Phishing attacks occur when cybercriminals trick their victims into sharing personal information, such as passwords or credit card numbers, by pretending to be someone they’re not.
IT leaders count on Human Resource (HR) departments to be partners in promoting an organizational culture that values security. From setting device usage policies on an employee’s first day to facilitating security training and awareness, HR has an important role to play in the adoption of IT policies.
In its day-to-day role, HR is critical to security in its own right. Because it handles the sensitive personal information of employees, contractors, vendors and others, HR personnel are high-value targets for cyber attacks.
PII Data is Essential to HR — and Valuable for Cybercriminals
The Personally Identifiable Information (PII) of employees and contractors falls into HR’s purview from the first point of contact. When job candidates share resumes or LinkedIn profiles with recruiters, they’ve shared their first piece of personal information.
Some common types of employee PII shared with HR include:
- Social Security Numbers (SSNs)
- Driver’s licenses
- Passports
- Taxpayer Identification Numbers (TINs)
- Home addresses
- Personal financial information (like salary or equity), bank accounts and credit/debit cards
- Medical records
- Email addresses and phone numbers
- Insurance information
The value of each type of PII differs, but HR is responsible for safeguarding all of it.
HR teams collect, manage, handle, aggregate and share all this data — internally among the HR team and at times, across other parts of the organization, as well as externally with third parties such as tax collection agencies, benefits providers and HR consultants and contractors.
Cyber Threats Against HR Teams
By necessity, HR teams process sensitive and confidential information from external sources. For convenience and efficiency, HR often treats this exchange of sensitive information like any other. It is one of the reasons why HR is a weak point in an organization’s security posture — and why cybersecurity defenses must be holistic.
It’s not just email or instant messaging that is risky. Used the wrong way or with more expansive privileges than necessary, HR tech tools expose organizations to costly legal and reputational risks.
The Risks of HR Software Leaking Employee Information
The modern HR stack includes a variety of tools that automate or more efficiently manage rote tasks and record-keeping.
HR tools carry risk for several reasons. Chief among them, these systems are attractive targets for cybercriminals because they:
- Process significant volumes of sensitive employee data
- Integrate with other critical systems like enterprise resource planning (ERP) software and bank accounts
- Are accessible online, making them vulnerable to cyber attacks
Many HR stacks include the tools below, depending on the requirements of an organization and its industry. When an HR stack syncs data between separate tools, the integration can expose sensitive data if any one of those systems is vulnerable. HR tech tools can include:
- Applicant Tracking System (ATS): An ATS helps recruiting and extended hiring teams automate pipelines for new candidates, ensuring an efficient screening and routing process.
- Applicant assessment or talent management tools: Often a feature of an ATS, these tools offer digital assessments, insights and automated communication with candidates — saving time and money on evaluating candidates.
- Onboarding tools and learning and development software: Companies introduce new employees and contractors to their business practices, strategies and policies with onboarding tools. These tools are key to establishing a repeatable process that gets new hires up and running, saving HR administrative costs and shortening a new hire’s time to competence.
- Employee compensation software: One of the most essential tools in any organization, compensation software automates many parts of the payroll management process. Payroll and tax are complicated areas of compliance that are prone to errors, and the rise of remote workforces, with more companies employing people in different tax jurisdictions, has added to this complexity. Many of these tools also provide data on compensation equity, helping ensure that businesses are equal-opportunity employers.
- Benefits administration software: These tools allow employees to elect coverage options — whether it’s enrolling in one plan or another for health insurance, life insurance, a health savings account or a retirement plan.
- Workforce management software: HR teams and managers use workforce management software to track attendance, time cards and calendars. Companies depend on this software to plan, report on and improve workforce efficiency in line with company policies and labor regulations.
- Performance management platforms: Performance management and culture software bridges communication between managers and their reports, standardizing evaluation throughout an organization.
- HR analytics software: As in other departments, HR analytics and reporting capabilities uncover where HR teams have the opportunity to improve administrative efficiency, productivity and employee satisfaction.
Unsecure Document Sharing
W-2s, 1099s and other tax forms and employee records are full of sensitive, personally identifiable information. Many HR teams and their outside partners, such as benefits providers and state agencies, make a habit of sharing these documents through unprotected means — including email, instant messaging and unencrypted file storage services.
In a hybrid work environment, these traditional ways of sharing records violate zero-trust and zero-knowledge security best practices.
Social Engineering and Phishing Attacks
Because HR teams are used to receiving sensitive documents through unprotected communications, they are vulnerable to phishing and social engineering cyber attacks.
In some instances, cybercriminals impersonate a job candidate or current employee and send a fake email with an attachment for download. When an HR employee downloads and opens the malware-laden attachment, the bad actor can take over the workstation and gain access to internal systems, particularly when login credentials aren’t protected.
To collect whatever an initial breach missed, attackers have also placed bogus security checks on web pages posing as popular job sites. These pages captured the login credentials of recruiters, which were then used to target payroll software.
