A recent survey has revealed significant gaps in cybersecurity within the HR sector, raising alarms across the UK.
- Notably, phishing attacks have become more sophisticated, successfully bypassing multi-factor authentication (MFA) safeguards.
- A concerning number of HR professionals have experienced phishing attempts, outpacing the national average.
- Training programmes on cybersecurity are alarmingly outdated, with a majority of staff lacking crucial knowledge.
- The report underscores the need for advanced security measures to thwart emerging threats.
The increasing prevalence of sophisticated phishing email attacks has become a substantial concern for businesses throughout the UK. These attacks, notably capable of evading multi-factor authentication (MFA), present a critical vulnerability within the HR sector, as emphasised in recent survey findings by the North East Business Resilience Centre (NEBRC).
The survey data, released during October’s Cyber Security Month, indicate that a significant number of HR professionals, approximately 77%, have encountered phishing incidents in their work environment. This figure starkly contrasts with the 54% reported among the general workforce, indicating a particular vulnerability within HR departments to such cyber threats.
Phishing emails masquerade as legitimate communications from trusted entities and trick recipients into taking harmful actions: clicking on malicious links, opening dangerous attachments, divulging sensitive information such as passwords, or authorising fraudulent transactions.
Martin Wilson, Head of Student Services at NEBRC, elucidates that the current trend in phishing attacks sees hackers exploiting compromised, legitimate email accounts rather than creating easily identifiable fake ones. He explains, “Hackers prefer to take over real accounts and send malicious emails, leveraging the trust within the victim’s address book.”
The bypassing of MFA protections by these phishing techniques remains a critical concern. The process typically involves phishing emails that lead users to fake login pages, which capture their credentials for the attackers to use in gaining unauthorised access. Even when MFA is enabled, methods that rely on a code the user types, such as SMS codes or authenticator-app codes, can still be defeated: the same fake page that captures the password can capture the code and relay it to the genuine site before it expires, and malware on the user’s device can intercept codes directly.
To combat these vulnerabilities, the report suggests implementing more secure MFA methods, such as on-screen codes and physical MFA keys. These options remove the manual entry of a code that an attacker could capture, and a physical key goes further: its login response is bound to the address of the genuine site, so a response obtained through a look-alike page is rejected rather than accepted.
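The difference between the two kinds of second factor described above is easier to see in code. The following is an added illustration, not code from NEBRC or from the report: a real-time phishing relay captures a password and a one-time code (RFC 6238 TOTP, as authenticator apps compute it) and replays them within the code’s validity window, then attempts the same relay against a security key whose response carries the origin the browser was actually on. The site addresses, user, password and secrets are all constructed for the example, and the key’s signature is stood in for by an HMAC so that it runs on the Python standard library alone; real keys sign with a private key, and the browser additionally refuses to use a credential registered for hr-portal.example from any other domain.

```python
import hashlib
import hmac
import json
import os
import struct

REAL_ORIGIN = "https://hr-portal.example"         # constructed: the genuine HR login site
PHISH_ORIGIN = "https://hr-portal-login.example"  # constructed: the attacker's look-alike site


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation), as authenticator apps compute it."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class TotpPortal:
    """Password plus typed one-time code. The server cannot tell which web page the
    code was typed into, so a code captured by a relay is as good as a genuine one."""

    def __init__(self, password: str, totp_secret: bytes):
        self.password = password
        self.totp_secret = totp_secret

    def login(self, password: str, code: str, now: int) -> bool:
        # Accept the current and previous 30-second step, as most servers do for clock drift.
        valid = {totp(self.totp_secret, now), totp(self.totp_secret, now - 30)}
        return hmac.compare_digest(password.encode(), self.password.encode()) and code in valid


class WebAuthnPortal:
    """Challenge/response in which the browser writes the origin it is really on into
    the signed client data, as WebAuthn does. An HMAC stands in for the key's signature."""

    def __init__(self, key_secret: bytes):
        self.key_secret = key_secret
        self.pending = {}

    def challenge(self, username: str) -> bytes:
        self.pending[username] = os.urandom(32)
        return self.pending[username]

    def login(self, username: str, client_data: dict, signature: bytes) -> bool:
        expected = self.pending.pop(username, None)
        if expected is None or bytes.fromhex(client_data["challenge"]) != expected:
            return False
        if client_data["origin"] != REAL_ORIGIN:
            return False  # the decisive check: the response was produced on another site
        msg = json.dumps(client_data, sort_keys=True).encode()
        return hmac.compare_digest(hmac.new(self.key_secret, msg, hashlib.sha256).digest(), signature)


def security_key_sign(key_secret: bytes, challenge: bytes, browser_origin: str):
    """What browser and key produce together: the origin is supplied by the browser,
    not by the page, so a phishing page cannot claim to be the real site."""
    client_data = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin}
    msg = json.dumps(client_data, sort_keys=True).encode()
    return client_data, hmac.new(key_secret, msg, hashlib.sha256).digest()


VICTIM_PASSWORD = "correct horse battery"      # constructed
VICTIM_TOTP_SECRET = b"12345678901234567890"   # the RFC 6238 test-vector seed
VICTIM_KEY_SECRET = b"victim-security-key"     # constructed stand-in for the key's private key


def relay_totp_attack(now: int = 1_700_000_000) -> bool:
    """Victim types password and code into the fake page; the proxy forwards both to
    the real portal a few seconds later, inside the code's validity window."""
    portal = TotpPortal(VICTIM_PASSWORD, VICTIM_TOTP_SECRET)
    captured_password, captured_code = VICTIM_PASSWORD, totp(VICTIM_TOTP_SECRET, now)
    return portal.login(captured_password, captured_code, now=now + 5)


def relay_webauthn_attack() -> bool:
    """Same relay against a security key: the proxy fetches a genuine challenge, the
    victim's browser (on PHISH_ORIGIN) signs it, and the proxy forwards the response."""
    portal = WebAuthnPortal(VICTIM_KEY_SECRET)
    challenge = portal.challenge("alice")
    client_data, sig = security_key_sign(VICTIM_KEY_SECRET, challenge, PHISH_ORIGIN)
    return portal.login("alice", client_data, sig)


def legitimate_webauthn_login() -> bool:
    """Control case: the same key used directly on the real site is accepted."""
    portal = WebAuthnPortal(VICTIM_KEY_SECRET)
    challenge = portal.challenge("alice")
    client_data, sig = security_key_sign(VICTIM_KEY_SECRET, challenge, REAL_ORIGIN)
    return portal.login("alice", client_data, sig)


if __name__ == "__main__":
    print("TOTP relayed through phishing page accepted:", relay_totp_attack())
    print("Security key relayed through phishing page accepted:", relay_webauthn_attack())
    print("Security key on genuine site accepted:", legitimate_webauthn_login())
```

The relayed TOTP login succeeds because nothing in the six digits says where they were typed; the relayed key response fails on the origin check alone, before the signature is even examined. That is the property the report’s recommendation of physical keys relies on.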
Current statistics show that more than one in five employees do not use any form of MFA at work. Among those who do, the methods vary: app-based time-sensitive codes (21%), SMS (20%), email (20%), security questions (17%), biometric authentication (17%), and physical keys (9%). These methods differ widely in how well they resist phishing, however: any method that produces a code or answer the user types into a web page can be captured and relayed, so the protection they offer is uneven.
‘MFA fatigue’, where attackers who already hold a user’s password bombard them with repeated push-notification login requests in the hope that one is eventually approved, presents another layer of threat. Users should approve only login attempts they have just initiated themselves, and an unexpected prompt should be treated as a sign that the password may already be compromised.
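A security team can spot this pattern in its authentication logs before a tired user taps “approve”. The following is an added example, not something from the NEBRC report: a small detector that reads push-notification events, flags any user who receives a burst of prompts within a short window, and records whether an approval followed the burst. The log lines are constructed for the example and the format (timestamp, user, event) is an assumption, so the parser would need adjusting for a real identity provider’s export.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample, not output of any real product. Each line: UTC timestamp, user, event.
SAMPLE_LOG = """\
2024-10-07T08:01:10Z alice push_sent
2024-10-07T08:01:25Z alice push_denied
2024-10-07T08:01:40Z alice push_sent
2024-10-07T08:01:55Z alice push_denied
2024-10-07T08:02:10Z alice push_sent
2024-10-07T08:02:30Z alice push_denied
2024-10-07T08:02:45Z bob push_sent
2024-10-07T08:02:50Z bob push_approved
2024-10-07T08:03:00Z alice push_sent
2024-10-07T08:03:20Z alice push_denied
2024-10-07T08:03:40Z alice push_sent
2024-10-07T08:03:55Z alice push_denied
2024-10-07T08:04:10Z alice push_sent
2024-10-07T08:04:30Z alice push_approved
"""


def parse_events(log_text: str):
    """Yield (timestamp, raw_timestamp, user, event) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        raw_ts, user, event = line.split()
        yield datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ"), raw_ts, user, event


def detect_push_bombing(log_text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> dict:
    """Flag users who received at least `threshold` push prompts within `window`.

    Returns {user: {"first_prompt": str, "prompts": int, "denials": int,
                    "approved_after_burst": bool}}. An approval after the burst is the
    outcome to escalate: the attacker already had the password and only needed one tap."""
    recent = {}   # user -> deque of (timestamp, raw) prompts inside the window
    denials = {}  # user -> denials seen so far
    alerts = {}
    for ts, raw_ts, user, event in parse_events(log_text):
        if event == "push_sent":
            q = recent.setdefault(user, deque())
            q.append((ts, raw_ts))
            while ts - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(user, {"first_prompt": q[0][1], "prompts": 0,
                                                 "denials": 0, "approved_after_burst": False})
                entry["prompts"] = max(entry["prompts"], len(q))
                entry["denials"] = denials.get(user, 0)
        elif event == "push_denied":
            denials[user] = denials.get(user, 0) + 1
        elif event == "push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_bombing(SAMPLE_LOG).items():
        print(user, info)
```

In the sample, alice receives six prompts in about three minutes and denies five before approving the sixth, so she is flagged with approved_after_burst set; bob’s single prompt and approval is ordinary behaviour and produces no alert. The threshold and window are starting points to tune against a given organisation’s normal prompt rate, and a flagged approval should trigger a password reset as well as a session review.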
Alarmingly, the report highlights a profound deficiency in cybersecurity training: an estimated 32% of workers have never received training on phishing or MFA. The gap is more pronounced among business owners, two-thirds of whom have had no training in the past year, placing their organisations at substantial risk.
In conclusion, the findings call for urgent improvements in employee education and the adoption of phishing-resistant MFA and other robust cybersecurity measures, particularly within HR functions, to mitigate the impact of these increasingly sophisticated phishing attacks.
