You’ve seen the headlines about the urgency of getting cybersecurity in place for your HR tech to run smoothly and without any hiccups. But what do you do if your best-laid plans go awry? What if you get hacked?
Kronos Private Cloud, a workforce management service owned by the Ultimate Kronos Group (UKG), recently suffered a security breach that made it impossible for employers who use its services to access vital employee information. Its clients include Whole Foods, Staples, Puma, and Tesla, according to Business Insider.
Recognize the Risk
The hack meant that HR leaders could not access UKG Workforce Central, which includes time cards, attendance, and scheduling, according to Business Insider. This happened in mid-December, a time when employees are scrambling to use up paid time off (PTO) and anticipating their paychecks with even more urgency than usual.
Some employees shared their concerns on social media and expressed worry about not getting paid on time. This is a difficult situation for HR leaders for a number of reasons. After all, the Fair Labor Standards Act requires employers to track the hours worked by their employees, using any method of timekeeping. It spells out employers' obligation, when their usual system is unavailable, to switch to paper time cards for manual tracking or to use another electronic timekeeping method, according to Business Insider.
No one knows for sure, but the UKG hack may have been a result of vulnerabilities related to Log4j, a widely used logging library for Java. Companies need to be aware of this possibility and be proactive about addressing it in their own security strategies.
In the wake of the UKG hack, SHRM reported that Linn Freedman, a partner in the Providence, Rhode Island law firm Robinson & Cole, said that these kinds of ransomware attacks against companies are becoming more frequent. Hackers want to inflict tremendous fear and pain on employers to increase the chance that they will pay the hefty ransom.
“The big lesson is that companies must have specific contingent operations and backup plans in place for when a critical third-party service provider is taken out,” Freedman said to SHRM. “This will not be the last time this will happen.”
Indeed, UKG’s misfortune is a warning signal to HR leaders everywhere. If it can happen to them, it can happen to you. The good news is that you can prepare for the worst.
Freedman and other experts say that you should do the following:
Have a Backup Plan
Many employers rely on these platforms for payroll, but they need to have another system in place in case they are hacked. You could have a backup technology, or you could have a system for manual timekeeping and paper paychecks. Make sure the teams in charge of these services know the backup plan and can execute it on demand. You might even run drills to ensure the process is seamless.
Disaster Recovery Plan
Even the most secure systems can be hacked. So, you must be ready to respond. What will PR look like? What is your policy for dealing with ransom demands? How will you delegate powers in case of an emergency such as the one UKG faced in December?
You can’t just focus on hacks of your company. Obviously, the clients of Kronos had to face difficult questions about what to do now that a platform they used for a critical part of their operation – employee management and payroll – had been hacked. Know what you will do if something similar happens.
Remote Desktop Monitoring
Remote desktop monitoring is software that allows you to remotely monitor client networks, computers, and endpoints. It is vital to your cybersecurity strategy. It should be a priority for IT departments, as well as HR.
Insider Threat Mitigation
“An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization’s network systems, data, or premises, and uses their access (sometimes unwittingly),” according to the U.S. government’s Cybersecurity & Infrastructure Security Agency (CISA). “To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk – before an incident occurs.”
The government’s website offers a structured plan for mitigating such threats. The suggested steps are to detect, identify, assess, and manage threats. A key to preventing an insider threat is to know the people you hire well. HR leaders must take an active role in engaging employees and recognizing potential threats.
Multifactor Authentication
Multifactor authentication means that you have to go through a number of steps to enter a system.
“When you sign into the account for the first time on a new device or application (like a web browser) you need more than just the username and password,” according to Microsoft. “You need a second thing – what we call a second ‘factor’ – to prove who you are.”
Having multifactor authentication in place, especially now that employees are sometimes working remotely, can be a benefit to your cybersecurity. It might also make the process of logging on annoying, but it’s a small price to pay for a more secure network.
Strong Spam Filters
Obviously, if you can keep spam out, you can save yourself more than a few headaches. Spam is digital junk mail. It can also refer to junk texts and calls. The point is that it sometimes includes links that, once clicked, open the door to a security breach and can lock up computers, so that people lose access to private and vital information. It can also bring work to a halt. Strong filters that identify spam before anyone encounters it and could accidentally click on something are an important part of a security strategy.
Unfortunately, even if you take all these precautions and more, you may still get hacked. Nothing is foolproof. So, you should have a backup plan, take preventive measures, assess risk, prepare for the worst, and hope for the best.