Monday, May 7, 2012

Hackers Targeting Human Resources (HR) Departments

The Malicious Hacker's Ever-Sharper Eye (Tech News World)

Number one on Georgetown University's Information Security Office list of the most dangerous things you can do online is opening attachments from unknown senders, which is pretty much a job requirement for many HR staff. Hackers, being the clever lot they are, are seizing on this by targeting HR staff with attachments that deliver malicious software.

This development should keep HR executives and corporate officers awake at night.

As this earlier post about privacy, HR and biometrics discusses...

Employers record an employee's:
Legal name
Home address
Government-issued tax ID number
Salary and other income information
Performance Reviews and Disciplinary Records

An employer that provides health benefits may also have private information related to the employee's:
Children
Spouse
Sexual identity
Certain medical conditions
Drug and Alcohol counseling

When paychecks are deposited directly to employee bank accounts, the employer also has bank account information.

Employers already have extremely sensitive information that, in the wrong hands, can be used for identity theft, harassment, discrimination and any number of other abuses...

Those who have concerns about the quantity and nature of the personal information maintained by employers might find a privacy ally in biometrics: employers can require biometric verification of HR staff as a prerequisite to accessing records containing sensitive personal information.

We have repeatedly suggested (see this) that biometric verification of IT staff with Administrator access to data is a very good idea. Given HR staff's increased risk of being hacked and the type of data they manage, conditioning their access to employee records upon biometric verification is equally important.

Large organization administrators losing control of customer information is bad. Losing control of detailed employee records is awful. I pity the management team that has to manage both crises simultaneously.

If you'd like to protect your organization against this risk, please consider giving SecurLinx a call. We can help.