I've been on the phone for a few moments when an email appears in my inbox that is apparently from me.
It's convincing. Gmail marks that the person who has sent it is "me," which is correct, and it has my correct email address as the sender. It otherwise looks like an email I would send myself, except one problem: I never sent this email.
Within minutes of talking to Stu Sjouwerman, founder of KnowBe4.com, he has 'spoofed' me — sent an email that appears to be from one person but is actually from a completely separate third-party out to trick recipients into clicking on bad links for nefarious purposes, like stealing data or extorting a company. (Luckily, his email is titled 'spoof test,' and has no questionable links within it.)
While the shift to digital has enabled HR and the business world to do more good, generally, it's created a powerfully bad conundrum for employers. More digital access to company resources improves flexibility and innovation — but spoofing is just one scarily simple way for hackers and other malcontents to obtain access as more and more systems go completely digital. If one employee clicks on a bad link from a convincing email, an employer could spend three to four days "in the stone age," without access to their systems — or computers.
HR doesn't normally have to deal with IT issues. But who manages what, when people are the problem with technology?
That's why many experts are saying HR may need to step up — and why more HR spaces are talking about it (like in yesterday's SHRM #nextchat).
The common errors to protect against
Spoofing and its various cousins are wicked for a reason.
"I could have gone into LinkedIn, found your managing editor, and sent you an email that looks like it was from them with a link that says 'check and correct,' " Sjouwerman said. "That would give you pause."
He's not wrong. Spoofing is dangerous because it can trick even the most careful and hygienic of digital denizens, and many other recent hacker tricks are just as subtle, he noted. Anyone could click on a bad link or a poisoned ad on a website, resulting in "much heartache and lost time and money."
HR needs to be especially wary, as W-2 and tax information is a favorite target amongst hackers, Sjouwerman said.
"W-2s are gold to those people, and if they can spoof an email to look like it is sent from the CEO, someone could lose their job for falling for a trick like that," he added.
Spoofing can lead to infection with ransomware, one of the biggest problems facing companies right now. Ransomware will infect a computer after an employee clicks on a bad link or downloads an infected file, and will then encrypt a company's files. The hacker will claim not to release the data — often business-critical data — until the company has paid an appropriate amount of money in bitcoin, which is notoriously untrackable.
Another big risk right now is CEO fraud, which essentially tricks employees into thinking the CEO is requesting data. W-2 attacks and fraudulent wire transfers are all similar hacker tricks, and many of them use spoofing or a similar tactic to obtain their goals.
Why employers aren't aware
Do employers just … not know that these can be problems?
"They don't," Sjouwerman said. "It is well-known that the user is the weak-link in IT security, but it has not yet quite penetrated that you really need to train employees to apply their knowledge on a day-to-day basis."
When the crux of the problem is poor training, the issue enters a grey space, as IT is usually seen as responsible for tech crises. It doesn't help that many employers enter a "false sense of security" that since nothing bad has happened to their organization, nothing ever will, said Francis Li, VP of Information Technology at Softchoice.
"They don't see the urgency in protecting themselves from cyberattacks or data loss, and only act once the sky has already fallen," he added.
Some of this comes down to a simple fact: True cybersecurity can be seen as somewhat onerous. While most have heard the advice not to use the same password for everything or not to store passwords anywhere that other people could see or not to download any apps on work computers or devices without telling IT, real life occasionally gets in the way. More simply: people are stubborn.
"It's in our nature to want to take the path of least resistance," Li said. "It's up to HR and IT to help employees see the risks involved in these bad habits, and show them the productivity benefits of doing things the right way."
Michael Overly, partner at Foley & Lardner, offered a checklist for employers to follow when considering cybersecurity policies.
- Know your data and where it resides. How do people create, access and destroy data? Keep proprietary data encrypted or secured. Determine which media is removable and if that's allowed. If allowed, keep it encrypted and then properly erased to ensure attackers can’t retrieve it. And don't use mobile storage devices, like CDs or USB drives.
- Monitor. Keep track of network activity and review any behavior that looks out of the norm, like a user that normally works days logging on in the middle of the night.
- Keep track of third parties, including vendors and consultants. Third-party users should not be able to access systems without explicit supervision. This is especially true for any service providers accessing personal devices to repair them, etc.
- Only allow authorized software. Don't download anything unapproved from the internet, and never install remote access or encryption software without "express approval" of security personnel. Always check the source of downloaded software — hackers can "create fake websites and even 'hijack' visitors from official sites where applications can be downloaded."
- Exercise great caution with social media and public email (like Gmail, Microsoft, etc.). Be careful what you send, think before you submit to outside websites, and be wary of any services that record your communications or allow the posting of pictures and videos. Simply: Be mindful.
How to implement training that works
Training on cybersecurity has required a bit of a makeover in recent years, Sjouwerman noted. Old awareness trainings based on PowerPoint slides and "keeping employees awake with coffee and donuts" is not enough.
"That is the awareness training of yesteryear which isn't effective today," he added. "If you don't take reasonable measures, you are falling down in protecting the network the way you should."
One way KnowBe4 and other firms train employees is by doing simulated phishing attacks on employee populations and seeing the percentage of people who click. The numbers tend to be "dangerously high," Sjouwerman said. But more importantly, it makes the training part of the program immediately more personable. Employees who partake in the program often ask about how they can share what they have learned with their families, Sjouwerman said.
That said, training employees on how to sensibly use technology and avoid traps is a team effort.
"When it comes to technology, the responsibility for proper training cannot solely be placed on HR," Li said. "You need to have a strong marriage between HR and IT to develop the training and engage employees together."
Interestingly, millennials may be partly to blame for some growing cybersecurity issues. Millennials tend to be more comfortable with cloud apps and modern tech, which ironically means they are more likely to "go rogue" and download unapproved apps for work outside of IT's overview. It all comes down to understanding why employees act the way they do concerning technology and, in turn, helping employees understand why their behavior matters.
"A big part of it is making sure employees feel like they're given a choice in terms of the apps and tools they use, but to also help them understand the proper ways to go about using them," Li said.