How secure is your organization's job application process?
Many organizations utilize their website, third-party job boards or email to screen prospective employees... but what if we told you Microsoft Word documents and Adobe PDFs could host malware or be weaponized to attack your endpoints? With malware attacks on the rise in 2023 and beyond, investigating how your candidate information is being stored and presented to your HR team is nothing short of critical.
Let's explore the ways in which your HR job application process may be putting your organization's security at risk (and how to strengthen your security posture against it):
Creating a fake name and a resume that contains the requirements for your position is not difficult. Many job boards look for specific keywords matching your needs to gather a list of candidates for you. With this in mind, threat actors can easily utilize this information to target your organization with spyware.
Common spyware includes, but is not limited to:
Keyloggers
Remote desktop monitoring software
And ransomware (in the guise of resumes and cover letters)
In 2023, keyloggers are one of the top malware threats during the job application process: common keyloggers such as Agent Tesla, along with Remote Access Trojans (RATs), can be covertly installed on the victim's computer through what appear to be legitimate Word documents and PDF files. Keylogging (also known as "keyboard capturing") is a technique that lets the attacker record the keys struck on a victim's keyboard without their awareness. The captured data is then retrieved by the attacker and used to compromise the security of the victim's computer and accounts.
Let’s perform a thought experiment to explore the same scenario to exemplify further the magnitude of what can happen if cybersecurity best practices are not applied to human resources:
An unassuming human resources employee works for a large corporation. This employee reviews resumes and cover letters from potential candidates daily. Suppose an attacker, posing as a job candidate, attaches an executable ransomware file disguised as a resume to their application. Microsoft Windows, a commonly used operating system, hides the extension of known file types by default, so a file named resume.doc.exe is displayed to the unsuspecting victim as resume.doc.
Out of habit, the employee is none the wiser and opens the file. Once opened, there is a strong possibility that every single file on the employee's computer would be encrypted and she would no longer have access to it. Ultimately, this sensitive data could be withheld... often for a fee or ransom.
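The double-extension trick above works because the employee is trusting a displayed name. A defensive control is to screen every application attachment by its bytes before it reaches an HR inbox or shared drive. The following is an added example (not code from the original post); the accepted formats, extension list and sample files are assumptions for illustration.

```python
"""Screen candidate attachments by content, not by displayed name.
Added example; resume.doc.exe shows as resume.doc when Windows hides extensions."""
import os

# Leading bytes ("magic") of formats an application process legitimately accepts.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",                          # OOXML is a ZIP container
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # legacy OLE2 compound file
}
EXECUTABLE_MAGIC = b"MZ"  # Windows PE header shared by EXE, DLL and SCR files
# Extensions that are never a resume, whatever the candidate claims (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1", ".lnk"}


def screen_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the attachment passed."""
    findings = []
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    # 1. Double extension: the part the user sees is not the part Windows executes.
    if len(parts) > 2:
        findings.append(f"double extension: {filename}")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    # 2. Final extension is an executable/script type.
    if final_ext in RISKY_EXTENSIONS:
        findings.append(f"risky extension: {final_ext}")
    # 3. Content check: trust the bytes, not the name.
    if data.startswith(EXECUTABLE_MAGIC):
        findings.append("content is a Windows executable (MZ header)")
    elif final_ext in MAGIC and not data.startswith(MAGIC[final_ext]):
        findings.append(f"content does not match {final_ext} signature")
    elif final_ext not in MAGIC:
        findings.append(f"unsupported type for applications: {final_ext or '(none)'}")
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample attachments; returns each file's findings."""
    samples = {
        "resume.doc.exe": b"MZ\x90\x00" + b"\x00" * 16,  # the scenario from the text
        "cv.pdf": b"%PDF-1.7\n%constructed sample\n",    # genuine-looking PDF
        "cv.docx": b"MZ\x90\x00",                        # executable renamed to .docx
    }
    return {name: screen_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```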
Because human resources handles personally identifiable information (PII) for all employees company-wide (including, but not limited to, resumes, SIN numbers, health data, case files, termination letters, and more), the potential damages to an organization's reputation are untold. In 2023, most small-to-large organizations also have a shared drive, which would be equally vulnerable to such an attack.
In 2018, changes to the Digital Privacy Act mandated the disclosure of breaches and may impose fines of up to $100,000. So how can you secure your HR job application process? Well...
Human resources is the first (and last) point of contact for employees, and, as a result, plays a critical part in creating and maintaining all parts of an organization's culture. This extends to cybersecurity culture.
Although IT traditionally created cybersecurity training sessions, HR’s involvement in cybersecurity has (rightfully!) increased over time. One key aspect of this is distributing employee awareness training: information given to new employees about how to upkeep cyber hygiene throughout their day-to-day tasks, manuals on how employees can counteract common cyber risk scenarios, and input on how to handle password change frequencies and phishing tactics are all valuable resources that all departments should have a hand in delivering.
Basic training topics to include are:
Best practices for password security
How to handle the integration of new technology
Incident response and recovery plans
And best practices for bring-your-own-device
How secure is your organization's job application process? Phishing attacks were the number one cybercrime targeting HR and HR-adjacent departments in 2022, with 300,497 complaints reported; total losses due to these types of cyberattacks exceeded $10.3 billion... and are showing no signs of slowing.
The best time to invest in strengthening your HR job application process's security posture was yesterday. The next best time is now. Contact our team today or sign up for our free newsletter to learn more about how to get started.