Ransomware new threat for HR

Recruitment process can see resumés embedded with malware

The threat of ransomware has been making dramatic headlines of late, as companies are faced with malware that restricts access to a computer or files and demands payment for the restriction to be removed.

Most companies do not publicize successful ransomware attacks, but they are happening, said Al Smith, vice-president of technology at iCIMS in Matawan, N.J., which makes applicant tracking system software.

“Almost every company who has had an experience keeps an incredibly low profile,” he said. “That’s a double-edged sword because by hiding that, it makes it harder to create the awareness.”

It can also be an issue for human resources — especially when it comes to recruitment — as seen recently when a ransomware variant called Petya was found hidden inside a resumé housed on file-hosting company Dropbox.

“The function of HR is to process those documents, so they’re receiving resumés on a regular basis,” said John Shier, senior security advisor at Sophos, a security software and hardware company in Toronto. “The fact that they handle and process documents on a regular basis adds up to a lot of threats.”

“They can’t (assess candidates) without opening those documents and that’s where all the trouble starts.”

And recruiting companies are paid to get resumés to clients quickly.

“They are trying to get that resumé on the desk as fast as possible,” said Doug Kersten, information security manager at iCIMS, which provides recruiting software management systems. “Most of the time, when you get ransomware, it’s from companies that are allowing it through.”

The applicant tracking systems employed by companies usually have good security systems but they are operated by regular people, said Nima Mirpourian, branch manager at Robert Half Technology in Toronto.

“The limitation that ATS provides for recruitment is really the human element.”

A common tactic is sending resumés with malware embedded in Microsoft Word documents. Word typically asks users whether they want to enable active content when they open such a document.

“Most users that are sending in resumés will not have active content; it will not trigger that type of behaviour within Microsoft Word,” said Shier. “If you do open a resumé and you do see that warning that there is active content and there is a macro, that’s probably where you want to step back a little bit and call your IT department and have them have a look at it.”

Because resumés contain personal and private data that must be legally protected by companies, they are a target, said Lysa Myers, security researcher at ESET, an Internet security software company in San Diego.

“There’s a lot of very sensitive information in HR, so they are potentially a more lucrative target and the criminals are entirely aware of that,” she said. “Because (data) in HR can be very time-sensitive, it increases the severity of an attack due to ransomware, because if they are prevented from accessing data in a timely fashion, it’s a lot bigger deal.”

Tips for employers

So, how can companies protect themselves against ransomware?

Scanning documents before they can enter the system is the best first step, said Shier.

“If we can detect that document as being a poisoned document through the initial delivery mechanism, which is email, then we can block it there,” said Shier, who also advocates using a “sandboxing” technique that analyzes incoming documents in a safe environment, not connected to a network.

“If you do use some of the technologies such as an email filter that does have sandboxing technologies, an anti-exploit tool, for a relatively lower cost and overall better benefit, you can leverage across the entire organization, you can be fairly well-protected against this kind of threat,” he said.
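An added example (not from the article or the vendors quoted in it) of the pre-intake check described above: it flags Word resumés that carry active content before a recruiter opens them. The function names and the three verdict strings are hypothetical, and the check only detects that macros are present, not whether they are malicious, so quarantined files still go to IT or a sandbox.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
MACRO_EXTS = (".docm", ".dotm")                  # macro-enabled Word extensions


def triage_resume(filename: str, data: bytes) -> str:
    """Return 'allow', 'quarantine' or 'reject' for an uploaded Word resumé."""
    if filename.lower().endswith(MACRO_EXTS):
        return "quarantine"
    if data.startswith(OLE_MAGIC):
        # Legacy format: macros cannot be ruled out without an OLE parser.
        return "quarantine"
    if not data.startswith(b"PK"):
        # Not a Word container; out of scope here, hand to the regular scanner.
        return "quarantine"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "reject"  # a ZIP, but not an Office Open XML document
            types = zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return "reject"          # truncated or malformed container
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    # A .docm renamed to .docx still declares a macroEnabled content type.
    if has_vba or b"macroEnabled" in types:
        return "quarantine"
    return "allow"


def make_sample_docx(with_macro: bool) -> bytes:
    """Build a constructed, minimal .docx-like ZIP in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes, not real VBA; only the part name matters here.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, macro in (("clean.docx", False), ("macro.docx", True)):
        print(label, "->", triage_resume(label, make_sample_docx(macro)))
```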

Backups are the best way to ensure data is protected should something happen to prevent people from accessing it, said Kersten.

“If HR departments focus on making sure their systems are restorable and the data is properly backed up, I think there is a lot less chance that they will have to even think about paying ransom for the data.”

But backups should be stored offline from the company network and must be regularly tested to make sure they are not corrupted, said Shier.

“Backups are an invaluable tool to make sure that if everything fails, at the end of the day, you have a reliable copy of your data that you can restore.”

Updating all operating systems and software on a regular basis means the threat of a successful attack is lower, said Smith.

“These documents do rely on existing vulnerabilities to exploit; if those vulnerabilities do not exist, it is much more difficult for an exploit to be successful. It is an ongoing struggle,” he said.

“You need to remain current, because it is kind of a whack-a-mole world that we live in.”

By employing as much security as possible, companies are better protected and criminals do not profit, said Myers.

“If there is any way to getting around paying, that is always the better option because that is just inviting more trouble. The best thing you can do with really sensitive data is make sure you have strong authentication, not just password and login, but use multi-factor authentication, encrypt the data itself, and make sure you have good security software, not just on the machine the data is held but on the network.”

Sometimes, the solution to the problem might exist on the Internet. If companies do get infected by ransomware, a Google search might yield a solution.

“In some cases, the ransomware key has been published,” said Kersten. “The first thing you should do is look online and see if that key has been published. If that key hasn’t been published, then you are in a much tougher situation.”

People errors

Despite all of these measures, it is the end user who inadvertently activates an executable malware file that causes the bulk of the security concerns, said Shier.

“The age-old advice of ‘Do not click on links in email’ is so incredibly important to adhere to,” said Shier, who recommends if a worker suspects a link may be legitimate, it’s best to manually type the link into a browser window and to not blindly click on a hyperlink. “Do not open unsolicited attachments.”

The threat is big for any organization, said Faith Tull, senior vice-president of human resources at Randstad in Toronto.

“We remind people not to open unfamiliar emails or resumés that they weren’t expecting: Always be careful opening attachments.”

Regular campaigns are a good way to remind employees of the dangers, she said.

“We have awareness campaigns about security so it’s top of mind for our employees,” said Tull. “We can’t rest on our laurels. The biggest protection is awareness.”

Workers should be educated and reminded that the threat of ransomware and other malware is always present, said Mirpourian.

“A lot of it has to do with prevention through education,” she said. “It’s also creating communication initiatives that will educate the organization at large.”

“You can have the best policies, tools from a security perspective but without the implementation and the understanding from an end-user perspective as to what the potential risks could be, you’re not necessarily preparing yourself for the best-case scenario.”

Computer security training should be done when an employee is first hired, and then reinforced constantly, says Myers.

“We need to be reminded how to do this,” she said, adding some companies conduct a “fire-alarm” test by sending an email that mimics malware, and whoever clicks on it will receive further training.

“(It’s) the idea of preparing people to behave in a way that is useful when they’re in an emergency or when they are not especially thinking really clearly,” said Myers.

The C-suite is ultimately responsible for positioning the company to withstand a security attack, said Mirpourian.

“CIOs need to make sure that they have the right technical tools available to them to protect them from such risks but also communicate the best practices of those tools to ensure they are mitigating the risk of potential ransomware from threatening the organization,” she said.

“As an organization constantly evolves with new individuals coming in to the various groups, there needs to be a constant communications of security best practices from the leadership group.”