Bad actors have targeted LinkedIn users with scam emails phishing for personal information in response to a job offer or an inquiry from a job candidate.
Unauthorized Personal Device Usage
HR handles a wide range of sensitive information. Along with PII, there are also trade secrets, business records and confidentiality agreements. HR staff are no less likely than their colleagues to work on unauthorized personal devices. However, doing so without the approval of IT places security at risk.
External Partners Fail to Meet Security Standards
HR contractors and partners may not have defenses as strong as your organization’s. This is particularly true if they don’t use a password manager and therefore have no way to share login credentials securely.
For example, when HR works with government agencies, like state unemployment offices, the entire HR team often has to do so with a single account. Without a secure means to share these types of login credentials, HR teams put the PII of current and former employees at risk.
Small-to-midsize businesses (SMBs) are especially vulnerable to breaches. A lack of resources and preparedness helps explain why 60% of SMBs go bankrupt within 6 months of being breached.
Lacking Security Training for HR Teams
Despite its close working relationship with IT, HR is just as vulnerable as the rest of the organization to poor security hygiene.
According to Keeper’s 2022 Cybersecurity Census, 54% of IT leaders would prioritize investing in security awareness training, with 50% saying that they are looking to invest in projects that promote a culture of compliance. Given the responsibility of HR to manage an organization’s personnel and leadership in organization-wide training, their adherence to good security practices is critical.
Privacy Regulations and Employee PII
The challenges of HR technology and poor security hygiene can also entangle organizations in costly penalties, fines and litigation for privacy violations.
The privacy guidelines established for consumer data include employee data as well. In the European Union, and now in California, consumer data is defined to include HR data.
Organizations are subject to civil penalties for violating these privacy laws. In California, companies face a civil penalty of $2,500 for each violation and $7,500 for each intentional violation after notice.
In addition to the penalties and fines for not complying with privacy laws, organizations may be liable for negligence if the PII they hold is breached, because the breach exposes employees to an increased risk of identity theft. In 2019, the Pennsylvania Supreme Court held the University of Pittsburgh Medical Center liable for a breach that leaked the HR data of over 60,000 employees. The suit alleged that proper firewalls, data encryption and authentication could have prevented the leak.
Investment in the protection of PII and other sensitive HR data safeguards a business from paying out heavy penalties, fines and litigation. It also protects the value of a company’s brand equity, its public perception, one of its most important assets.
How Keeper Security Protects HR Employee and Organizational Data
Just as IT often counts on HR to strengthen compliance and security awareness, HR needs IT’s support to properly vet external partners and manage sensitive data.
HR has a critical example to set in the protection of passwords, secrets and credentials. It’s one of the many reasons why HR teams, in partnership with their IT departments, have turned to Keeper Security to secure their employees’ information from cyber attacks. Keeper Password Manager secures the login credentials to HR stacks, protects employee PII and safeguards a company’s liability and reputation.
Enterprise Password Management (EPM) provides IT admins with centralized visibility, security and control. Role-based access control policies set by the IT team can restrict access to the least privilege necessary for an employee to do their job. Admins are also able to configure enforcement policies, such as platform restrictions and IP listing, to further ensure that only select personnel can access HR tools.
And with user decommissioning and account transfer policies through Keeper, IT and HR teams alike can automate part of the offboarding process and prevent disgruntled former employees from accessing critical information.
HR Data Storage and Sharing
In addition to protecting login credentials and delegating access permissions, Keeper’s powerful Secure File Storage and One-Time Share capabilities are popular among HR teams.
- Secure File Storage encrypts every uploaded file individually with zero-knowledge encryption, so that only the user can access and decrypt their stored files. HR managers can simply drag and drop files into their vault, where stored files like tax paperwork and employee records are individually encrypted.
- One-Time Share enables HR teams to securely send sensitive documents in a time-limited manner. It’s particularly useful for transmitting files with large volumes of private data.
- Many audits, compliance reports and other data files require sensitive information such as SSNs and birthdays for all employees. In cases such as these, One-Time Share enables HR to securely share this required information with third parties.
- One-Time Share is also popular among employees who need to share private files with HR. Many employees are rightly uncomfortable with sending a copy of their Social Security card from a personal device, over email or through instant messaging.
Protect Your HR Team and Employee Data with Keeper
Employees expect their personal data to remain secure and confidential with their employers.
Working with IT, HR can properly protect employee and organizational data — securing their organization from breaches and the business, legal and reputational fallout that comes with them.
Keeper ensures HR teams, as well as departments throughout an organization, have a full range of identity and access management solutions to protect every user on every application and device. Whether it’s securely transmitting payroll information to government agencies for tax purposes or enforcing two-factor authentication (2FA) for critical HR software that processes employee data, Keeper equips HR and IT teams with the security to mitigate the cyber threats against them.
Getting started with Keeper is easy. Talk to one of our cybersecurity experts to see how you can protect your employees today.