How Next-Gen Technology Can Keep HR Data Safe

In 2018, the FBI reported receiving 350,000 complaints of internet crimes, a rise of 23 percent over five years. With internet crime increasing, HR departments are turning to security approaches powered by artificial intelligence (AI). Read this blog post to learn more about how artificial intelligence is helping companies with cybersecurity.


As hackers grow ever-more inventive and data privacy laws are enacted around the globe, HR leaders are faced with the challenge of protecting and storing sensitive HR data but not curtailing employees' ability to use that data to make timely workforce decisions.

But there may not be enough cybersecurity colleagues to call upon for advice and technical assistance, which compounds those challenges. Approximately 65 percent of companies reported a cybersecurity staff shortage last year, according to the 2019 Cybersecurity Workforce Study conducted by (ISC)2, an international nonprofit association for IT professionals. As a result, more companies are turning to security strategies that don't require human intervention, such as cybersecurity powered by artificial intelligence (AI) that can proactively monitor and neutralize new kinds of cyberthreats.

New Strategies for More-Sophisticated Attacks

Research suggests that concerns over data security are occupying more of HR leaders' time and resources. The 2019-2020 Sierra-Cedar HR Systems Survey found a 17 percent increase from the prior year's survey in the number of respondents deploying cybersecurity strategies, with 70 percent of HR organizations reporting they have and regularly update such a strategy. That's good news, because the FBI reported receiving 350,000 complaints of Internet crimes in 2018, a rise of 23 percent over five years. Those crimes caused an estimated $2.7 billion in financial losses.

Security experts say the loss of sensitive data like payroll information, Social Security numbers and notes from internal investigations or employee assessments has implications far beyond the HR department.

"When HR systems are breached, it goes beyond the personal data stolen, because HR is central to so many processes across the organization," said Corey Williams, vice president of marketing and strategy at Idaptive, a cybersecurity firm in Santa Clara, Calif. "HR systems are the starting point for much of the access employees have throughout the organization. HR data doesn't sit on an island like other data, and when you have vulnerabilities at the HR level, you're exposing the entire enterprise to wider attacks."

AI-powered security tools represent a new approach to combating threats to HR data. While not a cure-all, these technologies can protect against malicious attacks driven by automated malware and have capabilities, such as pattern recognition, that can identify suspicious behavior and block potential problems or threatening online traffic in real time.

To protect against insider threats, whether malicious or from workers not following sound security practices, some AI-based cybersecurity tools can be trained to learn employees' behaviors when using corporate networks. Research shows that such threats are a growing problem. Insiders caused 48 percent of reported data breaches in organizations in 2019, according to a recent benchmark study from Cambridge, Mass.-based Forrester Research, up from 26 percent of total data breaches in 2015.

More companies are adopting "zero trust" policies that feature a "never trust, always verify" approach to network access or identity authentication and employ tools like multifactor authentication (MFA). MFA is a way to confirm user identities through at least two different factors. In the last year, according to the Sierra-Cedar survey, large organizations increased their use of MFA by 20 percent, and approximately 55 percent of small organizations reported using MFA for HR applications.

Williams said stolen or weak user credentials are still the top cause of data breaches in organizations. "We've seen growing sophistication in the way passwords and credentials get stolen," Williams said. "That includes malware, hackers writing more convincing phishing e-mails that get employees to click on harmful links and other approaches. Companies have found that depending on passwords alone for access is becoming untenable."

Balancing Security with the User Experience

HR leaders have to strike a balance between taking the right data-security measures and ensuring employees can still use HR networks and software in efficient and user-friendly ways—a balance that ideally won't make the workforce feel excessively monitored or handcuffed when using technology.

"Security is often viewed as a teeter-totter, where you are either increasing data security or you are improving the user experience with technology," Williams said. "But it doesn't have to be an either-or scenario."

For example, employees who typically access the same corporate networks or applications in the same fashion likely don't need additional security oversight, but someone accessing that same system from a country he's never been to before and with a different device would need more controls.

"We're seeing more innovation in applying security tools to separate high-risk from low-risk system access," Williams said.
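The high-risk/low-risk split described above can be expressed as a small risk engine that compares each sign-in with the user's own history of countries and devices and asks for MFA step-up only when something is new. This is an added illustration, not code from the article or from Idaptive; the score weights, the alert threshold and the idea that a sign-in joins the baseline only after it has been verified are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SignIn:
    user: str
    country: str      # assumed already resolved, e.g. from IP geolocation
    device_id: str    # assumed stable identifier, e.g. a registered device cert

@dataclass
class Decision:
    score: int
    require_mfa: bool
    alert_security: bool
    reasons: list = field(default_factory=list)

class RiskEngine:
    """Separates routine sign-ins from unusual ones using only what the user
    has done before. Hypothetical illustration; the weights are assumptions."""
    NEW_COUNTRY, NEW_DEVICE, UNKNOWN_USER = 2, 1, 3
    ALERT_THRESHOLD = 3   # both factors new, or no history at all -> alert

    def __init__(self):
        self._seen = {}   # user -> {"countries": set(), "devices": set()}

    def evaluate(self, s):
        seen = self._seen.get(s.user)
        reasons, score = [], 0
        if seen is None:
            score += self.UNKNOWN_USER
            reasons.append("no sign-in history for user")
        else:
            if s.country not in seen["countries"]:
                score += self.NEW_COUNTRY
                reasons.append(f"first sign-in from {s.country}")
            if s.device_id not in seen["devices"]:
                score += self.NEW_DEVICE
                reasons.append(f"unrecognised device {s.device_id}")
        # Same country and same device as before: score 0, no extra friction.
        return Decision(score, require_mfa=score > 0,
                        alert_security=score >= self.ALERT_THRESHOLD, reasons=reasons)

    def confirm(self, s):
        """Add a sign-in to the baseline only after it was verified (MFA passed);
        learning it beforehand would make an attacker's location 'normal'."""
        seen = self._seen.setdefault(s.user, {"countries": set(), "devices": set()})
        seen["countries"].add(s.country)
        seen["devices"].add(s.device_id)
```

A user signing in from the same country on the same device gets a score of 0 and no prompt; a new country on a new device reaches the alert threshold and should both step up MFA and notify security.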

HR leaders also can help enhance security by encouraging their companies to re-evaluate user access policies, experts say. "As people work for a long time in companies, they tend to accumulate access to systems, and that access doesn't necessarily get taken away as they move up or around a company," Williams said. "Employees are often 'over-provisioned' in terms of their access to sensitive data in systems, which can create increased vulnerability for companies." Automated processes tied to the life cycle management of employees can ensure system access is changed or removed as people change roles in a company, he said.

James Graham-Cumming, chief technology officer for Cloudflare, a cybersecurity company in San Francisco, said being more judicious in granting data access is a wise but sometimes overlooked security strategy. "It's not uncommon for CEOs or other senior leaders in a company to have access to all or most corporate systems because they simply feel a need for that access," Graham-Cumming said. "Yet these are more-visible or even public figures who are often targets for hacking. The reality is your C-suite or vice presidents may not need access to all of your systems."

Managing Vendor Risk

Data security and privacy threats can grow as HR functions add more technology platforms to their ecosystems and create more integrations with third-party providers. A recent study by research and advisory firm Gartner found that because human capital management systems are built to integrate with many third-party services, such as LinkedIn, those integrations can expose organizations to risk through "misconfigurations" that result in unintentional data leakage. Depending on the level of integration, security problems in vendor systems can open the door for attackers, the Gartner study found, as was the case with the retailer Target in 2014.

Security experts say HR leaders should ensure vendors have best-practice data security and privacy protocols in place, such as MFA, in addition to passing an external Service Organization Control (SOC) 2 audit, which confirms they comply with recommended practices for data security, processing integrity, privacy and more.

Jared Lucas, chief people officer with the cybersecurity firm MobileIron in San Francisco, said security-related employee training also is more important than ever as malware grows more sophisticated, phishing attacks increase and bad actors use AI-powered methods to hack corporate systems.

"Effective, regularly updated training in what to look for and what to be wary of can close a lot of holes in a company's data security strategy," Lucas said.

SOURCE: Zielinski, D. (10 February 2020) "How Next-Gen Technology Can Keep HR Data Safe" (Web Blog Post). Retrieved from https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/next-gen-technology-can-keep-hr-data-safe.aspx


4 FAQs about W-2 business email compromise attacks during tax season

Has your business been a victim of tax season cyber attacks? The most popular time of the year for W-2 related cyber attacks is during tax season. Read this blog post to learn more.


The most likely cyber attack a company will face will come in the form of an email. One of the most common forms of email attack is the business email compromise (BEC), and the most popular time of the year for the W-2 version of BEC is right now — tax season.

A BEC attack involves attackers sending emails disguised as coming from high-level executives within a company, such as the CEO, to lower-level personnel. During tax season, the spoofed email will often request that W-2s for employees be provided by return email.

While the email looks identical to the executive’s email, it is coming from — and then returned to — the criminal, not the executive, along with the W-2s and the personal information associated with the documents.
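The mechanics just described (an executive's name on a mailbox the company does not own, replies routed back to the criminal, and a request for W-2s by return email) are exactly what a mail gateway or a payroll inbox rule can check for. The following detection is an added example, not code from the article or its author; the company domain, the executive directory and the sample message are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions (constructed for this example): the company's mail domain and
# a directory of executive display names -> their real addresses.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_DIRECTORY = {"jane doe": "jane.doe@example.com"}
SENSITIVE_TERMS = ("w-2", "w2", "wire transfer", "payroll")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    # 1. An executive's display name on an address the directory does not know
    #    (the "looks identical" spoof: the name is right, the mailbox is not).
    expected = EXECUTIVE_DIRECTORY.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"executive name '{from_name}' used with {from_addr}")
    # 2. Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")
    # 3. A request for W-2 / payroll / wire data arriving from outside the company.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if from_domain != CORPORATE_DOMAIN and any(t in text for t in SENSITIVE_TERMS):
        findings.append("external sender requesting sensitive HR/finance data")
    return findings

# Constructed sample, not a real message: right name, look-alike domain,
# Reply-To elsewhere, and a W-2 request by return email.
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@examp1e.invalid>
Reply-To: jane.ceo@freemail.invalid
To: payroll@example.com
Subject: Urgent: W-2 copies needed

Please send me the W-2s for all employees by return email today.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_PHISH):
        print("BEC indicator:", finding)
```

The same message from the executive's real address with no Reply-To produces no findings, which is the point: the checks key on the mismatch between the name people trust and the mailbox that will actually receive the W-2s.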

If an employee falls for the scam, the company has experienced a serious data breach and must comply with certain legal requirements. Worse yet, the company's employees' sensitive personal information has been handed to the attackers, and those employees now have that problem to deal with instead of performing their jobs. The disruption is substantial both in their personal lives and for the company's operations.

How do attackers use W-2 information?

In most cases, once the attackers have that W-2 information, they use it to attempt to file fraudulent tax returns for those employees and have their tax refunds sent to them instead of the employee. They also use it for traditional identity theft.

The attackers act very quickly once the information is obtained. In some cases, they have begun to fraudulently use the information on the same day they obtained the W-2 information from the company. Time is truly of the essence in responding to these attacks and legal assistance is necessary for properly responding to these data breach events.

Why do so many attacks happen during tax season?

Law enforcement officers and cybersecurity professionals report a drastic increase in these types of attacks during the beginning of each year because of tax season. This is consistent with what we have seen in helping companies with these cases in past years as well. This type of attack is so common during tax season because of its tax-fraud aspect: the attackers monetize their attacks by using the fraudulently obtained information to file fraudulent tax returns and obtain refunds from innocent victims.

And the sooner they can do this, the better their chances are of getting the refund before the taxpayer files and receives their tax refund.

If a company has not yet been targeted, it is likely that it will be very soon, so it is important to be prepared.

What can you do to protect your company?

Educating employees is critical because they will be the ones who receive the emails from the attackers.

  • Make them aware of this issue by sharing the information in this article with them so that they understand the threat, how it works and how it could affect them personally.
  • Train them by having appropriate personnel discuss this threat with them and help them understand that they should be very suspicious of any requests to email out anything of this nature (or make payments, such as with the very similar wire transfer version of the BEC).

Have appropriate internal controls in place to protect against these types of attacks. These controls can include:

  • Limit who has access to your company’s W-2s and other sensitive information as well as who has the authority to submit or approve wire payments.
  • Have established procedures in place for sending W-2 information or other sensitive information as well as for submitting or approving wire payments so that dual approvals are required for these activities.
  • Require employees to use an alternative means of confirming the identity of the person making the request. If the request is by email, the employee should talk to the requestor in person or call and speak to the requestor using a known telephone number to get verbal confirmation. If the request is by telephone or fax (many times they are), then confirm by email using an address known to be correct for the purported requestor. Never reply to one of these emails or call using a telephone number that is provided in one of these emails, faxes or telephone calls.

What to do if your company is hit by an attack

  • Immediately contact experienced legal counsel who understands how to guide a company through these incidents and, ideally, has appropriate contacts with law enforcement and the IRS to assist in reporting this incident quickly.
  • Report the incident to the FBI or Secret Service and appropriate IRS investigators so that the IRS can implement appropriate procedures to protect the employees whose information was exposed in the W-2s.
  • Prepare appropriate notifications to the people whose information was exposed and comply with all legal and regulatory reporting requirements. This should be a part of an existing incident response plan. Companies should have such a procedure in place to be better prepared if and when a security breach occurs.
  • Inform employees that the IRS will never contact them directly, for the first time, via email, telephone, text message, social media or any way other than through a written “snail mail” letter.

SOURCE: Tuma, S. (19 February 2019) "4 FAQs about W-2 business email compromise attacks during tax season" (Web Blog Post). Retrieved from https://www.benefitspro.com/2019/02/19/4-faqs-about-w-2-business-email-compromise-attacks-during-tax-season/