What do China and Thanksgiving have in common this year? Well, it has nothing to do with tasty takeout for those who don’t want the hassle of roasting a turkey all day. On November 18, Ars Technica reported a potentially devastating cyberattack, backed by the Chinese government, that could lead to widespread security breaches. The effects of the coronavirus pandemic have shifted our traditions, societies, and behaviors. Gathering with loved ones and rushing to doorbuster events will largely be replaced by digital dinners and electronic commerce. But the holiday itself isn’t the catalyst. As we illustrate in our eBook “New Talent Strategies for Our New Normal,” COVID-19 had already elevated the role of technology at an accelerated clip. So it’s a good time for every business, government agency, federal contractor, and workforce solutions provider to carefully consider the role of cybersecurity as we crack open a new calendar.
Have Yourself a Digital Thanksgiving
This Thanksgiving, it’s probably fair to say that we can forget the chaos of hosting a packed house of relatives or the frantic sprint to retailers after finishing the last bite of pumpkin pie. The resurgent wave of COVID-19, along with renewed curfews and crowd-curbing measures, will undoubtedly make 2020’s festivities a digital affair. Traveling over the river and through the woods to grandmother’s house? Probably not, unless we’re talking about the physical telecommunications networks that allow us to spin up Zoom for an intimate Internet interaction with dear old grams. The e-commerce frenzy that’s come to dominate the holiday in the forms of Black Friday and Cyber Monday will also certainly reflect the pandemic’s impact on shopping attitudes this year.
As Caitlin Mullen noted in her article for The Business Journals’ Bizwomen, holiday consumer habits have been reshaped by “the spread of Covid-19, the corresponding economic downturn and racial equity conversations.” Retailers and consumers must confront necessary adjustments to their former traditions.
The Centers for Disease Control and Prevention recommends online shopping this year and deemed shopping at crowded stores around Thanksgiving a high-risk activity, reports USA Today. Deloitte found about half of consumers feel anxious about shopping in-store during the holiday season, and almost two-thirds of their spending budgets will go to online purchases, per CNN.
The dangers of hacking, however, aren’t new around this time of year.
Black Friday, Black Hat
Significant security breaches defined the Black Friday season of 2013 and the year that followed. Target revealed that attackers had stolen roughly 40 million payment card numbers along with the personal information of up to 70 million customers, including names, addresses, phone numbers and email addresses. Few other sellers were immune. Over the same period, hackers also infiltrated the payment or customer systems of Home Depot, Albertson’s, Michaels, Neiman Marcus, P.F. Chang’s, SuperValu, Adobe and others. In fact, in 2014, researchers at the Ponemon Institute estimated that 110 million Americans, about half of the country’s adult population, had fallen prey to cyber criminals who exploited supposedly secure systems to expose their victims’ financial, transactional, and personal details.
But it’s not just commercial systems and corporations that catch the eye of malevolent hackers. During the run up to the presidential race of 2016, Russia’s interference in U.S. elections became a chilling example of how far-reaching, sophisticated, and consequential cyberattacks have become.
The looming problem we face right now, also from antagonistic foreign actors, could have equally detrimental consequences.
“Researchers have uncovered a massive hacking campaign that’s using sophisticated tools and techniques to compromise the networks of companies around the world,” cautioned Ars Technica’s Dan Goodin. The hackers, analysts believe, hail from a well-known group that Symantec calls Cicada, which is funded by the Chinese government:
The attacks make extensive use of DLL side-loading, a technique that occurs when attackers replace a legitimate Windows dynamic-link library file with a malicious one. Attackers use DLL side-loading to inject malware into legitimate processes so they can keep the hack from being detected by security software.
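The mechanism behind that quote is worth making concrete. For libraries not on the KnownDLLs list, Windows resolves a DLL by name and checks the application’s own directory before the system directories, so a malicious DLL dropped beside a legitimate, signed program gets loaded into that program’s process. The following is an added example, not code from the original article or from Symantec: a small hunting heuristic over constructed records shaped like Sysmon Event ID 7 (Image loaded) fields, flagging system-named DLLs that were loaded from outside the Windows system directories. The sample paths, binaries and the list of commonly hijacked DLL names are illustrative assumptions.

```python
"""Hunting for DLL side-loading in image-load telemetry.

Side-loading abuses the way a trusted executable resolves a library by name:
for libraries not on the KnownDLLs list, Windows checks the application's own
directory before the system directories, so an attacker who drops a DLL named
like a well-known system library next to a legitimate, signed program gets
code loaded inside that program's process. A cheap hunt is therefore: a DLL
carrying the name of a well-known system library, loaded from somewhere other
than the Windows system directories, weighted higher when the file is unsigned.

Added example, not from the original article. The records are constructed to
resemble Sysmon Event ID 7 (Image loaded) fields; the detector is a heuristic
and will flag legitimate redistributed copies at lower severity."""
from dataclasses import dataclass
import ntpath

# Library names frequently hijacked via side-loading (illustrative, not exhaustive).
COMMONLY_SIDELOADED = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "msimg32.dll",
    "cryptbase.dll", "dwmapi.dll", "uxtheme.dll",
}

# Directories where these DLLs legitimately live (assumes a C: system drive).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
WINSXS_PREFIX = "c:\\windows\\winsxs\\"


@dataclass(frozen=True)
class ImageLoad:
    image: str         # process performing the load (Sysmon: Image)
    image_loaded: str  # DLL that was loaded (Sysmon: ImageLoaded)
    signed: bool       # Sysmon: Signed


def loaded_from_system_dir(path: str) -> bool:
    """True if the DLL path sits in System32, SysWOW64 or the WinSxS store."""
    directory = ntpath.dirname(path).lower()
    return directory in SYSTEM_DIRS or directory.startswith(WINSXS_PREFIX)


def classify(event: ImageLoad):
    """Return 'high', 'medium' or None for one image-load event."""
    name = ntpath.basename(event.image_loaded).lower()
    if name not in COMMONLY_SIDELOADED or loaded_from_system_dir(event.image_loaded):
        return None
    # System-named DLL resolved from a non-system directory: the classic
    # side-loading shape. An unsigned copy is the strongest signal; a signed
    # copy may be a vendor's legitimate redistribution and needs review.
    return "high" if not event.signed else "medium"


def find_sideloads(events):
    """Map each suspicious DLL path to its severity."""
    findings = {}
    for event in events:
        severity = classify(event)
        if severity is not None:
            findings[event.image_loaded] = severity
    return findings


# Constructed sample telemetry (paths and binaries are invented).
SAMPLE_EVENTS = [
    ImageLoad("C:\\Program Files\\Vendor\\app.exe",
              "C:\\Windows\\System32\\version.dll", True),          # normal load
    ImageLoad("C:\\ProgramData\\update\\signed_tool.exe",
              "C:\\ProgramData\\update\\version.dll", False),       # side-load shape
    ImageLoad("C:\\Program Files\\Debugger\\dbg.exe",
              "C:\\Program Files\\Debugger\\dbghelp.dll", True),    # redistributed copy?
    ImageLoad("C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\ntdll.dll", True),            # normal load
]

if __name__ == "__main__":
    for path, severity in find_sideloads(SAMPLE_EVENTS).items():
        print(f"{severity:6} {path}")
```

Run against real Sysmon data, the medium tier will contain vendors that legitimately ship their own copy of a library; the useful triage step is to compare the file’s hash and signer against the copy in System32 and to look at what the loading process did next.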
“The campaign also makes use of a tool that’s capable of exploiting Zerologon,” Goodin explained. “Exploits work by sending a string of zeros in a series of messages that use the Netlogon protocol, which Windows servers use to let users log in to networks. People with no authentication can use Zerologon to access an organization’s crown jewels—the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network.”
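Why a “string of zeros” is enough deserves a closer look, because it is a cryptographic mistake rather than a missing password check. Netlogon derives the client credential by encrypting an 8-byte challenge with the session key using AES-128 in CFB8 mode with an IV of sixteen zero bytes (CVE-2020-1472). In CFB8, if the IV and the plaintext are all zeros and the first byte of the block cipher’s output on the zero block happens to be 0x00, the shift register never changes and every output byte is 0x00. That happens for roughly one session key in 256, and nothing stops the attacker from retrying with fresh sessions. The following is an added example, not code from the original article, from Symantec or from the tool they describe: it implements CFB8 generically and simulates the retry loop. The block cipher is a SHA-256 based stand-in rather than AES, which is an assumption made to keep the example dependency-free; the effect depends only on the CFB8 structure, so any block function shows it.

```python
"""Why Zerologon's "string of zeros" works: CFB8 with a fixed all-zero IV.

Netlogon authenticates a client by encrypting an 8-byte challenge with the
session key using AES-128 in CFB8 mode and an IV of sixteen zero bytes
(CVE-2020-1472). In CFB8 each ciphertext byte is plaintext byte XOR the first
byte of E_k(shift register), and the register then absorbs that ciphertext
byte. With an all-zero IV and all-zero plaintext, if E_k(0)[0] happens to be
0x00 the register never changes, so all eight output bytes are 0x00. That
holds for roughly 1 session key in 256, and the attacker simply retries with
new sessions until it does.

Added example, not code from the original article or from Symantec. The block
cipher below is a SHA-256 based stand-in, NOT AES; the argument relies only on
the CFB8 structure, so any block function shows the same effect."""
import hashlib

BLOCK = 16          # AES block size in bytes
CHALLENGE = 8       # Netlogon challenge/credential size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher: a keyed function built from SHA-256 (not AES)."""
    assert len(key) == BLOCK and len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 encryption over block_encrypt (the mode Netlogon uses)."""
    shift = bytes(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, shift)[0]   # one keystream byte per plaintext byte
        out.append(c)
        shift = shift[1:] + bytes([c])         # drop oldest byte, append ciphertext byte
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Mirror of Netlogon's credential computation: CFB8 with a zero IV."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zero_credential_accepted(session_key: bytes) -> bool:
    """Attacker's move: send an all-zero challenge and claim an all-zero credential."""
    return compute_netlogon_credential(session_key, bytes(CHALLENGE)) == bytes(CHALLENGE)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """The single condition the whole attack hinges on."""
    return block_encrypt(session_key, bytes(BLOCK))[0] == 0


def derive_key(seed: bytes, i: int) -> bytes:
    """Deterministic stand-in for the fresh session key of attempt number i."""
    return hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:BLOCK]


def structural_property_holds(trials: int) -> bool:
    """Zero credential accepted iff E_k(0)[0] == 0, for every key tried."""
    return all(
        zero_credential_accepted(derive_key(b"check", i))
        == first_keystream_byte_is_zero(derive_key(b"check", i))
        for i in range(trials)
    )


def success_rate(trials: int) -> float:
    """Fraction of simulated attempts in which the zero credential is accepted."""
    hits = sum(zero_credential_accepted(derive_key(b"attempt", i)) for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    rate = success_rate(8192)
    print(f"zero credential accepted in {rate:.4%} of attempts (expected about 1/256 = 0.39%)")
```

The simulation shows the attacker’s odds per attempt; a real exploit also has to reach the domain controller over RPC and follow up by resetting the machine account password, neither of which this code does. On the defensive side the remedy is not detection logic but patching domain controllers with Microsoft’s August 2020 update and running in its enforcement mode (mandatory from February 2021), which rejects vulnerable Netlogon connections.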
So, who’s at risk? According to Symantec, which has already discovered evidence of files being exfiltrated from compromised machines, the targets are many:
- Automotive, with some manufacturers and organizations involved in supplying parts to the motor industry also targeted, indicating that this is a sector of strong interest to the attackers
- Clothing
- Conglomerates
- Electronics
- Engineering
- General Trading Companies
- Government
- Industrial Products
- Managed Service Providers
- Manufacturing
- Pharmaceutical
- Professional Services
Yet, what’s not mentioned in the list—and is too often excluded—is the technology that powers the processes of most workforce solutions providers. These organizations house sensitive personal and business data for employees and clients, including government agencies who utilize federal contractors for staffing services.
Three Steps to Optimizing Cybersecurity Initiatives
PricewaterhouseCoopers (PwC), one of the world’s largest and most reputable professional services firms, emphasized the mission-critical need for mature and resilient cybersecurity practices in its “2021 Global Digital Trust Insights” report. According to the survey, “40% of executives say they’re accelerating digitization — perhaps taking on business strategies they hadn’t imagined before.”
Most recruiting and hiring efforts transpire in the cloud these days, not in the office. Data has become paramount. Yet, extracting more and more of it without the proper protections has created a new holiday for hackers and digital saboteurs. With the tremendous surge in contingent and complementary labor over the past decade, cybersecurity in HR remains essential to optimal business performance and safety.
Focus on Cybersecurity Leadership
High-speed digital change is a necessity for most organizations, including workforce solutions providers. But safety can’t be ignored in the mad dash to innovate. For companies that develop vendor management systems (VMS), applicant tracking systems (ATS), online recruitment platforms, and other HR information systems (HRIS), cybersecurity protocols are probably baked into their organizations. They may even have installed IT security professionals into the ranks of leadership. But as PwC recommended, especially in the presence of COVID-19, all companies should seriously consider moving forward with incorporating cybersecurity strategies into every business decision. Staffing companies may not have seen the need to bring aboard Chief Information Security Officers (CISO), but times have changed.
- Savvy CISOs remain in step with the vision and goals of the entire enterprise, not just IT.
- Companies must make security a priority and an integral aspect of the overall culture, encouraging people to engage and contribute to security rather than shying away from it.
- “Lead cross-functional teams to match the speed and boldness of digital transformations with agile, forward-thinking security and privacy strategies, investments, and plans,” PwC suggested.
- CISOs and operational executives should work hand-in-hand to implement enterprise-wide policies for promoting safety across all systems where sensitive data resides.
- A business-driven cyber strategy is essential as businesses adopt sweeping, rapid digitization. In staffing, where new tools and technologies are being deployed to increase efficiencies, this becomes imperative.
Budget for Cybersecurity
“Cyber budgets could — and should — link to overall enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way, but 53% lack confidence that their current process does this,” concluded PwC in its report.
- Allocating additional funds for new departments or roles may seem daunting, but cyber managers can do a lot with a little, thanks to automation and the rationalization of technology.
- Identifying and quantifying cyber risks is essential. Staffing companies may not think they’re at risk, particularly if they don’t consider themselves tech firms. But today, every organization has become digital. Processing payroll, for example, exposes workforce solutions providers to hundreds of recurring transactions that carry bank account details and personal identifiers, each one an opportunity for fraud or theft.
- Cyber budgets should be connected to the enterprise or relevant business units in a strategic, risk-aligned, and data-centric way.
- “Quantification,” PwC said, “also makes it easier to measure the value of the overall portfolio of cyber investments against business objectives.”
Move to the Cloud
The systems most exposed to attack, including in the current Chinese-backed campaign, are often unpatched on-premises servers such as the Active Directory domain controllers that Zerologon targets. The cloud, PwC advised, offers companies dynamic, nimble, and integrated systems that are more secure by design. The caveat is that the provider secures the underlying platform while the customer remains responsible for its own identities, configuration, and data, so migration changes the security work rather than removing it.
CISOs who transition their organization to the cloud can build hygiene mechanisms in from the beginning, in automated ways: patching, centralized logging, and multi-factor authentication on every account. They can also remove friction from the system and simplify service delivery to their customers.
In the workforce solutions industry, we often talk about the power of the human cloud—an evolving ecosystem of online and digital labor marketplaces where talent and hiring organizations find and engage each other. But many workforce solutions providers, particularly smaller firms, have yet to migrate. The reality is that cloud platforms such as AWS, Google Cloud, and Microsoft Azure are making it easier for organizations of all sizes to capitalize on the benefits of operating through the cloud.
Plan for Problems
Published in January 2020, the World Economic Forum’s Global Risks Report 2020 ranked “infectious diseases” among the least likely threats. How did that pan out? We can never predict what events will come, but we can plan for them. Workforce solutions providers—whether they’re commercial vendors or federal contractors—have an obligation to protect their clients’ businesses, their employees, and their own organizations. Making cybersecurity a priority for 2021 could give every stakeholder something to be grateful for next Thanksgiving.