How HR Leaders Can Support Cybersecurity in a Ransomware World
Less than two weeks before Christmas, a cybersecurity disaster struck users of UKG’s Kronos Private Cloud services. A ransomware attack left systems like UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions crippled.
These solutions serve both public and private sector employees, with high concentrations in public safety, healthcare and financial services. Companies affected by the cybersecurity breach were mostly using the Kronos applications for time tracking, scheduling and payroll purposes. For healthcare talent leaders in particular, it was a lump of coal in their stocking after a particularly brutal year.
The shake-up led to companies following a variety of contingency plans, including manual time tracking and scheduling and using new payroll systems. Some companies with Christmas payrolls imminently due made the choice to average employee pay and make any corrections once the system is restored.
At the time of this writing, UKG is slowly getting services restored. Today still, the company's leaders remain forthcoming about the status of the restoration. It’s still unclear whether the ransomware attack had anything to do with the Log4J security vulnerability, but UKG isn’t some new company with relaxed cybersecurity procedures.
Until there’s more information, it seems wise to assume that what happened to Kronos Public Cloud isn’t just a cybersecurity failure at UKG. Any potential zero-day vulnerability could likely wreak havoc if it affected any significant cloud environment.
Cybersecurity Contingency Plans
Those using systems unaffected by the attack may be breathing a sigh of relief. I know I would. But it can’t stop there.
Companies need to take a look at all of their current critical people systems and revisit their contingency planning. Are they up to date? Do they cover all critical systems? Does everyone know where to find the information on those contingency plans? How hardened are the plans for different outage scenarios? For example, what is the contingency for a service outage with one particular solution versus a disaster outage with no internet access at all?
For many organizations affected by the ransomware outage, there unfortunately wasn’t clear planning done. While an outage of this significance means more work for everyone, not having a plan adds additional stress and uncertainty on everyone.
Some organizations, for instance, may use a third-party payroll provider for these services, but it is still the organization’s responsibility to pay its people. That means that for some systems, there is a legal obligation to be better prepared. Best-faith efforts can make a significant difference in times of crisis.
Related Article: Protecting Data Against the Rising Tide of Ransomware
Teaming Up for a Cybersecurity Solution
Even the best contingency plan won't prevent future cybersecurity incidents. Cybersecurity today isn't about preventing attacks but about how quickly the company can identify a breach, respond and restore services. It's about resiliency.
Addressing Employee Needs and Wants with a Digital Workplace
The workplace is getting more and more digital – both in how we work and where we work
Maintaining a Human-Centered Approach During Digital Transformation
When it comes to digital transformation - people drive change, not technology
The Evolution of Employee Recognition
Leveraging the power of appreciation to improve the employee experience
How to Build a More Innovative and Resilient Workplace Culture
What would happen if every member of your team came to work focused on finding solutions and creating better results?
As cloud solutions have become the norm in the digital workplace, the need for HR leaders to engage a CIO, CISO or other IT expert on a company's cyber resilience isn’t seen as foundational as it once was. But for those who haven't been as involved in recent deployments, now may be a good time to revisit the landscape and measure any potential risk against the systems they have in place today.
Most enterprise HR leaders use dozens of solutions on a day-to-day basis. Prioritization is key to making the best use of time for both HR and IT. One HR leader told me his company only looks at systems that house critical employee and dependent personal information or systems that could lead to severe business disruption. This enabled them to skip the evaluation of their third-party people analytics tool because of its limited ability to pull personally identifiable information. While a hack of that system wouldn’t be great, the risk would be more limited than, say, a payroll system.
IT leaders will also be keen on a solution provider’s own contingencies. Do they have failover systems? What sort of backup cadence do they have, and what’s the timing for getting systems patched and up again after a disruption? A seasoned CISO, CIO, IT leader or other experienced security professional will be able to dive into those challenges.
Related Article: Does Your Organization Need a Chief Data Officer? Probably
Act Soon, But Don’t Panic Buy
If anything, the UKG ransomware attack has given everyone the talking points needed to prioritize critical areas in 2022. So, unless a company is in the midst of an actual business disruption, there’s no need to go out and grab the first solution available.
Instead, working with a broad team of IT, HR and operations leaders will help ensure that any new solution selected will take care of both business and people needs, while also being secure. This can also be a great opportunity to update neglected, outdated systems that aren’t meeting the needs of the business anyway.
With the shift in the workforce to more hybrid and remote environments, threat vectors have increased (or at least changed). The changes brought on through the pandemic have given HR and IT the opportunity to work together and create the next generation of solutions for their workforce.
But none of that matters if critical information is compromised or key systems are down for weeks. The time to collaborate and work to secure and upgrade solutions is now. There might not be another opportunity like this for years.
Learn how you can join our contributor community.
About the Author
Lance Haun is a leadership and technology columnist for Reworked. He has spent nearly 20 years researching and writing about HR, work and technology.