Canadian HR Reporter is the national journal of human resource management. It features the latest workplace news, HR best practices, employment law commentary and tools and tips for employers to get the most out of their workforce.
Issue link: https://digital.hrreporter.com/i/745917
CANADIAN HR REPORTER November 14, 2016 2 NEWS Recent stories posted on www.hrreporter.com. Check the website daily for quick news hits from across Canada and around the world. WEB O N T H E ACROSS CANADA Wynne government 'thrilled' by signing of CETA free trade deal with EU Will result in creation of 30,000 new jobs for Ontario: Minister National Bank shaking up workforce, with 600 job cuts, 500 hires 300 workers being offered retirements, position movement Vale Canada to pay $1 million fine in worker's 2014 death Company addressed 58 recommendations from joint investigation with union Justin Trudeau greeted by heckles, jeers at youth labour forum 'Unacceptable when minister of finance says young people need to get used to precarity': Delegate Saskatchewan changes law to help workers with psychological injuries, PTSD Injuries now presumed work-related unless employer rebuts position Get used to 'job churn,' Morneau tells Liberal meeting Says we need to think about training, retraining people as they move from job to job Registered nurse focus of 'death investigation' in southwestern Ontario: Company Ex-employee left Caressant Care more than two years ago AROUND THE WORLD U.K. Uber drivers win case to get paid vacation, minimum wage Ruling may have implications for companies that rely on self-employed workers Amazon delivery contractor settles on New York back wages Deductions for phantom lunch breaks short-changed workers Women and men won't reach economic equality until 2186, says index Statistics show progress has decelerated, stalled or reversed Pets at work may help atmosphere, but bring risks Some business owners believe animals boost morale, productivity A look at how robots assist with future of job safety Rice University's James McLurkin talks about robotics at work hrreporter.com FEATURED VIDEO "ere's a lot of very sensitive information in HR, so they are a more lucrative target." Ransomware new threat for HR Recruitment process can see resumés embedded with malware BY JOHN DUJAY THE threat of ransomware has been making dramatic headlines of late, as companies are faced with malware that restricts ac- cess to a computer or files and de- mands payment for the restriction to be removed. Most companies do not pub- licize successful ransomware at- tacks, but they are happening, said Al Smith, vice-president of technology at iCIMS in Matewan, N.J., which makes applicant track- ing system software. "Almost every company who has had an experience keeps an incredibly low profile," he said. "That's a double-edged sword because by hiding that, it makes it harder to create the awareness." It can also be an issue for hu- man resources — especially when it comes to recruitment — as seen recently when a ransomware vari- ant called Petya was found hidden inside a resumé housed on file- hosting company Dropbox. "e function of HR is to pro- cess those documents, so they're receiving resumés on a regular ba- sis," said John Shier, senior secu- rity advisor at Sophos, a security software and hardware company in Toronto. "e fact that they handle and process documents on a regular basis adds up to a lot of threats." "ey can't (assess candidates) without opening those docu- ments and that's where all the trouble starts." And recruiting companies are paid to get resumés to clients quickly. "They are trying to get that resumé on the desk as fast as possible," said Doug Kersten, in- formation security manager at iCIMS, which provides recruiting software management systems. "Most of the time, when you get ransomware, it's from companies that are allowing it through." e applicant tracking systems employed by companies usu- ally have good security systems but they are operated by regular people, said Nima Mirpourian, branch manager at Robert Half Technology in Toronto. "e limitation that ATS pro- vides for recruitment is really the human element." A common tactic is sending resumés with malware inside Microsoft Word which typically asks users if they want to trigger active content when opening a document. "Most users that are sending in resumés will not have active content; it will not trigger that type of behaviour within Micro- soft Word," said Shier. "If you do open a resumé and you do see that warning that there is active con- tent and there is a macro, that's probably where you want to step back a little bit and call your IT department and have them have a look at it." Because resumés contain per- sonal and private data that must be legally protected by companies, they are a target, said Lysa Myers, security researcher at ESET, an In- ternet security software company in San Diego. "ere's a lot of very sensitive information in HR, so they are potentially a more lucrative tar- get and the criminals are entirely aware of that," she said. "Because (data) in HR can be very time-sen- sitive, it increases the severity of an attack due to ransomware, be- cause if they are prevented from accessing data in a timely fashion, it's a lot bigger deal." Tips for employers So, how can companies protect themselves against ransomware? Scanning documents before they can enter the system is the best first step, said Shier. "If we can detect that docu- ment as being a poisoned docu- ment through the initial delivery mechanism, which is email, then we can block it there," said Shier, who also advocates using a "sand- boxing" technique that analyzes incoming documents in a safe environment, not connected to a network. "If you do use some of the tech- nologies such as an email filter that does have sandboxing tech- nologies, an anti-exploit tool, for a relatively lower cost and overall better benefit, you can leverage across the entire organization, you can be fairly well-protected against this kind of threat," he said. Backups are the best way to ensure data is protected should something happen to prevent people from accessing it, said Kersten. "If HR departments focus on making sure their systems are re- storable and the data is properly backed up, I think there is a lot less chance that they will have to even think about paying ransom for the data." But backups should be stored offline from the company net- work and must be regular tested to make sure they are not cor- rupted, said Shier. "Backups are an invaluable tool to make sure that if everything fails, at the end of the day, you have a reliable copy of your data that you can restore." Updating all operating systems and software on a regular basis means the threat of a successful attack is lower, said Smith. "ese documents do rely on existing vulnerabilities to exploit; if those vulnerabilities do not ex- ist, it is much more difficult for an exploit to be successful. It is an ongoing struggle," he said. "You need to remain current, because it is kind of a whack-a- mole world that we live in." By employing as much security as possible, companies are better protected and criminals do not profit, said Myers. "If there is any way to getting around paying, that is always the better option because that is just inviting more trouble. e best thing you can do with re- ally sensitive data is make sure you have strong authentication, not just password and login, but use multi-factor authentication, encrypt the data itself, and make sure you have good security soft- ware, not just on the machine the data is held but on the network." Sometimes, the solution to the problem might exist on the Inter- net. If companies do get infected by ransomware, a Google search might yield a solution. "In some cases, the ransom- ware key has been published," said Kersten. "e first thing you should do is look online and see if that key has been published. If that key hasn't been published, then you are in a much tougher situation." People errors Despite all of these measures, it is the end user who inadvertently activates an executable malware file that causes the bulk of the se- curity concerns, said Shier. "e age-old advice of 'Do not click on links in email' is so in- credibly important to adhere to," said Shier, who recommends if a worker suspects a link may be le- gitimate, it's best to manually type the link into a browser window and to not blindly click on a hy- perlink. "Do not open unsolicited attachments." REINFORCE > pg. 5