How to keep your HR data safe in 2023 and beyond
When they sign a contract, your people are agreeing to hand over two of their most valuable assets—their time and their personal data. In return for their time, they can expect compensation. In return for their personal data, they should expect transparency, a right to access, and—probably most importantly—security. Once upon a time that meant filing all the company records away in a locked cabinet and making someone responsible for the key. But how do you keep your virtual filing-cabinet keys consistently safe in a world of cloud technology, third-party integrations, agile organisations, remote working, shifting cyber threats, transparency, and rights of access for all?
Let’s talk about securing your people data in the modern workplace.
Limit data collection and retention
If you don’t collect it, you don’t need to secure it… not quite as catchy as Bob Dylan’s, “When you ain’t got nothing, you got nothing to lose”, but it’ll do for the HR hall of fame.
Your HR department should collect and retain only what’s necessary. Not only does this keep you on the right side of the UK GDPR, but it limits the scope for data loss in the event of a breach. So, regularly review your systems and data entry forms. If you don’t need it, don’t ask for it. If it’s inaccurate, update it. If it’s no longer relevant, delete it.
Restrict access
Limiting access to data limits exposure of sensitive personal information. Identify key stakeholders and anyone who needs access to certain data to fulfil their duties. Then apply appropriate and consistent access permissions depending on policies, level of training, and roles. And always keep access records, which can be referenced in audits or if there’s a breach.
Although it might be tempting to share login details between users and save on licensing costs, sharing access credentials poses a BIG security risk. For starters, leavers can’t be automatically deprovisioned in good time, which means that they can still access systems after their leaving date. Not to mention that it becomes much harder to set proper access restrictions.
Categorise stored data
Job data, payroll data, personal data, and sensitive data should all be categorised separately. Not only does categorisation save time in HR administration, but it means that appropriate security and access can be applied to different types of people data.
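The three practices above (collect and retain only what’s needed, restrict access by role and keep access records, categorise the data) fit together naturally in software. The following is an added illustration, not SenseHR code or any real product’s: the categories are the four named in this article, while the role names, retention periods, account names and employee records are all invented for the example. It also shows, via the access log, why a shared login cannot be deprovisioned for one leaver without locking out everyone else who uses it.

```python
"""Constructed example: categorised HR records, role-based access with an
access log, retention review, and the deprovisioning problem with shared logins.
Roles, retention periods and sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# The four data categories named in the article.
CATEGORIES = ("job", "payroll", "personal", "sensitive")

# Assumed role -> categories that role may read (least privilege).
ROLE_PERMISSIONS = {
    "line_manager": {"job"},
    "payroll_clerk": {"job", "payroll"},
    "hr_admin": {"job", "payroll", "personal", "sensitive"},
}

# Assumed retention period per category, measured from the date the
# record was last needed (e.g. a leaving date). Illustrative values only.
RETENTION_DAYS = {
    "job": 365 * 6,
    "payroll": 365 * 6,
    "personal": 365,
    "sensitive": 90,
}


@dataclass
class Account:
    username: str
    roles: set
    active: bool = True


@dataclass
class Record:
    employee: str
    category: str
    last_needed: date


class HRStore:
    def __init__(self):
        self.accounts = {}
        self.records = []
        # Access record: (username, employee, category, allowed). Kept for
        # audits and breach investigations, whether or not access succeeded.
        self.access_log = []

    def add_account(self, username, roles):
        self.accounts[username] = Account(username, set(roles))

    def deprovision(self, username):
        """Leaver process: disable one named account. Only works when each
        person has their own login; a shared login would cut off everyone."""
        self.accounts[username].active = False

    def can_read(self, username, category):
        acct = self.accounts.get(username)
        if acct is None or not acct.active:
            return False
        allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in acct.roles))
        return category in allowed

    def read(self, username, employee, category):
        """Return matching records, logging the attempt either way."""
        allowed = self.can_read(username, category)
        self.access_log.append((username, employee, category, allowed))
        if not allowed:
            raise PermissionError(f"{username} may not read {category} data")
        return [r for r in self.records
                if r.employee == employee and r.category == category]

    def retention_review(self, today):
        """Return records whose category retention period has expired."""
        if isinstance(today, str):
            today = date.fromisoformat(today)
        return [r for r in self.records
                if today - r.last_needed > timedelta(days=RETENTION_DAYS[r.category])]


def build_demo_store():
    """Constructed sample data: two individual accounts and three records."""
    store = HRStore()
    store.add_account("alice.manager", ["line_manager"])
    store.add_account("bob.payroll", ["payroll_clerk"])
    store.records += [
        Record("emp-001", "job", date(2023, 6, 1)),
        Record("emp-001", "sensitive", date(2023, 6, 1)),   # past 90 days by 2024-01-01
        Record("emp-002", "payroll", date(2016, 1, 1)),     # past 6 years by 2024-01-01
    ]
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.read("bob.payroll", "emp-002", "payroll"))
    print([r.employee + "/" + r.category for r in s.retention_review("2024-01-01")])
```

Every read, allowed or denied, lands in the access log under the individual’s username; with a shared login the log would only ever say which team read the data, not which person, and deprovisioning the leaver would disable the whole team.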
Implement granular encryption
Data encryption both at rest and in transit is an essential layer of security. For example, if an attacker were able to gain access to your system, strong encryption would stop compromised data from being immediately readable, so your organisation would have more time to apply countermeasures.
And don’t forget your spreadsheets! Just like financial professionals, those of us in the people profession love a good spreadsheet. But whatever they’re being used for, if they contain any personal data, make sure that they’re secured and preferably encrypted.
Conduct cyber security audits
The ever-evolving nature of cyber security means that continuous risk assessments and reviews of security measures and practices are a must. And if you find a problem, don’t delay putting it right. According to a 2021 security report by Check Point Software Technologies, “87% of organizations have experienced an attempted exploit of an already-known, existing vulnerability”.
HR professionals must demand that their organisation can properly respond if the worst should happen by having backup, response, and disaster recovery plans in place. To develop a response plan, identify the nature and scope of possible breaches, and establish processes for corrective action to protect employee data. And be aware that personal data breaches must normally be reported within 72 hours, which means that a set response plan can save valuable time.
Circulate up-to-date documentation
Establish, maintain, and promote proper documentation to support security measures and protect the privacy of people data. That includes:
- Privacy statements for both workers and applicants
- Up-to-date employment contracts and contractor agreements covering data processing agreements and privacy obligations
- A data protection policy
- Third-party data processing and sharing agreements for any individual or organisation that uses your employee data
Policies should also outline what’s expected of employees, workers, and third parties to keep people data secure, as well as anything that they need to do, and any associated consequences.
Get cosy with IT and legal
HR professionals should work alongside IT security governance and legal teams to produce data security documentation, response plans, policies, and training programs. Cross-departmental collaboration will produce the most robust security-awareness program and help to ensure that people managers know about the risks and laws involved, as well as take them seriously—and that will filter down through the whole organisation.
Exercise good password hygiene
Strong, complex passwords, regular password changes, using unique passwords for every new platform, and refraining from password sharing are all aspects of good password hygiene—and they’re just as important in the workplace as they are in domestic life.
Training
Ransomware, business email compromise (BEC) and phishing are some of the biggest threats to securing your people data.
Ransomware is as it sounds—your money for your data. This type of data extortion usually threatens to destroy or publish data if a specified ransom isn’t paid. Not only does the organisation suffer the costs associated with the ransom, but also the downtime and any resulting GDPR fines. Garmin recently suffered an attack and reportedly paid a $10 million ransom, so even the heavy hitters find it hard to stay ahead of emerging vulnerabilities.
Phishing is the most common method for getting ransomware or other malware into organisation networks. It operates by luring one or more individuals into opening an email, instant message, or text message that contains a link. Once clicked, the link can behave in several ways, from downloading malware to freezing a system or encrypting data as part of a ransomware attack.
In much the same way, BEC relies on gaining the trust of an individual victim, by masquerading as a colleague, superior, IT member, or a trusted third-party associate, and asking for money or some form of system access.
With most cyberattacks targeting individual team members, it’s apparent that proper training is crucial to avoid a data breach. So, everyone in the organisation should undergo data security training at the point of onboarding with regular refresher training.
The record increase in remote working poses even more security risks, which require specific training and guidance. For its report “The Cybersecurity Pandora’s Box of Remote Work,” SailPoint surveyed 9,000 people from the US, UK, France, Germany, Australia, and New Zealand about cybersecurity practices and experiences during remote working. The results are eye-opening. For example, 48% of UK respondents experienced a phishing attack during the 6 months prior to the survey, while a quarter of all respondents admitted to sharing a password in the same time frame. And organisations aren’t doing enough to prevent problems arising. In the US a third of employees said that they use their personal devices for work, but only 13% of the same respondents had been encouraged to use secure access for files and folders. And less than a quarter of overall respondents received regular training.
The use of personal or company mobile phones also requires focused guidance, with 46% of organisations saying that they’ve had at least one employee download a malicious mobile application.
It seems that the real challenge for HR professionals is going to be implementing and maintaining training standards for all employees, whether they’re office based, remote, or deskless. Because it’s evident that individual training and awareness is paramount to securing every organisation’s people data. And don’t forget that security training can be promoted as a perk rather than a penance because the same threats are targeting employees in their homelife too.
Easing the security burden
Great people management demands great data security practices. But having to keep abreast of the changing laws and threats, as well as protect, inform, and train employees, is a lot to handle, even for the most dedicated cyber knight, let alone a busy HR team. Luckily, HR management systems can take care of most recommended security practices.
Here are just some of the security measures that you can expect from, and things you can do with, a good HR software system:
- Dynamic role-based security so that data access is managed through security protocols on a ‘need to know’ basis
- Self-service access, so employees can see and control most of their personal data
- Quick and easy access for deletion or correction
- Documents like employee handbooks and policies can be stored, managed, and circulated from within the system
- Cloud-based systems are easy to use but can still support compliance and data security at every stage
- Automatically issue reminders to staff to change their passwords
- Help to categorise stored data
- Bank-level security protocols and data encryption
- SSO and multifactor authentication
- ISO 27001 certification
And next-generation HCM systems, like SenseHR, can keep on top of all your training too.
With our system you can keep track of who still needs training, training progress, and refresher recommendations, as well as supporting and cheering on your people as they improve their security knowledge and your chances of avoiding an attack. And it doesn’t matter how agile you need to be or how dispersed your workforce is—our progressive solutions will flex with you and keep you and your data safe.
Basically, we’re the Mister Fantastic of HR Software.