Spear Phishing Impacts from the HR Perspective
Adrien Gendre
—January 14, 2016
—3 min read
Spear phishing, the email-borne attack technique that targets specific individuals and tricks them into clicking malware links or disclosing information, is now recognized as one of today's more serious corporate security threats. Phishing is estimated to be involved in 91% of attacks, and some of the highest-profile data breaches in recent memory are attributed to phishing and spear phishing.
In this article, we are going to look at spear phishing from the perspective of Human Resources (HR), a department that has a tangential, but quite important relationship with IT. What should HR managers know about spear phishing? What can — or should — they do about it?
First, to illustrate how a spear phishing attack might affect a business, we will use an example that shows how HR itself can be used as cover for social engineering. Imagine that Manny, Kathy and Jacqueline all work on the same team at a business. One day, Manny gets an email from “Jono D/HR Dept.,” which contains the subject line “URGENT — We need to reset your login for the HR system.” The email reads, “Manny, your HR system accounts, along with Kathy’s and Jacqueline’s, have all been erased due to a server maintenance error last night. We need to reset your accounts. Please provide us with your old user ID and passwords so we can close those out and get you new ones.” Manny doesn’t see that the email actually comes from a Gmail account: his mail client shows only the display name, not the underlying address, and he’s too busy to check anyway. Jono’s name looks familiar. He’s worked with Jono in the past, so he fires back a quick reply with his username and password. Manny doesn’t realize it, but he has just handed his login credentials to a spear phisher.
How does the attacker know that Manny, Kathy and Jacqueline work together? How does he know that Jono works in HR? It’s easy. He looked it all up on LinkedIn, Facebook and the company website. Equipped with that basic knowledge, the attacker takes advantage of the fact that most employees are busy and handling a large volume of email to slip the attack message through. And such messages are difficult for most email security software to detect because they contain no obvious spam signatures, infected attachments or malware links. They’re conversational and personalized.
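The signals in the message above (a familiar display name on a free-mail address, a department claim, a request to reply with credentials, and urgency) can be checked mechanically on inbound mail even when no link or attachment is present. The following is an added example written for this page, not code from the original article or from Vade; the company domain `example.com`, the small employee directory, the thresholds and the two sample messages are all constructed for illustration.

```python
"""Display-name impersonation and credential-solicitation check for inbound mail.

Added example for this article, not code from the original page or from Vade.
The internal domain, the directory, the phrase lists and the sample messages
below are constructed assumptions used only to demonstrate the checks.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed company domain
# Assumed employee directory: lowercase display-name words -> internal address.
DIRECTORY = {"jono d": "jono.d@example.com", "manny r": "manny.r@example.com"}
DEPARTMENT_TERMS = ("hr", "human resources", "payroll", "it support", "helpdesk")
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Phrases that ask for credentials or announce an account reset.
CREDENTIAL_PATTERNS = (
    r"\b(user\s*id|username|user name)\b.{0,40}\bpassword",
    r"\bpassword\b.{0,40}\b(user\s*id|username)",
    r"\breset your (login|account|password)",
)
URGENCY_WORDS = ("urgent", "immediately", "asap", "within 24 hours")


def _words(text: str) -> str:
    """Lowercase, keep only letters, return single-spaced words."""
    return " ".join(re.findall(r"[a-z]+", text.lower()))


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (decoded, lossy on errors)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def assess_message(raw: str) -> dict:
    """Return the suspicious signals found in one RFC 5322 message and a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain != INTERNAL_DOMAIN
    padded_name = f" {_words(display)} "  # pad so whole-phrase matching works
    reasons = []

    if external and domain in FREEMAIL:
        reasons.append(f"sent from free-mail domain {domain}")
    if external and any(f" {known} " in padded_name for known in DIRECTORY):
        reasons.append("display name matches an internal employee but address is external")
    if external and any(f" {term} " in padded_name for term in DEPARTMENT_TERMS):
        reasons.append("display name claims an internal department but address is external")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    body = _body_text(msg)
    subject = msg.get("Subject", "")
    if any(re.search(p, body, re.I | re.S) for p in CREDENTIAL_PATTERNS):
        reasons.append("body asks for credentials or an account reset")
    if any(w in f"{subject} {body}".lower() for w in URGENCY_WORDS):
        reasons.append("urgency language in subject or body")

    score = len(reasons)
    verdict = "quarantine" if score >= 3 else "flag" if score >= 1 else "pass"
    return {"from": addr, "display": display, "score": score,
            "reasons": reasons, "verdict": verdict}


# Constructed sample: the message from the article, sent from a Gmail address.
PHISH = """From: "Jono D/HR Dept." <jono.d.hrdept@gmail.com>
To: manny.r@example.com
Subject: URGENT - We need to reset your login for the HR system

Manny, your HR system accounts, along with Kathy's and Jacqueline's, have all
been erased due to a server maintenance error last night. We need to reset your
accounts. Please provide us with your old user ID and passwords so we can close
those out and get you new ones.
"""

# Constructed sample: a routine internal note from the real Jono.
LEGIT = """From: "Jono D" <jono.d@example.com>
To: manny.r@example.com
Subject: Benefits enrollment reminder

Open enrollment closes next Friday. Use the HR portal as usual.
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        result = assess_message(sample)
        print(result["verdict"], result["score"], result["reasons"])
```

The scoring is deliberately simple: each independent signal adds one point, and three or more quarantines the message. In practice the directory lookup would be fed from the HR system or directory service, which is exactly why HR and IT need a working relationship on this topic.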
HR Impact of Spear Phishing
Phishing has many potential impacts on a business, including loss of data and intellectual property, reputation damage and financial losses. For HR, spear phishing has several implications specific to the department:
- Risk of breach of confidential personnel data – Any data breach is a serious problem for a business, but a leak of HR records can be particularly painful. Given how important people are to a business, there can be a major business impact if employees feel a breach of trust with the company. Morale can suffer. Talent may defect. There is the potential for litigation as well.
- The need to update the Acceptable Use Policy – The emerging best practice in HR is to include specific references to phishing in the company’s Acceptable Use Policy for devices, email, software and the Internet. Policy language should address the risk of impersonation and the exposure created by employees’ social networking profiles.
- Incident reporting – Spear phishing incidents need to be reported to the IT department and information security managers, and possibly to outside parties. The IT department may want to report the incident to external security bodies that track phishing threats. While most security policies already mandate reporting, the phishing risk should be specifically called out, especially since such an incident may be harder to detect than other types. For example, if an employee suspects that he or she has been targeted by a spear phishing attack, that should ideally be reported even if there is no evident impact at the time.
There is also the potential for a seeming conflict of interest at the employee level when it comes to reporting. Employees may feel that they did something wrong and resist reporting a phishing incident for fear of being blamed for causing a problem. This needs to be addressed proactively, with HR assuring phishing targets that they will not be penalized for bringing a phishing attack to the attention of the IT department – even if the attack was the result of not following an established policy, such as using a company device for personal reasons. An unreported phishing incident can be devastating, because it gives the attacker time to move from one compromised account to a much larger portion of the network.
- Conflicts between “Personal Device” policies and a “Bring Your Own Device” approach to device support – Though many HR policies forbid use of personal devices for business, or personal use of business devices, these policies are often in conflict with the emerging “Bring Your Own Device” reality. The issue is that phishing thrives in the ambiguity of personal device usage. The “I’m on my mobile using a Gmail account” cover story lets phishers send high-risk email without ever needing an address inside the company’s actual domain. This conflict should be addressed at the policy level.
Solving Spear Phishing Impacts from the HR Perspective
The best way to manage the HR risk of spear phishing is to make it as difficult as possible for an attacker to reach your employees in the first place. However, standard anti-spam filtering is not designed to catch a spear phishing email, which carries no spam signature, infected attachment or malware link. Vade offers a countermeasure built for this case.
Give us a call at 415-745-3630 or contact us if you want to discuss how you can quickly add anti-phishing measures to your current email setup.