Last week, Capital One became the latest company to suffer a major security breach.
Based on what we know from the FBI and the slew of professional articles that followed the breaking news, the hacker was a former Amazon Web Services (AWS) employee who was able to tap into a central piece of Amazon’s cloud technology known as the instance metadata service. Every server running in AWS can query this service for the temporary credentials it has been assigned, along with other data needed to manage that server. Whoever can make a server ask for those credentials gets them too: the computer world’s equivalent of a banker handing out the keys to the bank vault.
The attacker made off with data from more than 100 million credit applications, including 140,000 Social Security numbers, 80,000 U.S. bank account numbers, and approximately 1 million Canadian Social Insurance Numbers (SINs) used to administer various government programs.
While I won’t bore you with the technical details of how the attacker got access to all this sensitive data, I will tell you that the methods she employed have been well understood for years. The hack was made possible by a misconfigured open-source web application firewall (WAF) that Capital One was using as part of its operations hosted in the cloud with Amazon Web Services. Basically, she tricked the WAF into making a request on her behalf to the metadata service, which handed back the credentials assigned to the WAF’s server, and those credentials had been permitted to read far more data than a WAF should ever need.
Bad actor. Bad configuration. Bad permissions. Bad news.
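As an added illustration of the mechanism just described (this is example code written for this article; it is not Capital One’s configuration, not code from any WAF product, and not the exact request the attacker sent), here is a URL-forwarding helper of the kind a WAF or reverse proxy might expose. The first version forwards whatever address a visitor supplies, so it can be pointed at the EC2 metadata service and made to return the server’s own credentials; the hardened version refuses internal targets before any connection is made. The DNS table and the `imds.attacker.example` hostname are constructed for the example so it runs offline.

```python
# Added example for this article; not Capital One's configuration, not code
# from any WAF product, and not the request the attacker used. It shows the
# mechanism: a URL-forwarding feature that fetches whatever address a
# visitor supplies can be aimed at the EC2 metadata service
# (169.254.169.254) and made to hand back the server's own credentials.
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple, Union
from urllib.parse import urlsplit

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline; a real deployment would
# use system_resolver() below (or the resolver of its HTTP client).
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "imds.attacker.example": ["169.254.169.254"],  # attacker-controlled name -> metadata IP
}


def constructed_resolver(host: str) -> List[str]:
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise ValueError(f"unresolvable host: {host!r}") from None


def system_resolver(host: str) -> List[str]:
    """Real resolver; the offline demo uses constructed_resolver instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vulnerable_target(url: str) -> str:
    """SSRF-prone form: returns whatever host the visitor named, so a request
    for http://169.254.169.254/latest/meta-data/iam/security-credentials/
    would be forwarded straight to the metadata service."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host


def _parse_literal(host: str) -> Optional[Address]:
    """Recognise IP literals, including the decimal/hex spellings
    (2852039166, 0xa9fea9fe) that HTTP clients accept but a naive
    string match on '169.254.169.254' misses."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        n = int(host, 0)
    except ValueError:
        return None
    return ipaddress.IPv4Address(n) if 0 <= n < 2**32 else None


def _is_internal(addr: Address) -> bool:
    # IPv4-mapped IPv6 (::ffff:169.254.169.254) is the same target.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_link_local or addr.is_loopback or addr.is_private
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def safe_target(url: str, resolver: Callable[[str], List[str]] = system_resolver
                ) -> Tuple[str, List[str]]:
    """Hardened form: allow only http(s), resolve the host once, refuse
    anything internal, and return the resolved addresses so the caller
    connects to exactly those (closing the DNS-rebinding gap between the
    check and the fetch)."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        raise ValueError(f"scheme or host not allowed: {url!r}")
    literal = _parse_literal(host)
    addrs = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    for addr in addrs:
        if _is_internal(addr):
            raise ValueError(f"refusing internal target {host!r} -> {addr}")
    return host, [str(a) for a in addrs]


def is_safe_url(url: str, resolver: Callable[[str], List[str]] = system_resolver) -> bool:
    try:
        safe_target(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ["http://example.com/", "http://169.254.169.254/latest/meta-data/",
              "http://2852039166/", "http://[::ffff:169.254.169.254]/",
              "http://imds.attacker.example/", "http://localhost/"]:
        print(f"{u:45} vulnerable forwards to {vulnerable_target(u):25} "
              f"hardened allows: {is_safe_url(u, constructed_resolver)}")
```

The network-side check is only half the fix. The other half is the point the article makes under “bad permissions”: the role attached to the WAF’s server should carry only the permissions a WAF needs, so that even leaked credentials cannot read customer data. (After this article was written, AWS also introduced IMDSv2, which requires a session token obtained with a PUT request before the metadata service answers; a simple forwarded GET like the one above cannot produce that token.)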
In preventing their organization from becoming a security breach headline, human resources professionals play a vital role. As recruiters, educators, culture creators and technology customers, HR is uniquely qualified to prevent vulnerabilities like those experienced by Capital One and so many other organizations we hear about nearly every week. Here’s a list of three things you and your team can do.
1. When looking for new HR tech, call security.
While the Capital One breach didn’t rely on any HR systems, it’s important to point out that it was a “vendored” solution. That is, the organization made a choice to partner with an external organization. Whether you’re looking for a benefits administration platform, a payroll system or some other HR technology, your security team must be at the table. The last thing you want is to narrow your search to three finalists after months of searching only to find that none meet your security team’s requirements.
By involving IT risk management and security specialists early and often, you’ll get more than an idea of their security requirements; you’ll also gain a deeper awareness and appreciation of the risks associated with collecting, storing and accessing employee information. Your discussions might even prompt these subject matter experts to revisit security issues they haven’t considered in a while, thereby strengthening their value as a partner in your HR tech search and the overall security of your organization. From the RFP to signing the contract, engaging risk management specialists will ensure that they are aware of how the business is using the third-party organization and what the risks are as you move forward with the relationship.
2. Demand cyber insurance from HR tech providers.
Didn’t know this existed? It does and it’s worth it. Vendors who carry cyber insurance are covered against internet-based risks such as data destruction, extortion, theft, hacking and denial of service attacks, and where the policy includes third-party liability that coverage extends to losses their customers suffer. Coverage often includes losses due to errors and omissions, failure to safeguard data, defamation, post-incident public relations expenses, investigative fees and even criminal reward funds.
When it comes to the bottom line, cyber insurance may be a life saver in the case of a breach. Depending on your policy, it can cover the cost of communicating with impacted parties, restoring identities in the case of theft, recovering data, repairing damaged computer systems, litigation and even extortion. With the average cost of a cyber-attack coming in at $1.67M, a large incident could be a significant financial hit to your vendor.
It’s important to note that not all HR technology providers carry cyber insurance. The reason for this is the increasingly stringent requirements insurance companies place on vendors to qualify them for coverage. If the vendor cannot demonstrate they are a low risk, they can’t get coverage. The implication, of course, is that if your vendor can’t cover the cost of an incident, you may be the one left holding the bag. It may seem like a small thing, but ensuring your partners are equipped with the right insurance could be a huge relief if you are dealing with a data breach.
3. Train your employees early and often.
As with most security breaches, the one at Capital One had a strong human element. Cloud services and cloud infrastructure make it extremely easy to set up new systems and services. That same ease makes it extremely easy for someone to make a configuration mistake or overlook a setting. Had someone configured Capital One’s environment differently, for instance by granting the WAF’s server only the permissions a WAF needs, the attacker could not have turned a foothold on a web server into access to all that personal data.
In creating a culture where security is top of mind for all employees—from the C-suite to the IT department to the customer service center—HR plays a vital role in protecting the organization against cyber threats. By training your employees early and often, you create a “human firewall” to keep the bad guys at bay.
As you look for training programs, off-the-shelf cybersecurity training modules are a good place to start. Look for one that addresses the unique security threats your company faces; a logistics company will have different needs than a hospital. Then go beyond the modules and explore the other resources at your disposal: vendor partners, customers, and the audit and consulting teams that provide services in your organization. These are all great resources for educating your workforce on industry trends, attacks and risks being posed to organizations like yours.
Interested in learning more about the unique role you play in protecting your organization? Read How to Avoid Becoming a Security Breach Headline for 15 tips on building a cybersecure workforce, selecting secure HR technology and keeping your employees safe at work and home.