HR a Target for Cyber-Crime, Must Defend Itself


By Martin Berman-Gorvine

Sept. 7 — The human resources department is a target for cyber-crime because it controls employees’ personal information, so it must take an active role in its own defense, consultants say.

“Yes, there are associated risks that other departments may not face, as HR holds some of the most valuable data in an organization—the personally identifiable information of their employees,” said Shawn Neibaur, systems administrator at Lindon, Utah-based HR software company BambooHR.

“In addition, HR often controls the onboarding of employees, meaning that an attacker who compromises HR could register themselves as an employee and gain access to other systems. Also, HR is a facilitator for the entire company, so attackers may try to impersonate HR personnel to gain compliance from other departments,” Neibaur said.

“HR is an essential part of the security training process and needs to be involved and invested, not only in protecting their own data, but also in training other departments in basic information security and social engineering techniques,” he told Bloomberg BNA in an Aug. 31 e-mail, referring to manipulative methods cyber-criminals use to impersonate someone their victim trusts and thereby gain unauthorized access.

“Proper security buy-in and support from HR is just as important as support from the executive team,” he said.

Susan Vitale, chief marketing officer for Matawan, N.J.-based talent acquisition software provider iCIMS, said HR should take special steps to protect itself, over and above following IT’s instructions.

“Ensuring that roles within HR are clearly defined, both organizationally and within any computer systems that HR uses, is especially important to ensure that data is only accessible to those who need access to it,” she told Bloomberg BNA in an Aug. 31 e-mail.

For example, “it is important that a hiring manager for a certain department doesn’t have the same access settings as an HR manager,” Vitale said. “Be sure to ask your vendor if these settings are configurable. Also, reviewing audit trails for unexpected activities quarterly is effective. These two relatively straightforward activities can dramatically decrease the risk of a security compromise.”
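The two controls Vitale describes, distinct access settings per role and a periodic review of audit trails, can be made concrete. The following is an added example and not code from the article, BambooHR or iCIMS: a small Python script with a hypothetical role/permission table, a constructed user roster and a constructed audit log in a made-up `timestamp|actor|action|department|record` format. It first checks that a hiring manager's permissions are a strict subset of an HR manager's (least privilege), then reviews the log for actions a role is not permitted, access outside the actor's own department, actors missing from the roster, and an unusual volume of bulk exports. The role names, the log format and the export threshold are all assumptions.

```python
"""Role separation check and audit-trail review for an HR system (added example).

Roles, permissions, users and log lines below are constructed for illustration
and do not reflect any real HR product's schema.
"""
from collections import Counter, namedtuple

# Hypothetical role -> permitted actions. A hiring manager sees candidates only;
# employee records (including creation and export) stay with HR roles.
ROLE_PERMISSIONS = {
    "hr_manager": {"employee.create", "employee.read", "employee.update",
                   "employee.export", "candidate.read", "candidate.update"},
    "hr_specialist": {"employee.read", "employee.update",
                      "candidate.read", "candidate.update"},
    "hiring_manager": {"candidate.read", "candidate.update"},
    "employee": {"employee.read_self"},
}

# Roles whose access is limited to their own department (assumption).
DEPARTMENT_SCOPED = {"hiring_manager"}

# More bulk exports than this in one review window is flagged (assumed value).
EXPORT_THRESHOLD = 2

# Constructed user roster: who holds which role in which department.
USERS = {
    "alice": {"role": "hr_manager", "dept": "HR"},
    "bob": {"role": "hiring_manager", "dept": "Engineering"},
    "carol": {"role": "employee", "dept": "Sales"},
}

AuditEvent = namedtuple("AuditEvent", "ts actor action dept target")


def role_is_subordinate(child, parent, perms=ROLE_PERMISSIONS):
    """True if `child` can do nothing `parent` cannot and strictly less.

    Encodes the article's point that a hiring manager must not end up with
    the same access settings as an HR manager.
    """
    return perms[child] < perms[parent]


def parse_audit_line(line):
    """Parse one constructed log line: ts|actor|action|department|record."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError("malformed audit line: %r" % line)
    return AuditEvent(*fields)


def review_audit_trail(lines, users=USERS, perms=ROLE_PERMISSIONS,
                       export_threshold=EXPORT_THRESHOLD):
    """Return a list of findings as (ts, actor, action, reason) tuples."""
    findings = []
    exports = Counter()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_audit_line(line)
        user = users.get(ev.actor)
        if user is None:
            # An account acting on HR data that HR never provisioned.
            findings.append((ev.ts, ev.actor, ev.action, "actor not in HR user roster"))
            continue
        role = user["role"]
        if ev.action not in perms.get(role, set()):
            findings.append((ev.ts, ev.actor, ev.action,
                             "action not permitted for role " + role))
            continue
        if role in DEPARTMENT_SCOPED and ev.dept != user["dept"]:
            findings.append((ev.ts, ev.actor, ev.action,
                             "access outside own department (%s)" % user["dept"]))
            continue
        if ev.action == "employee.export":
            exports[ev.actor] += 1
    # Volume check: permitted actions can still be unexpected in quantity.
    for actor, n in sorted(exports.items()):
        if n > export_threshold:
            findings.append(("window", actor, "employee.export",
                             "%d bulk exports exceeds threshold %d" % (n, export_threshold)))
    return findings


# Constructed audit log for one review window.
SAMPLE_AUDIT_LOG = """\
2016-07-01T09:12:00|alice|employee.read|Sales|E1001
2016-07-02T10:05:00|bob|candidate.read|Engineering|C2001
2016-07-03T11:30:00|bob|employee.read|Engineering|E1002
2016-07-04T14:20:00|bob|candidate.read|Sales|C2009
2016-07-05T23:47:00|carol|employee.export|Sales|ALL
2016-07-06T08:00:00|mallory|employee.create|HR|E1099
2016-07-07T09:00:00|alice|employee.export|HR|ALL
2016-07-08T09:00:00|alice|employee.export|HR|ALL
2016-07-09T09:00:00|alice|employee.export|HR|ALL
"""


def run_review():
    """Run the review over the constructed log and return its findings."""
    return review_audit_trail(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    assert role_is_subordinate("hiring_manager", "hr_manager")
    for finding in run_review():
        print(finding)
```

Against the constructed log the review returns five findings: the hiring manager reading an employee record and reading a candidate in another department, an ordinary employee attempting a bulk export, an actor absent from the roster creating an employee record, and the HR manager's three exports exceeding the assumed threshold. In a real deployment the roster and log would come from the vendor's role configuration and audit export, which is why Vitale's advice to confirm those settings are configurable and the audit trail is available matters.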

In small organizations that may not have a full-fledged IT department, HR needs to be even more proactive about its own defense, Neibaur and Vitale said.

However, Neibaur said, “while there are many technical aspects to information security, the most important security controls require little more than common sense and a healthy sense of skepticism. By educating staff on the hazards of social engineering, the HR department can mitigate the most common intrusion method without needing to write a single line of code or harden a server.”

Said Vitale: “It is important for smaller organizations to understand the security posture of their service providers, especially if they don’t have a dedicated IT or information security department of their own. If this is the case, understanding the security capabilities provided by the software vendor should be a top priority.”

Questions she suggested asking the software vendor are:

  •  “What security controls are available to me?”
  •  “Do you adhere to any security standards, such as ISO 27001?”
  •  “How do you manage and test for vulnerabilities and can you provide proof that you do so?”
  •  “Do you have a process to handle security incidents?”

“A vendor committed to security will have implemented a much stronger security environment than a smaller organization could actually afford themselves,” Vitale said.

To contact the reporter on this story: Martin Berman-Gorvine in Washington at

To contact the editor responsible for this story: Tony Harris at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.