It’s late in the afternoon, a couple of hours before the monthly payroll is due to be finalised, when an email drops into your inbox. An employee is requesting you manually change their bank details – they’re working from home and can’t access your organisation’s self-service system and they know the cut-off point is looming.
There are no links and no attachments. The name on the email is familiar and the way it is written seems plausible. It is, all told, a routine transaction even if it’s not all that regular. There seems little reason not to perform the simple task involved. But doing so, it hardly needs stating, could cost you dearly.
Requesting a change to employee information is an increasingly popular form of cyber attack known as a business email compromise attack. It enables scammers to hoover up a staff member’s salary – for this reason, it’s likely to involve a fairly senior employee – and it exploits a growing trend to target HR professionals, particularly those with responsibility for payroll, as an organisational weak link.
Finance and procurement departments have been targets of financially motivated cyber fraud for many years. But Crane Hassold, senior director threat research at cyber security firm Agari, says he began seeing cyber criminals switching their attention in early 2018.
“Instead of targeting an employee directly, scammers began targeting HR employees with ‘payroll diversion’ business email compromise attacks,” he says. Forgoing malicious attachments or links, it was easy enough for ‘phishers’ – those who engage in widespread, speculative fraudulent attacks via email or social media – to use social engineering techniques to persuade an HR professional to divert funds to their account.
Such attacks are hard to spot until the damage is done. And while it may seem they could be halted with the application of simple processes (such as asking for personal information to verify a request to change account details) or the application of common sense, the way they have spread from the US into the UK over the past year is proof of their ongoing efficacy.
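As an added illustration (not from the article or any vendor quoted in it), the check below screens an inbound request like the one described above for the payroll-diversion warning signs the piece names, then applies the process point: the change is held until it has been verified through a contact channel taken from the HR record rather than from the email. The corporate domain, staff directory and sample message are constructed.

```python
"""Screen a 'change my bank details' email for payroll-diversion BEC
indicators and gate the change on out-of-band verification (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

CORPORATE_DOMAIN = "example.com"   # assumed internal mail domain (constructed)
# Constructed HR directory: display name -> mailbox on record.
DIRECTORY = {"Jane Smith": "jane.smith@example.com"}
TRIGGERS = re.compile(r"\b(bank|account|sort code|payroll|direct deposit)\b", re.I)
PRESSURE = re.compile(r"\b(urgent|asap|today|cut-off|deadline)\b", re.I)

# Constructed sample request: familiar name, no link, no attachment.
SAMPLE = """\
From: Jane Smith <jane.smith@webmail.example>
Reply-To: Jane Smith <payroll.update@mailbox.example>
To: payroll@example.com
Subject: Updated bank details before cut-off

Hi, I'm working from home and can't get into self-service. Can you
change my bank account and sort code before today's payroll cut-off?
"""


def bec_indicators(raw_message: str) -> List[str]:
    """Return the payroll-diversion warning signs present in one message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    findings = []
    if TRIGGERS.search(text):
        findings.append("asks to change bank or payroll details")
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain != CORPORATE_DOMAIN:
        findings.append("sender domain is external: " + domain)
    on_record = DIRECTORY.get(name)
    if on_record and on_record.lower() != addr.lower():
        findings.append("display name matches staff member but address does not: " + addr)
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To diverts replies to " + reply_to)
    if PRESSURE.search(text):
        findings.append("time pressure on the request")
    return findings


def change_decision(findings: List[str], verified_out_of_band: bool) -> str:
    """Policy gate: the bank-detail change is applied only after the employee
    confirms it via a phone number or channel held on the HR record. This
    holds even when no indicator fired, since a clean-looking email proves nothing."""
    if verified_out_of_band:
        return "apply"
    return "hold: verify with employee via HR-record contact (%d indicator(s))" % len(findings)


if __name__ == "__main__":
    hits = bec_indicators(SAMPLE)
    print("\n".join(hits))
    print(change_decision(hits, verified_out_of_band=False))
```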
It puts HR professionals even further to the fore in the war against cyber crime, forcing them into the role of potential victims in addition to their ongoing responsibility for encouraging organisational vigilance and inculcating the right sort of culture that will keep fraud at bay – whether it’s professional criminals attempting to breach your systems or an employee with a grudge who’s already inside.
The scale involved is significant. According to recent research from the FBI, business email compromise attacks have cost businesses around the world £9.52 billion over the past five years. In the UK, the government’s National Cyber Security Strategy says the average cost of a breach to large businesses is around £36,500, and 65 per cent of organisations suffered some form of breach in the past year.
It’s very difficult to estimate the number of business email compromise attacks actually taking place, says Mark Nicholls, chief technology officer at Redscan, not least because only a fraction of them are actually reported. But there have been some notable cases, including the Italian football club Lazio, which sent a €2 million transfer fee payment to a fraudster. “If such a high-profile organisation can be duped, you can imagine how susceptible most businesses are,” says Nicholls.
The risk of cyber attack is rightly rising further up the agenda, says Peter Cheese, chief executive of the CIPD. “It’s certainly very much in the minds of top business leaders that this can be a massive threat – everything from the reputational damage if records get stolen or lost, through to financial fraud and ransomware.
“When you then reflect on the fact the biggest sources of problems are to do with people, and they’re mostly unwitting, it really does put the whole question of cyber security much more into an HR space,” he adds.
“We’ve got two communities that really need to come together: the technology community, particularly the information security industry, and the HR profession. HR itself has not always been the most tech savvy and it needs to get better at working much more closely with technology in a number of guises, but this is a key one.”
The threats affecting HR departments can be broken down into two categories: insider and outsider. Insider threats are the risks posed by an organisation’s own employees, including both unintentional breaches – such as when an individual falls for a phishing scam – and malicious attacks, carried out by current or former staff.
This aspect of cyber security has been thrown into focus by the payroll leak suffered by supermarket Morrisons in 2014 and orchestrated by a staff member – not only did it highlight how vulnerable organisations can be to an individual with malicious intentions, it has potentially heaped additional liabilities on firms which suffer attacks.
There are other good reasons why the HR profession needs to get involved. “You can have the best technology in place, but if your staff aren’t trained in cyber security and they don’t have the right culture or behaviours, the technology’s not going to be of much benefit,” says Haroon Malik, director of cyber security consulting at Fujitsu.
It’s not computers that are the target of attacks, he adds, it’s people. “Think about how malware gets onto a laptop or a system. It requires the user to click on a phishing link and actually download it. So it’s the people who are attacked first, then the system.”
HR has become a target because of the data it holds. Any identifiable information is valuable to criminals, and payroll and other HR systems are a treasure trove of names, addresses and bank details. If this is compromised, not only can it affect individual employees, it also gives phishers more ammunition to target attacks on other parts of the business. “Maybe an attacker can hit the HR team, who they feel are a softer target, and get specific information which they then use against the real target,” says David Mount, director at Cofense.
Policy is the first point of call in preventing such attacks, and it’s an area most organisations will have tackled. It covers, but is not limited to, rules around who can access what data, what devices employees can use, what passwords are allowed and how often they need to be changed. But informing employees of your security policies is useless if they aren’t enforced.
One area where HR could do more, according to Nigel Parker, partner at Allen & Overy, is when policy breaches are not appropriately addressed. A slap on the wrist and an informal warning won’t cut it if an employee is a repeat offender. Even unintentional offences are a serious issue if they happen again and again. “A regulator, when they look at a [data breach] later on – if they see a company wasn’t enforcing its policies, and the HR function was perhaps encouraging forgiveness rather than actually taking action, that would be viewed quite dimly,” he says.
Training is critical, adds Malik. “You can’t just do tick-box training and leave it. Cyber security is something where the threats are constantly changing, so the training HR need to deliver, it needs to be almost constant – maybe once a quarter.” This extends to managers and executives, who can often be the highest risk individuals in a company.
Many senior employees would also do well to remember the security of their business extends beyond their working hours: the information they give freely on social media accounts about who they are meeting or where they are taking holidays can be used to make a phishing attack appear more legitimate. “We’ve had a healthcare organisation, they were targeted with a phish that looked like it came from their chief exec,” says Mount. “The attacker had clearly done their homework because the email looked like it came from the CEO – the language and tone was very consistent with the way the CEO typically communicated with their staff.”
Phishing attacks are still the most common type of cyber attack: it’s likely that more than 90 per cent of data breaches are initially caused by phishing, and many of them are ‘credential harvesting’ campaigns, says Mount. They often come disguised as an important policy change sent out by an HR leader or another individual, asking employees to follow a link and login through a fake website. These details can then be used for further hacks, potentially aimed at stealing data or launching a ransomware attack.
“Attackers have a choice. They can either be really noisy and try breaking into a place, or they can follow somebody through the front door. That’s where those credential harvesting attacks come in: they harvest credentials and then use them to just walk through the door,” says Mount.
Anyone can be a target, but there is a growing awareness that some people are more susceptible to an attack than others, says Dr Helen Jones, lecturer in experimental social psychology at the University of Central Lancashire. Along with colleagues, she has been running experiments that involve asking participants to rank the likelihood an email is malicious while operating in different environments and under different pressures.
While some people are naturally better than others at identifying scams, which is probably linked to whether they typically deploy impulsive or more reflective decision-making processes, outside stimuli can also have an effect on scores. Working under time constraints, perhaps unsurprisingly, made people perform worse.
Multitasking was another danger sign, although the impact differed depending on which tasks were involved. When Jones set verbal secondary tasks, such as speaking out loud, participants were more susceptible than those performing motor tasks such as pressing key sequences, potentially because we use the same cognitive resources while speaking and reading an email.
Time constraints and distractions are “a big factor, and something that is really relevant given the kind of pressures people are under in the workplace environment,” says Jones. “But I don’t think it can be said that’s the one and only factor, because there are quite a lot of things at play here when we’re talking about susceptibility to cyber security and it’s quite hard to pinpoint one specific thing.”
Intriguingly, Jones’ studies suggested telling people to expect phishing emails did not make them any more or less vigilant. In one experiment, participants were given tasks in a mock office environment. Half were told at the start that the hypothetical company they were working for was being targeted and they should expect an influx of spam emails.
“[We wanted] to see if this really, really explicit priming about phishing would reduce their susceptibility, and it didn’t. They showed the same amount of susceptibility as everyone else, which baffles me,” says Jones. It has led her to believe priming campaigns are not effective in workplace environments. When you’re focusing on the task in hand, she suggests, even the most important messages drop to the back of your mind.
Jones thinks the true answer to activating our cyber vigilance might lie in nudge theory, the art of using gentle suggestions. It might mean telling people that 75 per cent of their colleagues spotted a particular phishing email, or even deploying small pop-ups on an email system to warn someone if they’re sending a message to an external account. “There are various different things from social psychology that have the potential to work really well, but in all honesty, they’ve not been tested in much detail yet,” Jones adds.
The more common way to foster a culture of awareness around threats is to run phishing simulations in which an external provider looks for vulnerabilities. If it’s done right, says Mount, it can help engage employees with the threat. But he adds: “When you phish test and you have this mindset of ‘pass or fail’, it can be challenging from an employee engagement perspective. Employees don’t like to feel tested – they want to feel they’re actively participating in the programme.” It’s better to ‘gamify’ phishing tests so they feel enjoyable, track scores by team or even offer financial bounties for reporting attacks.
But a safeguarding culture is also about how an organisation’s technical safeguards mesh with its people. Many inadvertent data breaches can be prevented simply by walling in data, says Abi Dakin, cyber assurance and compliance manager at Leeds City Council. Self-service HR systems, for example, are one small way to prevent payroll intercept scams, as they cut out the middleman and leave an employee in control of their own data.
Even this isn’t infallible, however. Many breaches happen because employees find safeguards are too cumbersome and inhibit their ability to perform their jobs, so they circumvent them. Reducing user burden is the easiest way to counteract this. “It’s applying those sensible and psychological rulesets. Understanding how people work is fundamental to good security – there’s no point making something so difficult and arduous that people find their way around it,” Dakin says.
“If you create a 16-step process to access your computer, you’re going to leave it on all night and not log out. If it’s too difficult to use a virtual private network (VPN) or to print something, people will email stuff home to print it out. That’s what people do.”
Malicious attacks are harder to stop, but far from impossible. Offboarding procedures here are key, says Sarah Henchoz, partner and HR expert at Allen & Overy. Make sure you revoke any privileges and passwords when employees leave, remind them of restrictions they are still subject to and keep an eye out for suspicious behaviour.
“If somebody leaves in what might be suspicious circumstances or if someone refuses to say which organisation they’re going to join, those are the kind of things that might trigger a review of their email accounts to see what data they’ve been accessing prior to their resignation and whether there is information they’ve been sending home or to third parties,” Henchoz says.
With vigilance to the fore and a voice in IT security discussions, HR departments can shift cultures around cyber security and begin to anticipate the increasing sophistication of attacks. But it’s important to be aware that the stakes are getting ever higher.
Morrisons has been ruled vicariously liable after internal auditor Andrew Skelton stole personal data including names, addresses, salaries and bank details of almost 100,000 staff during the course of his employment and leaked them after he left the business.
Thousands of staff are seeking compensation from the supermarket. The Court of Appeal found it was vicariously liable for the breach despite the fact Skelton, who was jailed, acted intentionally. Morrisons is challenging the ruling in the Supreme Court, but the shockwaves are already being felt.
“The ICO [the information watchdog] essentially came to the conclusion that the company did have in place appropriate security measures, and that it had reacted appropriately,” says Parker. “But the court, in applying the vicarious liability standards, is applying a much higher standard. It’s much harder to avoid [liability].”
More than ever, it makes it crucial to put policies and procedures in place and enforce them. Skelton had raised flags during the course of his employment but, as Parker points out, you can’t fire everyone that breaches a policy. “The message is it’s almost impossible to design policies and procedures that will absolve you of responsibility. The only way to avoid responsibility is to avoid the thing happening in the first place by actively enforcing policy, actively monitoring networks and monitoring staff behaviour to make sure you detect the wrongdoing before it happens.”
For HR departments who instinctively want to place trust and empowerment at the heart of the employment relationship, that is a tough message to swallow. But the conversation is increasingly business critical and the stakes are ever higher. If you aren’t part of a conversation about cyber security in your organisation, you can be sure cyber criminals are.
The fridge that ate our data
How do you get employees’ attention? Tell them their lunch is at risk. One phishing test carried out by a cyber consultancy saw staff sent an email – purportedly from the HR department – informing them a webcam had been installed in an office fridge after a spate of thefts.
They were invited to click the link and see more – and, fascinated by the chance to watch their lunch sitting in the dark, dozens logged on.
The mirror that heard everything
When a leading London law firm refurbished its boardroom, decorators stumbled across something unexpected.
A large mirror hanging on a wall turned out to be home to a recording device – and further investigation by a cyber security consultancy suggested an audio stream was being transmitted to an unidentified overseas destination.
The cities held to ransom
Two Florida municipalities paid a total of US$1.1 million in ransoms to hackers who stole vital data over the course of two weeks. The ransomware attack first hit Riviera Beach, a city in Palm Beach, when a city employee clicked a malicious link in an email. The authority was forced to move back to paper documents and eventually voted to pay the ransomers $600,000 in bitcoin, despite there being no guarantee the data would be released.
A second town, Lake City, suffered a similar fate and agreed to stump up a total of $500,000.