Retail brokerage Robinhood was on a tear in 2021. Buoyed by a surging stock market and torrents of cash from the #WallStreetBets meme investing crowd, the young financial firm was building a reputation as an insurgent, gamified competitor to comparatively sleepy brokerages like TD Ameritrade and Charles Schwab, outfits that young day-traders more often associated with their parents or grandparents. To the casual observer, Robinhood was a fintech company on the rise.
Then, on Nov. 3, 2021, the company was hacked. It wasn’t the first time. In October 2020, some 2,000 accounts had been compromised and funds stolen. And although the 2021 attack did not target user funds, it was on a far greater scale. Personal information for some 7 million customers—email addresses for most of them and full names for a subset—was exposed. The attackers also got the phone numbers of a few thousand customers. Worse still, 310 customers had even more personal information, things like dates of birth and zip codes, jeopardized, while an unfortunate 10 had “more extensive account details revealed,” said Robinhood.
The hacker, according to the firm, had gained access to user data not through some kind of sophisticated tech wizardry but by socially engineering “a customer support employee by phone,” allowing them to “obtain access to certain customer support systems.” The attack also underlined a hard fact of modern business: Employees are often the weakest link, meaning that Human Resources, not IT, is the first line of defense against cybercriminals.
“Human resources professionals have responsibility for the overall wellness of the entire company,” including in terms of cybersecurity, says Chris Pierson, founder and CEO of concierge cybersecurity firm Blackcloak. “This means the board and the executive team, the employees, and beyond that, those significant others and family members that are part of their employees’ teams.” In the wake of far-reaching cyberattacks such as the 2020 SolarWinds hack, boards of directors are treating cybersecurity as a serious operational and reputational risk.
Getting it right is a requirement for companies today. “Technical attacks and breaches are happening, but humans are still the weakest link, and humans are still the target,” says Austin Berglas, global head of professional services at cybersecurity firm BlueVoyant. “You can have the largest budget in the world for cybersecurity, but if your employees are untrained and susceptible to these types of social engineering, that’s all hackers need. Legitimate access.”
The Defensive Line
For many years, cybersecurity was treated as something the IT department handled, just as HR was thought of primarily as a department that wrote policies and administered benefits. Both modes of operation have changed. “While the IT department and security department can put the controls in place to help protect the organization or build those walls around the company to protect their brand, reputation and assets, it’s really the executives who push down and make sure that security is woven into the culture of the organization,” says Berglas. Chief human resources officers, as the keepers of corporate culture, are often on the front lines of this effort. “The CHRO has a huge ability to influence employees from the get-go with recruiting, onboarding, making sure that proper due-diligence and background checks are there.”
Unfortunately, cybersecurity is and will remain a constant challenge for companies, because attackers are always looking for new ways in. The Covid-19 pandemic has made protecting the company harder still. In a context where “companies have now expanded and are pushing employees out of the office and everybody’s remote,” a shift that has persisted as a concession to tight labor markets, “the attack surface has increased,” Berglas says. Previously, most employees came into the office five days a week, a protected brick-and-mortar location, and companies could concentrate their security efforts on a contained corporate network. Now employees log in from home or other remote locations, often from a variety of devices ranging from laptops to phones to tablets. Complicating things further, these are frequently employees’ own devices rather than the company-issued phones and desktop computers that were de rigueur in many workplaces just a few years ago. “There’s a lot of unmanaged devices out there, and that adds to the attack surface,” Berglas says. “There are many more opportunities for the bad guys to compromise a company,” particularly while companies are still working out their Bring-Your-Own-Device policies.
Not only are CHROs responsible for protecting the company from cyberattacks, but HR is also one of the functions most targeted by cybercriminals. CHROs and human resources staff in general have access to all kinds of sensitive data, including tax records, employee Social Security numbers, background checks, medical records and all manner of information about the structure and functioning of the company itself. “That’s the keys to the kingdom in terms of the individual privacy of our staff,” says Emily Dickens, chief of staff and head of government affairs for the Society for Human Resource Management (SHRM).
“If you can send a fake email to the chief human resources officer and compromise that account, think about all of the things that that CHRO has access to inside of an organization,” Berglas says. “That’s a goldmine.”
When attacks do occur, the entire C-Suite typically needs to be involved in the response, and the CHRO is often a key player. “It’s critical for the CHRO to make sure they have simple things like contact information for employees if there’s a crisis,” says Dickens, who was previously interim CHRO at SHRM. Breaches should be treated as opportunities to educate employees, review security procedures and policies, and emphasize why cybersecurity matters.
In the aftermath of an attack, an all-hands meeting can be a useful way to emphasize the importance of cybersecurity and an opportunity to talk about how it impacts the business. If it’s a publicly traded company, it may be worth discussing the impact on the stock. “Use that meeting to actually paint a picture of what happens to the business,” says Dickens. “The day before the breach, this was our stock value. The day after it was this,” and merit pay and bonuses could be affected as a result. Beyond the financial and reputational costs, Pierson adds, are the lost time and focus of executives and key employees who are dealing with the fallout rather than focusing on core business activities.
Dickens cautions that the crisis response and ongoing training should not create a culture of fear, but rather emphasize that good cybersecurity practices are key to preserving the bottom line. In situations where an employee was socially engineered as part of an attack, CHROs need “to be more empathetic,” according to Dickens. “They were trying to do their job, and we’re all human. We all make mistakes. So let’s not hang that person out to dry.” Instead, HR and management need to figure out how to get that employee—if they’re generally a good employee—back in the game. “A year later, you want them saying things could have gone so far left, but this organization stuck by me…and they gave me additional tools to handle this situation,” says Dickens.
Fortify the Company
Thankfully, there are concrete steps that CHROs can take to protect their companies.
• Control information access: HR employees have access to huge amounts of sensitive information as part of doing their job, which makes them targets ripe for exploitation. “CHROs must protect their organization by making sure that people in the org have access only to the information necessary for their job. It’s called ‘least privilege’ in the cybersecurity world,” says Berglas. CHROs need to make sure that employees in general—and especially those in the HR function—have access only to the specific information they need to do their jobs. That way, if attackers compromise an account, they gain access to only a slice of the company’s valuable data, and the damage is contained to what that one account could reach. Under least privilege, hackers “have to do more work to get other things in the organization.”
• Incorporate cybersecurity practices into onboarding: Onboarding and training are excellent times to influence how employees approach cybersecurity both in terms of how seriously they take it and ensuring that they understand what they need to do to protect themselves. Good security starts with hiring and background checks and then carries through onboarding with how things like acceptable use and personal device policies are crafted and explained. Onboarding should also include regularly updated trainings on common tactics, like how to spot a phishing email. “At onboarding, explain to employees that you have a fiduciary duty to protect the information that’s available to you in the day-to-day job,” says Dickens.
• Use two-factor authentication: The single easiest measure organizations can take to protect themselves is to institute two-factor authentication. “When we’re talking about targeting humans, we have seen on numerous, numerous occasions where bad guys would target accounts, and then they see two-factor authentication is implemented and they don’t even bother,” Berglas says. Whatever the password policy says, people reuse passwords all the time, so a password that leaks from one site is often valid at another; two-factor authentication makes that stolen password insufficient on its own, turning a break-in into an onerous activity at little cost. Not all second factors are equal, though: one-time codes delivered by SMS or generated by an app can still be phished or talked out of an employee in real time, whereas hardware security keys based on FIDO2/WebAuthn resist that, so prefer them where the systems support it.
• Protect mobile devices: Cybercriminals are always looking for new angles of attack, and organizations need to be aware of the growing risk posed by mobile malware. People tend to be quite comfortable using their mobile devices and think of cybersecurity risks mainly in the context of computers. According to Berglas, however, there is a growing trend of malware variants compromising people’s phones and collecting credentials and information from them.
• Pay special attention to executives and board members: Because they have access to large amounts of information, and because employees rarely question the veracity of communications that appear to come from them, executives and board members are particularly appealing targets for hackers. Complicating matters further, their identities and contact information tend to be publicly available, either on corporate websites or in SEC filings, says Pierson.
• Check up on third-party service providers: Companies aren’t vulnerable only to direct attacks. Often, hackers try to gain access via a third-party tool, as in the SolarWinds attack, so companies need to regularly audit the security practices of their partners (this auditing process is often called “third-party assurance,” “third-party due diligence” or “information assurance”). If a company providing benefits portal technology, for instance, has poor security practices or a breach, “then literally you as the chief people officer for the company have just caused an impact to every single potential employee,” says Pierson.
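The onboarding item above asks employees to learn how to spot a phishing email, and the executive item explains why a message that looks like it comes from the CEO gets less scrutiny than it deserves. The following added example, which is not code from the article or from any firm quoted in it, turns that training advice into the checks a mail gateway or a trained reader applies to an inbound message: a display name matching a known executive but arriving from the wrong address, a Reply-To that steers answers to a different domain than the From, a sender domain that is a typo-squat or punycode lookalike of the corporate one, and the classic urgency or gift-card lure in the text. The corporate domain example.com, the executive directory and the three sample messages are all constructed.

```python
"""Added example (not from the article): executive-impersonation phishing checks.

Parses RFC 822 messages with the standard library and returns the red flags
found. The corporate domain, executive directory and messages are constructed.
"""
import email
import email.utils
import re

CORPORATE_DOMAIN = "example.com"  # assumption
EXECUTIVES = {                     # constructed directory: display name -> real address
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}
URGENCY = re.compile(r"\b(gift cards?|wire transfer|urgent(ly)?|right away|confidential)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squatted domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list:
    """Return the red flags found in one raw message (empty list if none)."""
    msg = email.message_from_string(raw)
    from_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    _, reply_addr = email.utils.parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    flags = []

    # 1. Display name says "executive", address says otherwise.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("display-name impersonation")

    # 2. Replies are quietly routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply-to domain mismatch")

    # 3. Sender domain is a near-miss or an IDN (punycode) lookalike of ours.
    if from_domain != CORPORATE_DOMAIN:
        punycode = any(label.startswith("xn--") for label in from_domain.split("."))
        if punycode or 0 < levenshtein(from_domain, CORPORATE_DOMAIN) <= 2:
            flags.append("lookalike sender domain")

    # 4. The social-engineering hook: urgency, secrecy, gift cards, wires.
    body = "" if msg.is_multipart() else msg.get_payload()
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        flags.append("urgency or payment lure")
    return flags


# Constructed sample messages (not real mail).
MSG_LEGIT = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: payroll@example.com",
    "Subject: Q3 board deck",
    "",
    "Draft attached for review before Thursday.",
])
MSG_SPOOF = "\n".join([
    'From: "Jane Doe" <jane.doe.ceo@gmail.com>',
    "Reply-To: ceo-desk@mail-relay.net",
    "To: payroll@example.com",
    "Subject: Quick task",
    "",
    "Are you at your desk? I need you to buy gift cards for a client right away.",
    "Keep this confidential.",
])
MSG_LOOKALIKE = "\n".join([
    "From: Sam Lee <sam.lee@examp1e.com>",
    "To: payroll@example.com",
    "Subject: Payroll update",
    "",
    "Please update my direct deposit to the account below before the next run.",
])

if __name__ == "__main__":
    for name, raw in [("legit", MSG_LEGIT), ("spoof", MSG_SPOOF), ("lookalike", MSG_LOOKALIKE)]:
        print(name, check_message(raw))
```

None of these checks is conclusive on its own: an executive really may write from a personal address on a weekend, and a two-character edit distance will occasionally catch an unrelated domain. The point for training is that each flag is a reason to verify through a second channel before acting, which is exactly the step the Robinhood support employee needed.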