing scams.
In addition, as many as one million Gmail users were targeted this week by a sophisticated phishing scam impersonating Google Docs, which has also rattled many IT departments.
Furthermore, cyberattacks increasingly target organizations rather than individuals, and HR departments have become a favorite entry point because HR professionals typically have access to a great deal of employee data and are accustomed to opening email from outside the organization, which makes it relatively easy to conceal malicious code in the guise of a résumé or invoice.
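The disguise described here (malware sent to an HR inbox as a “résumé” or “invoice”) relies on a handful of recurring tricks: an executable or macro-enabled file with a document-like name, a double extension such as resume.pdf.exe, a right-to-left override character that hides the real extension, or a file whose bytes do not match the type its name claims. The following Python script is an added example, not code from the original article or from any of the companies it mentions; it triages attachments in a MIME message for those patterns. The sample message, the attachment contents and the extension lists are constructed for illustration and represent an assumed starting policy, not a vendor recommendation.

```python
"""Triage inbound e-mail attachments for common "malicious résumé" disguises.

Added example (not from the original article). Sample data is constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed policy lists: file types that run code or carry macros, and the
# document types an HR inbox legitimately expects.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "ps1", "lnk", "msi", "jar"}
MACRO_OFFICE_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "rtf", "txt", "odt"}

# Leading bytes a file of the claimed type must start with.
MAGIC = {
    "pdf": b"%PDF",
    "docx": b"PK\x03\x04",       # OOXML is a ZIP container
    "docm": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0",  # OLE compound file
    "exe": b"MZ",                # Windows PE header
}
RTLO = "\u202e"  # Unicode right-to-left override, used to hide extensions


def triage_attachment(filename, content):
    """Return a list of findings for one attachment; an empty list means no finding."""
    reasons = []
    name = filename.lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # 1. "cv<RTLO>fdp.exe" renders as "cvexe.pdf" in many mail clients.
    if RTLO in filename:
        reasons.append("right-to-left override character in filename")
    # 2. File types that execute code or carry macros.
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if ext in MACRO_OFFICE_EXTS:
        reasons.append(f"macro-enabled Office file .{ext}")
    # 3. Double extension: a document-looking name ending in something else.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    # 4. Content does not match the claimed type (e.g. a PE file named .pdf).
    expected = MAGIC.get(ext)
    if expected and not content.startswith(expected):
        if content.startswith(MAGIC["exe"]):
            reasons.append(f"claims .{ext} but content is a Windows executable (MZ header)")
        else:
            reasons.append(f"claims .{ext} but header does not match")
    return reasons


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and triage every attachment.

    Returns {filename: [findings]}.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        content = part.get_content()
        if isinstance(content, str):      # text/* parts come back as str
            content = content.encode("utf-8", "replace")
        findings[filename] = triage_attachment(filename, content)
    return findings


def build_sample_message():
    """Constructed sample: one genuine PDF résumé and one PE file named like a résumé."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "Application for the open position"
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf",
                       filename="jane_doe_resume.pdf")
    msg.add_attachment(b"MZ\x90\x00constructed, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename="resume.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name, "->", reasons or "clean")
```

The checks are deliberately cheap and run before any content scanning: a finding here is a reason to quarantine the message for review, not proof of malice, and a clean result says nothing about a macro-free document that exploits a reader bug. Attachments inside archives are not opened by this script; a real gateway should unpack them and apply the same checks to each member.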
Every Friday afternoon, Facebook CEO Mark Zuckerberg gathers employees at the company’s Menlo Park, California, headquarters for an all-hands talk and Q&A that is recorded and broadcast to thousands of other Facebookers in remote offices across the US and around the world. The topics of these chats are wide-ranging and surprisingly open, Recode’s Kurt Wagner writes, covering everything from unreleased products, to strategic initiatives, to Zuckerberg’s thoughts about Facebook’s competitors and even its board members: the kind of material tech reporters (or competitor CEOs) would kill for.
Yet despite all the juicy details contained in these talks, they very rarely leak outside the company. How, Wagner wonders, does Zuckerberg manage to be so candid with his employees without compromising Facebook’s information security? The answer, it seems, has a lot to do with how much employees appreciate having a direct connection with their CEO, which engenders a deep respect for the need to keep these communications internal:
“That level of transparency is alarming when you see it at first,” said one former employee. “But there’s something [special] about knowing you’re getting an unfettered response.”
The Defend Trade Secrets Act, which President Barack Obama signed into law on Wednesday, helps businesses protect their secret sauces by expanding their ability to sue anyone who steals them—a phenomenon that costs the US economy over $300 billion a year. Jon Hyman at Workforce breaks down what employers need to know about the new law in brief, while Andrew McIlvaine at HRE Daily relays the views of some employment law experts on what it means for HR:
Trade secret claims have long been a key component of employee non-compete agreement lawsuits, writes Chris Marquardt, a partner at Alston & Bird’s labor and employment law group. For this reason, the new federal law “not only gives employers another tool to protect their confidential business information, but will also likely shift many routine employment-agreement lawsuits into the federal court system,” he writes. …
Brett Coburn, also a partner with Alston & Bird, writes that one of the less-frequently discussed aspects of the new law is one that will impact nearly all employers: “The law grants both criminal and civil immunity under both federal and state trade secrets laws to individuals who disclose a company’s trade secrets to the government” if the person has reason to suspect that a legal violation has occurred. It also requires employers to notify employees of this immunity “in any agreements that govern the use of trade secrets or other confidential information.”