Given the personal exploitative data HR departments store and the propensity for HR employees to open unsolicited emails, the HR industry is a top target for hackers.

In the case of GoldenEye, the ransomware was hidden in a Microsoft Excel document of a seemingly legitimate job applicant sending their CV and aptitude tests for consideration.

Hackers also often use spear phishing to make requests for money or information. There was a case where a hacker used an email address similar to the company president's to request employees' W2 information and the HR department mistakenly sent the hacker 900 employees' tax information.

Two years ago, the U.S. Office of Personnel Management was hacked, and the personal data of millions of past and present federal employees was stolen including names, addresses, Social Security numbers, and other information that could be used for identity theft and blackmail.

HR is a lucrative target for hackers due to the value of information and ease of entry. But despite continued cyber attacks, the HR industry has failed to implement significant changes.

The HR industry needs to shift from a retroactive to a proactive approach to cybersecurity. In order to make it more difficult for hackers to gain access, HR departments need to do these three things:

1. Practice good cyber hygiene

The simplest way an organization can help protect itself from a cyber attack is to practice good cyber hygiene.

Cybercriminals are looking for a quick profit and seek the easiest targets. Actions that make an organization more difficult to exploit will often lead a cybercriminal to pass over the opportunity and move on to an easier target. Below are actions an organization can take to improve its cyber hygiene:

• Utilize strong unique passwords
• Use multi-factor authentication as often as possible
• Never download third-party applications
• Be conscious when surfing the web — go only to trusted sites
• Ensure network is private and protected with firewalls
• Utilize anti-virus software

2. Raise phishing awareness

As exemplified by the GoldenEye attack, the primary way cybercriminals chose to target HR departments is through phishing attacks.

HR departments should be educated and trained on phishing attacks. Key points in the training should include these:

• Never download/click on files/links from an unverified sender
• Be aware of spoofed email addresses or addresses that may be off by a single letter
• Report any email that makes monetary or sensitive information requests
• Keep phishing top of mind, refresh training, discuss phishing attacks in the news

3. Protect data

Unfortunately, hackers will always find a way to gain access, so the best way to protect an organization is by encrypting data on the servers and utilizing an email encryption service.

By using encryption, even if a hacker gains access to the network or email account, any data they steal will be rendered useless.

In addition, organizations need to utilize back-up servers to avoid paying ransoms to hackers who have stolen their data. Through encryption and data back-up, organizations can protect themselves and eliminate cybercriminal's profit.

Don't wait

HR is entrusted with the most sensitive employee and organization records; how many more cyber attacks will it take for the industry to make a change?

Instead of waiting for the next attack to implement change, begin today by increasing cyber hygiene, educating employees on phishing attacks, and considering network and email data encryption.

Idan Udi Edry is the newly announced CEO of Trustifi, a cybersecurity company specializing in email encryption services and security