A new report highlights significant cybersecurity vulnerabilities within the HR industry, especially concerning phishing email attacks.
- Over 77% of HR workers have encountered phishing incidents, compared to just 54% of the average workforce.
- Outdated training is a critical issue, with 53% of employees lacking adequate education on multi-factor authentication (MFA) and phishing.
- Many MFA methods, such as SMS and authenticator apps, remain susceptible to bypass by hackers.
- The report urges stronger cybersecurity measures and improved training to protect businesses from potential breaches.
The HR sector is facing alarming cybersecurity threats, as a recent report revealed during October’s Cyber Security Month. Data indicates that a staggering 77% of HR workers have experienced phishing attacks, a stark contrast to 54% of the general workforce. This difference underscores a vulnerability in HR departments, which often handle sensitive employee data.
Critical insights from the North East Business Resilience Centre (NEBRC) highlight that phishing attacks are evolving. Hackers now prefer exploiting legitimate email accounts rather than creating new ones, which makes the attacks harder to detect. Martin Wilson of NEBRC explains that these attacks often lead victims to fake login pages designed to harvest login credentials, including those protected by MFA.
Despite the supposed security of MFA, many methods are still at risk. Hackers can intercept one-time passwords (OTPs) through techniques like SIM swapping or malware, allowing unauthorized access even to accounts with SMS or app-based MFA. Additionally, ‘MFA fatigue’ is a concerning tactic in which victims, faced with repeated prompts, end up approving a login attempt.
Among the workforce, 22% reported not using MFA at all, and others rely on less secure methods such as SMS codes, security questions, or biometric data. More secure alternatives like physical MFA keys or app-based verifications are recommended to counter these threats effectively.
Alarmingly, 32% of workers have never received training on MFA or phishing, and many who have report that their sessions are outdated. This lack of proper education perpetuates security gaps. Business owners are not immune, with 66% admitting to missing essential training within the past year. Experts from NEBRC and the National Cyber Security Centre offer valuable resources to mitigate these issues.
The pressing need for more effective cybersecurity measures and training within the HR sector cannot be overstated.