HR managers, hiring managers and those in charge of payrolls look after some of their company’s most private and sensitive personal information, from employees’ bank details to their home addresses. This makes it critical that they are aware of the current threats to data security and how to protect their organisation’s data.
According to a 2016 report, up to 80 per cent of Australian businesses may have suffered data breaches. The report also found that most companies still lack formal security awareness training programs. For the 67 per cent of HR directors who deliver IT tools and access policies as part of their role, it’s enough to make you nostalgic for the days of paper files. However, there’s no need to rush to unplug: follow these security tips to keep your company’s data secure while fulfilling your role’s responsibilities in 2018.
Improve training and awareness
According to leading Australian cybersecurity expert Simon Smith, aka the eVestigator, it’s important to note that cybersecurity is primarily about people and processes, not technology. HR can and should play a vital role in increasing company-wide security training and awareness, as well as making sure adequate employee screening and monitoring procedures are in place.
“Cybersecurity is a complete discipline that has to be adopted across the whole organisation,” Smith says. “There have been many cyber incidents I’ve been called out to where there have been templated HR policies, or none at all. If you manage people and processes systematically, you’re on your way.”
Treat all data as sensitive
About to drop some work documents on that USB stick? Not so fast. Smith says many HR managers would be surprised at how even the most insignificant data can potentially expose a person’s entire identity. He recommends not relying solely on passwords, as it’s simply human nature to use abbreviations and other shortcuts that hackers can easily guess.
“Any work data should be protected by two-factor authentication,” Smith says. Known also as two-step verification, this involves adding an extra layer of security that only the user can access, such as a code generated by a physical token.
Any security training should also address the danger of employees being manipulated from outside, also known as social engineering. Smith cites the example of a hacker who, using only a first name, was able to get a list of matching surnames from a HR staffer over the phone, which was then correlated with Facebook profiles to access a wealth of personal information.
Provide access on an as-needed basis
Any monitoring of employees will inevitably bring up issues of ethics and privacy. Smith believes, however, that if done properly, security should be seamless to employees. This starts with making sure user roles and user privileges are properly assigned and managed.
“When it comes to access to information, [employees] should know what they need to know, and no more,” he says. “The only frustration that should occur is if they try getting into systems they shouldn’t be able to access.”
Keep your data internal
Laptops, tablets and smartphones have made it easier to work remotely, but they also add a layer of risk when it comes to data being lost or stolen. Smith says this risk can be minimised by using programs that allow the user to securely log into the company’s systems and work without having to save any files to the local device.
“There should never be any need for HR or company data to be saved to a laptop or device, and any remote access should be subject to the same stringent rules as inside the workplace.”
Use the latest security tools
When it comes to cybersecurity, prevention is always better than a cure. Therefore, it’s important for HR to consult regularly with IT experts in managing and securing its data.
This should include:
• Encrypting HR data that leaves the company via email or other channels.
• Implementing basic security policies, such as strong passwords and internet usage rules.
• Making sure every employee’s computer and/or device is running appropriate antivirus and firewall software.
• Having a removable media policy that restricts the use of USB drives, external hard disks or other portable media.
Many businesses are turning to online HR software that manages their HR data in off-site ‘cloud’ servers. While many of these solutions can offer high levels of data protection and security, no system is completely infallible, and HR staff should be just as security-aware as if the data were stored locally.
Collaboration is key
Cybersecurity can only be effective when everyone in the company is working from the same page, according to Smith. In particular, he says it’s important that the CEO, the executive team and business owners are intimately involved in the cybersecurity needs of the business.
“There have been situations where upper management has been 99 per cent at fault, whether from not listening to advice of employees or not paying contractors,” Smith says. “They need to work closely with the HR managers who are monitoring the people, as well as the policy and project managers. All three need to sync together before you even look at IT.”
It’s often said that people are a company’s biggest asset. However, as Smith likes to point out, it’s also important to remember that when it comes to cybersecurity: “The human is always the weakest link.”