As calls for peace sound from every corner of the globe, the Russo-Ukrainian War continues. The conflict embodies several fronts, not the least of which is cyber warfare.
Even in the days preceding Russia's Feb. 24 invasion, U.S. authorities said they had linked a spate of distributed denial-of-service attacks to Russia's government, according to Cybersecurity Dive. Later, observers began detecting a series of destructive malware on Ukrainian machines.
Federal officials have been sounding the cybersecurity alarm for months. In late January, the Cybersecurity & Infrastructure Security Agency, an arm of the U.S. Department of Homeland Security, warned organizations that both private and public entities in Ukraine had suffered cyber incidents resulting in "severe harm to critical functions." CISA advised all organizations to take a series of steps to reduce, detect and prepare for potential cyber attacks.
Officials reiterated those concerns in February, warning of the potential for asymmetric cyberattacks against the private sector and critical industry partners. And on the day of Russia's invasion, President Joe Biden said in a speech that should Russia pursue cyberattacks against U.S. companies and critical infrastructure, "we are prepared to respond."
The conflict is still in its early stages, which may complicate employers' responses, said Marcus Christian, partner in law firm Mayer Brown's cybersecurity and data privacy practice. But a good place to start may be to ensure a baseline level of preparedness.
"Not every company had optimized cybersecurity before we had the Russian attack on Ukraine," Christian told HR Dive in an interview. HR leaders, he continued, should confirm whether teams have implemented measures like multi-factor authentication, which is "often at the top of the list of measures that companies implement after they've been attacked."
Employers might have response plans that designate the persons responsible for carrying out incident response, Christian said. Employees should be aware of basic precautions, such as using strong passwords for both personal and work accounts, and receive training to report mistakes when they do occur.
Broad-based cyber preparedness has its place, but HR teams also may want to communicate to employees the importance of remaining vigilant about everything they read, hear or see about the conflict online. According to Zach Eikenberry, co-founder and CEO of training software company Hook Security, cybersecurity professionals are beginning to see an uptick in the intention distribution of disinformation about events in Ukraine.
"When you see something shocking, when you see something that's too good to be true, take a moment, slow down," Eikenberry said. "Where is this source? What is their source? If a media report is quoting Twitter, slow down a second — where is that source? How are they getting that information?"
It can be important for employers to emphasize to employees the need for care in reacting to information they see, and to be discerning of sources, he continued, given that adversaries in a conflict may seek to spread disinformation and propaganda.
Phishing activities also may attempt to leverage current events to lure workers, Luke McNamara, principal analyst at cybersecurity firm Mandiant, said in an email. That could be part of the messaging HR and security teams push out to workers over the coming weeks.
However, the same lessons hold true for employers themselves. "HR professionals – especially for those in talent acquisition and recruitment roles – are often in the crosshairs of cyber criminals and nation-state intrusion groups," McNamara said. "It is not uncommon to see fabricated resume lures utilized for spearphishing HR personnel, giving the actor a way to get their foot in the door and then move laterally to other parts of the organization's network."
Employers might also consider making a statement or donating to causes related to the Ukraine crisis. Eikenberry advised such organizations to work only with previously known, reputable organizations and avoid responding to charitable inquiries that come through via email, direct messages or social media platforms.
Large employers and those with outsized brand presence are particularly at risk of unintentionally spreading misinformation or propaganda, Eikenberry said; "That's a very hard thing for employers to try to navigate — shoot, it's hard for society at large to try to navigate."