For those working in the world of HR management, “malware,” “ransomware,” “exploits,” and “phishing” have become nightmares as nearly all employee data – including sensitive personal information protected by HIPAA – are now stored online in multiple systems. Viruses and worms, first created for mischief, have evolved into opportunities for real criminals to make big money by kidnapping sensitive data.
Identity theft, where thieves would find enough personal information to make purchases or obtain credit in someone else’s name, was a small-dollar and risky crime. Criminals were relatively easy to track down and arrest, and a counter-industry of ID theft insurance to restore compromised personal identities has flourished. Today, ransomware is a far better way of extorting huge sums of money in a single transaction. By encrypting sensitive data belonging to a healthcare provider, benefits administrator, or similar institution, criminals can demand huge ransoms – an electronic version of kidnapping.
This illegal activity has grown into a successful distributed industry, conducted by “ransomware gangs.” Recent disclosures of internal emails tell us that these gangs, based primarily in countries with a reputation for being lax on cybercrime, operate as if they were legitimate businesses. According to the 2022 FBI Internet Crime Report, of the 870 ransomware attacks reported in 2022, the largest group, 210, were directed against healthcare and public health organizations.
How gangs break into your network
Faced with such threats, HR teams need to take active measures to prevent the gangs from gaining initial access. Defensive security concentrates on defeating criminals who work extremely hard to discover passwords and unprotected systems in order to gain network access.
Here are some of the many techniques they use against organizations:
Phishing – It is easy to craft emails that look like they come from a health provider or insurance plan and ask employees to enter their user ID and password. This is the most common way initial access gangs break into corporate networks.
Password guessing – Using lists of thousands of the most popular passwords and a list of user IDs or employee numbers, automated scripts try various IDs and passwords to log into your websites. If your team members use common or popular passwords, your organization could be at risk.
Credential stuffing – Using lists of user IDs and passwords disclosed in past breaches, criminals take your employees’ user IDs or email addresses and try those old passwords at the site they are attacking. If an employee reuses the same password across multiple sites, there is a chance they will get in.
Multi-factor authentication (MFA) fatigue – Many systems these days are protected by MFA, requiring an authentication app on a phone in addition to knowing the user ID and password. If the initial access gang discovers an employee ID and a working password, they may trigger a non-stop stream of MFA approval prompts on that employee’s phone. People sometimes approve these without giving it much thought, just to make the prompts stop.
Social media scraping – If the gangs identify someone as a target, they will go to social media to find personal details. Challenge questions are especially susceptible to this sort of attack. Remember, any information related to an employee that has ever escaped into the dark web will remain there, stored in databases used by hackers until the end of time.
How to protect yourself and your organization
The criminals are very formidable, and the critical place to defeat them is at the “initial access” stage. If they cannot readily find a way to log in to your network, they will quickly move on to another potential victim. While having robust technology, firewalls, professional email protection, and up-to-date anti-malware is very important, employee education is far more important. An employee who unwittingly exposes their ID and password can defeat even the most “state of the art” technical security controls in seconds!
Here is what you need to do:
- Train employees to be highly skeptical of links in incoming emails, and conduct periodic phishing tests.
- Stress that passwords must be complex and uncommon – provide password managers for handling large numbers of passwords.
- Educate employees to pay attention to breaches and exposures from the past, and always change passwords if any doubt about exposure comes up.
- Train employees to report any suspicious or unusual activity connected to MFA.
- Educate employees that anything put on social media is liable to become public knowledge and cannot be relied upon for any security or privacy purposes.
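The password guessing, credential stuffing and MFA-fatigue techniques described above, and the checklist point about reporting unusual MFA activity, all leave a recognizable trail in authentication logs. As an added example that is not part of the original article, the Python below runs two simple detections over a constructed log: one source failing logins across many different accounts, and one user receiving a burst of MFA prompts in a short window. The log format, event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample authentication log (not real data): time event user source
SAMPLE_LOG = """\
2024-03-01T08:00:01 LOGIN_FAIL alice 203.0.113.9
2024-03-01T08:00:02 LOGIN_FAIL bob 203.0.113.9
2024-03-01T08:00:03 LOGIN_FAIL carol 203.0.113.9
2024-03-01T08:00:04 LOGIN_FAIL dave 203.0.113.9
2024-03-01T08:00:05 LOGIN_OK frank 203.0.113.9
2024-03-01T08:30:00 LOGIN_FAIL grace 198.51.100.7
2024-03-01T09:10:00 MFA_PUSH frank 203.0.113.9
2024-03-01T09:10:20 MFA_PUSH frank 203.0.113.9
2024-03-01T09:10:45 MFA_PUSH frank 203.0.113.9
2024-03-01T09:11:10 MFA_PUSH frank 203.0.113.9
2024-03-01T09:11:25 MFA_APPROVED frank 203.0.113.9
2024-03-01T10:00:00 MFA_PUSH grace 198.51.100.7
"""
def parse(log_text):
    """Split each non-empty line into (timestamp, event, user, source)."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            ts, event, user, source = line.split()
            records.append((datetime.fromisoformat(ts), event, user, source))
    return records

def spray_sources(records, min_users=4):
    """Sources whose failed logins touch at least min_users distinct accounts:
    guessing and stuffing walk a user list, so the tell is breadth, not depth."""
    failed = defaultdict(set)
    for _, event, user, source in records:
        if event == "LOGIN_FAIL":
            failed[source].add(user)
    return sorted(s for s, users in failed.items() if len(users) >= min_users)

def mfa_fatigue_users(records, max_pushes=3, window_seconds=120):
    """Users sent more than max_pushes MFA prompts within any window_seconds
    span: the footprint of a push flood aimed at wearing the employee down."""
    pushes = defaultdict(list)
    for ts, event, user, _ in records:
        if event == "MFA_PUSH":
            pushes[user].append(ts)
    flagged = set()
    for user, times in pushes.items():
        times.sort()
        start = 0  # left edge of the sliding window over this user's prompts
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_pushes:
                flagged.add(user)
    return sorted(flagged)
```

On the sample log the spray check flags only the source that failed against four different accounts, and the MFA check flags only the user who received four prompts inside 120 seconds.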
Conclusion
HR teams need to be proactive and not reactive. Overprepare and use all tools at your disposal to secure your employees’ personal and healthcare information. As Lincoln once said, “give me six hours to chop down a tree, I will spend the first four sharpening my axe.”