Social engineering is the predominant cyber risk facing organizations today, and HR professionals are being heavily targeted. The most common social engineering attack vector is to induce an employee to open a file or click a link that then installs ransomware. The second, which disproportionately affects HR professionals, is to trick someone into compiling sensitive information such as W-2s and sending it outside of the company.
The ransomware problem is rampant, and all signs point to it only increasing. For additional information about ransomware generally, see http://www.smithmoorelaw.com/ransomware-makes-cybersecurity-one-of-your-biggest-concerns, and relating to the disconcerting advent of the ransomworm, see https://innotechtoday.com/ransomworm/.
There are, however, steps you can take to protect yourself and your company. At an organizational level, robust backups, training, and preparation are key. Nefarious individuals are becoming more sophisticated, which makes it much more difficult to distinguish “spoofed” requests from legitimate ones. Therefore, when it comes to any request for compiled information or transfer of funds, it is imperative to take appropriate precautions.
Organizations should implement policies requiring at least secondary authentication (outside of e-mail) for any request for compiled information or transfer of funds, and then train aggressively on those policies. For such policies to be effective, it comes down to awareness, diligence, and the exercise of common sense by every employee who could potentially put the company at risk.
TIP: One of the best ways to defend against ransomware is to NEVER click on a link in an e-mail again. Retype or copy the link address into a new browser window, search for it (searching for “Snyder ransomworm” should give you the second article cited above), or, if it is an institution or retailer where you have an account, go directly to the site and log in. Additionally, to avoid inadvertently sending confidential information to unauthorized individuals, confirm all such requests with a phone call or text message, even if your organization does not have a policy covering them.