Russian-speaking cybercrime group ‘Clop’ (Russian for ‘bedbug’) stole the personal data of more than 100,000 employees of British organisations including the BBC and British Airways, the companies recently confirmed.

The hackers exploited a previously unknown (zero-day) SQL injection flaw in MOVEit Transfer, a managed file-transfer product used by the affected companies’ payroll supplier, which has put HR data in the spotlight. Because no patch existed when the attack began, the lesson is not simply “patch faster”: what decided the damage was how much employee data sat on an internet-facing system, how long it stayed there, and how quickly each organisation and its suppliers could respond. Much of that damage was avoidable, and the good news is that you don’t have to be a giant like British Airways to get it right. Read on to discover what HR can do to avoid letting the bedbugs bite.


The cost of cybercrime

Worldwide, businesses lose £48bn a year to cybercrime, according to law firm Reed Smith. And that cost is not all theft or operational disruption:

  • A headline-hitting data breach is bad press for any brand, particularly for BA, which has been there before.
  • The Information Commissioner’s Office (ICO) can fine companies for cybersecurity failures; BA paid a then-record £20m after hackers breached customers’ personal data in 2018.
  • Companies typically also end up paying for fraud and credit monitoring for the people affected.

Besides these financial costs, the human cost can be devastating. If there’s a breach at your organisation, the worst thing you can do is try to save face by keeping employees in the dark. Be transparent with them as soon as possible about what’s happened, what data the hackers have taken, and what you’re doing to remedy the situation. Under UK GDPR you must also report a qualifying breach to the ICO within 72 hours of becoming aware of it, and tell the affected individuals without undue delay where the risk to them is high.


What you can do

This latest round of attacks makes it more urgent than ever to update your cybersecurity processes and keep checks and balances on your supply chain. Past ransoms paid for stolen data have probably encouraged the hackers, and will continue to do so.

The hackers also took advantage of internet-facing systems that were not kept up to date. No technology makes attacks like these impossible; what limits them is keeping software patched as soon as vendor advisories appear, knowing which of your systems (and your suppliers’ systems) are exposed to the internet and what employee data they hold, deleting data from transfer and payroll systems once it is no longer needed, encrypting data at rest, and keeping offline backups so that an extortion demand cannot hold your operations hostage.

However, 53% of HR functions outsource payroll, according to a study by CoAdvantage. If this is you, you need to do a serious review of your supplier’s cybersecurity. Ask them what controls they have in place, which systems your employees’ data passes through, how quickly they apply security patches, and what will happen in the event of a breach, including how fast they will tell you. Then have an independent cybersecurity expert review their answers. It’s also a good idea to audit them, to put breach-notification timescales into the contract, and to look for certification such as Cyber Essentials or ISO 27001.


Why cybersecurity is an HR issue

While HR generally manages people, not technology, cybersecurity is now HR’s problem too. 39% of businesses reported cyberattacks in 2022, according to government figures, and very few small and medium-sized businesses have a cybersecurity policy. HR holds the most sensitive employee data in the business, so it shares responsibility for preventing breaches and protecting employees.

Start with a written policy that layers several controls rather than relying on one. It should include training HR staff specifically, because payroll fraud (for example, fake requests to change an employee’s bank details) is common and targets them directly, as well as regular cybersecurity training for all employees.

Finally, consider what you’ll do if the worst does happen. Create a plan for disaster recovery and business continuity, and rehearse it. This should include educating leaders and key decision-makers on how to handle a ransom demand (and how not to), and who to call: your cyber insurer, law enforcement and an incident-response specialist, before anyone talks to the hackers.

We spoke to a business owner who has unfortunately been affected by cybercrime and consequently lost her business. She said:

“I was involved in a scam, not a fraud; it is useful to know the difference, as this matters when it comes to reporting and, more importantly, appealing. The situation affected my business, personal accounts, and my livelihood. Loans and accounts were set up in my name.

From an HR perspective, communication and proactive planning are fundamental to preventing any cyber attack. Our IT partner was brilliant, but sadly only in a reactive measure, not a preventative one. Having the correct insurance in place and educating everyone involved in a business on what to look out for is key to preventing the same from happening. With any disaster recovery procedure, I strongly suggest cybercrime prevention should be a priority to implement.

I cannot provide advice on how to prevent a cyber attack, as my case was complex and convoluted (and still ongoing after 4 months). The police were extremely helpful, so any individual affected must be reactive in engaging with the cybercrime unit, and Action Fraud, as all cases need to be reported within 3 months. There is no need to be embarrassed or ashamed as similar situations are very common.

There are specialist solicitors who work on a no-win no-fee basis within the first 3 months, who also may be able to help retrieve the funds. The Ombudsman needs to be contacted within 6 months of the final decision letter from the banks involved.

Personally, I’ve appealed again recently to the Ombudsman to establish where exactly the missing funds went, regarding lack of protective servicing and negligent banking; specifically, not being sufficiently proactive with their actions. They must take more responsibility, and not apportion much of the blame squarely to their customers.”


Some words from Cherry

Cybersecurity is also a prevalent issue in recruitment: do you ask your recruiter about their systems and security? At Cherry, we use a first-class CRM system that smaller organisations may not have access to. It’s always worth remembering that although some recruiters may offer cheaper prices, that saving may come at the expense of security elsewhere. Our Operations Director, Sarah Gibson, has in-depth knowledge of cybersecurity and says:

“The most common cyber threat is phishing, where the hacker will attempt to deceive the recipient by imitating a company or another person known to them, with the goal of obtaining personal information such as credit card details or passwords. These emails are often very convincing, and imitations can be hard to spot, especially when employees are under time pressure or feeling stressed.

83% of all identified attacks last year were phishing-based. For these attacks to be successful they rely on people clicking something that they shouldn’t! Therefore, HR teams have a big role to play in ensuring employees are trained effectively in how to spot these phishing emails. This should happen not only when employees first join, but periodically throughout the year. HR teams need to ensure employees and line managers know the common things to look for and know the process if something does go wrong.”
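The sender-imitation tricks Sarah describes can also be checked mechanically, which is useful both for training material and for a first-line filter in the HR mailbox. The following Python script is an added example, not part of the original article and not Cherry’s own tooling. It parses a raw email and flags four common impersonation indicators: a sender domain that is a lookalike of a trusted one (one or two characters changed, or a trusted brand embedded in an unrelated domain), a display name that claims a trusted organisation while the address does not belong to it, a Reply-To that diverts replies elsewhere, and urgency language in the subject. The trusted domains, the “Acme Payroll” brand and both sample messages are constructed for the example; replace them with your own suppliers’ domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this organisation legitimately receives payroll mail from.
# Constructed for the example; substitute your real suppliers' domains.
TRUSTED_DOMAINS = ("acme-payroll.co.uk", "hmrc.gov.uk")

# Words that pressure the reader into acting before thinking.
URGENCY_WORDS = ("urgent", "immediately", "today", "final notice", "suspended")


def _norm(text):
    """Lowercase and strip everything but letters and digits, so that
    'Acme Payroll' and 'acme-payroll' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def domain_of(header_value):
    """Lowercase domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain):
    """True for a trusted domain or any subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None.

    A genuine trusted domain (or subdomain) is never a lookalike. Otherwise
    flag domains within two edits of a trusted one, or that embed the
    trusted brand (first label), e.g. 'hmrc-refund.com'."""
    if not domain or is_trusted(domain):
        return None
    for t in TRUSTED_DOMAINS:
        if edit_distance(domain, t) <= 2 or _norm(t.split(".")[0]) in _norm(domain):
            return t
    return None


def analyse(raw_message):
    """Return a list of human-readable impersonation indicators for a raw
    RFC 5322 message. An empty list means none of the checks fired."""
    msg = message_from_string(raw_message)
    from_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    findings = []

    lookalike = lookalike_of(from_domain)
    if lookalike:
        findings.append(f"lookalike sender domain: {from_domain} imitates {lookalike}")

    if not is_trusted(from_domain):
        for t in TRUSTED_DOMAINS:
            if _norm(t.split(".")[0]) in _norm(from_name):
                findings.append(f"display name '{from_name}' claims {t} "
                                f"but the sender domain is {from_domain}")
                break

    if reply_domain and reply_domain != from_domain:
        findings.append(f"replies go to {reply_domain}, not the sender domain {from_domain}")

    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Acme Payroll Support" <support@acme-payrol.co.uk>
Reply-To: payments@secure-mail-update.net
To: hr@yourcompany.example
Subject: URGENT: confirm new bank details before today's payroll run
Content-Type: text/plain; charset=utf-8

Please confirm the attached bank account change by 5pm today.
"""

SAMPLE_GENUINE = """\
From: "Acme Payroll Support" <support@acme-payroll.co.uk>
To: hr@yourcompany.example
Subject: March payslips are now available
Content-Type: text/plain; charset=utf-8

Payslips for March are available in the portal.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        print(label, "->", analyse(raw) or ["no indicators"])
```

Run as a script it prints four indicators for the first sample and none for the second. None of these checks proves an email is malicious on its own (a supplier really can use a different Reply-To), which is why the output is a list of reasons for a human to pause rather than a verdict; the brand-substring rule in particular will flag legitimate third parties that mention a supplier in their domain, so tune the trusted list to your own suppliers.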

We’re proud to be sponsoring the Nottingham Business Growth breakfast on this very topic on Wednesday 28 June.