HR Departments’ vulnerability as a key cyber-attack target and key prevention strategies

When managing risk, Human Resources departments often overlook the potential for a cyber-attack. Yet HR departments are a prime target for cyber-attacks given the sensitivity of the personnel data they hold.

A recent survey estimated that 90% of all data breaches were attributable to human error or misuse—not IT vulnerabilities. The survey noted that more than half of all employers do not train new employees on cybersecurity threats.

HR departments, big or small, need to be proactive in preventing cyber-attacks.

Below are some strategies that can be used to protect your HR department from cyber-attacks.

Phishing Attacks

The Australian Cyber Security Centre’s partner agency CERT Australia advised in early 2016 that it was aware of at least three major international organisations that had been targeted by a new phishing scam in the previous two months. The intent of the scams was to expose sensitive employee data.

According to CERT, the phishing email, which appears to be from the CEO or executive of an organisation, is sent to the Human Resources (HR) department, requesting the organisation’s personnel details.

This scam poses a significant risk to employees’ personal information, as the personnel data contains names, addresses, wages, tax file numbers and health care information that could be used for identity theft or tax fraud.

Strategies that can be used to protect your business from phishing scams such as this include:

  • Educating all employees about the risks of opening any link or attachment from an unknown sender
  • Ensuring employees understand the risks of responding to requests for bulk staff information. Procedures need to be put in place to ensure bulk requests for personnel data are treated with the utmost care
  • Being cautious with the information that is posted to social media and company websites, including job descriptions, organisation structures and out-of-office information
  • Subscribing to a spam filtering service and regularly reviewing its effectiveness
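As an added example (not from the article or from CERT Australia), a small Python check that applies the second strategy above to an inbound message: it flags mail whose display name matches an executive but whose address or Reply-To points outside the company, and whose body asks for bulk personnel data. The company domain, executive list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Assumed organisation details (constructed for this example, not from the article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane chief": "jane.chief@example.com"}  # display name -> real address
BULK_DATA_TERMS = re.compile(  # phrases typical of a bulk personnel-data request
    r"\b(all (employees|staff)|payroll|tax file numbers?|personnel (records|details))\b",
    re.IGNORECASE,
)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess_message(raw_email: str) -> list:
    """Return the reasons a message looks like an executive-impersonation data request."""
    msg = message_from_string(raw_email)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: inspect the first part only
        body = body[0].get_payload()
    reasons = []
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        reasons.append("display name matches an executive but the address does not")
    if _domain(from_addr) != COMPANY_DOMAIN:
        reasons.append("sender domain is outside the company")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append("Reply-To differs from the From address")
    if BULK_DATA_TERMS.search(str(body)):
        reasons.append("body requests bulk personnel data")
    return reasons

# Constructed sample messages (not real correspondence).
PHISHING_EMAIL = """\
From: Jane Chief <jane.chief@examp1e-mail.net>
Reply-To: ceo.office@webmail-example.net
To: hr@example.com

Please send me the payroll summary and tax file numbers for all employees today.
"""
LEGITIMATE_EMAIL = """\
From: Jane Chief <jane.chief@example.com>
To: hr@example.com

Could you confirm my remaining annual leave balance?
"""
```

A check like this belongs in the mail gateway or HR mailbox rules as one signal among several; a flagged request should still go through the manual verification procedure rather than be answered by reply.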

Ransomware

Ransomware is a type of malware that restricts access to a computer system (e.g. by encrypting files) and demands that the user pay a ransom to remove the restrictions.

In one reported attack on an HR department, an email arrived disguised as the resume of a potential job candidate.

Educating and training employees on cyber security is the key to preventing ransomware attacks. Specifically, employees need to understand the risks of opening an attachment from an unknown sender.

The company insider

According to one survey, 59% of ex-employees admit stealing company data when leaving their former employer.

Companies can minimise this risk by being proactive during the hiring and termination processes.

During the hiring of a new employee, HR should do the following:

  • Educate employees on common cyber security threats, outlining expectations on how employees should handle company data, including destruction of data
  • Provide employees with only the data access necessary to perform their individual job
  • Ensure all privacy expectations regarding client data are correctly documented
  • Ensure company policy prohibits employees from sending confidential work data to non-work email addresses such as Gmail or Hotmail
  • Explain to employees the risk of posting on social media

During the separation or termination of employees, HR should do the following:

  • Conduct a termination interview, reiterating the company’s data use policy and the possibility of both civil and criminal penalties for violations of that policy
  • Seek confirmation in writing from employees that they did not and will not violate the company’s data use policy
  • Ensure that access to all company systems including external websites or portals containing company data is stopped
  • Ensure company data is deleted from all devices that the ex-employee is taking with them such as mobile phones


Worldwide Learning Hub believes prevention is the best cure and can work with your business to help you and your employees understand the risks of a cyber-attack and to gain a clear understanding of the dos and don’ts of using both hardware and software.

Our e-learning course Cyber-security and You is designed for employees and managers. The program aims to explain to learners the role we play in cyber security, awareness of privacy and security principles, as well as steps to keep personal information safe from cyber-attack.
