HR deals with mountains of sensitive employee data and must do a better job of protecting that information. Here's a look at how they can do just that.
Organizations and their HR departments have vast quantities of personal data on their employees and the wide variety of different people who have an employment-like relationship with the business. That's why HR data security is such a critical issue for chief HR officers and their teams.
HR has some of the most valuable data in an enterprise. That includes personal details, such as banking data, Social Security numbers, birthdates, family history, work history, background checks, health insurance records, discipline records and biometric data.
Some of these types of data are covered by data breach laws that require protections, but some of the data is very sensitive and may not be covered by a law or regulation in the United States. Multinational and international organizations must abide by additional laws around the protection of personal information.
Whether governed by laws or not, all HR data is potentially very sensitive and could have a significant effect on people if there is a security incident or data breach. Data breaches such as the Office of Personnel Management or Equifax data breaches will have long-lasting effects on the people whose data was compromised. Even seemingly mundane attacks or phishing scams for employee W-2s can have an effect on employees. Much of this data could be used for identity theft, or even worse.
HR data security is complex
All this data resides on a multitude of different technology systems, ranging from individual desktop computers to shared drives with files, including spreadsheets, HR applications and systems, cloud services and email, to name just a few.
The security protections across all these systems may be inconsistent and difficult for HR to understand, given the differences between all the systems. Some of this data must be shared with outside parties, which adds to the complications. In addition, the HR and IT teams may share responsibility on how systems are secured. IT or the information security team might secure enterprise-wide HR applications, and HR may need to run and secure departmental or cloud services.
Some HR data is critical for running core IT services, such as identity and access management. HR must share employee information to determine who should get an account, what access the account should receive and potentially how access could be delegated. HR data is also critical in deprovisioning access when someone is terminated or leaves the enterprise.
HR data security and information security connection
With HR using so many different types of data and systems, identifying all the ways needed to secure the data and systems can be very difficult.
Whether governed by laws or not, all HR data is potentially very sensitive and could have a significant effect on people if there is a security incident or data breach.
The first place to start is to perform a risk assessment of the systems and data to identify the highest areas of risk. This could be part of an enterprise risk management plan or just focused on IT risks. Once IT and HR complete a risk assessment, developing a risk mitigation plan to address the highest-priority risks could include getting a budget or buy-in from management to prioritize implementing the protections.
Some of the protections may even be available in an existing enterprise's information security program. IT and HR should design security controls to ensure it's as easy as possible to securely use the systems and so people don't need to take manual steps to protect the data or take higher-risk steps to get their jobs done.
Here are some additional examples of basic information security controls that can help protect HR data and systems:
IT or HR should provide basic security-awareness training about how to securely use the enterprise systems. For example, all users should know they should not share accounts.
Encrypt sensitive data, including sensitive data emails, because it's so easy to accidently send an email with a spreadsheet containing sensitive data to the wrong person.
Only give access to the necessary people involved and remove access when it isn't needed, especially when someone leaves the enterprise.
As part of protecting access, implement multifactor authentication to systems with remote access to sensitive data. And depending on the risk, implement multifactor authentication on all access to systems with sensitive data. This will make it much more difficult for an attacker to phish the password of a legitimate user to gain access to the system.
As part of protecting the data, IT or HR must make sure the data is appropriately backed up so it's safe from ransomware.
To complement data backup, IT or HR must identify sensitive data and how long it should be retained to help minimize the impact from a data breach, should one occur.
For cloud services, ensure the service is implemented securely, monitored over time and the contracts meet enterprise security requirements.
IT or HR should monitor enterprise systems for potentially suspicious activity. For example, if someone logs in from their normal computer and then from a computer in a foreign country at the same time, IT and HR should probably investigate it.
HR data security requires prioritization, partnership
HR has a multitude of responsibilities, requirements, laws, regulations and rules they need to handle on any given day, and protecting sensitive HR data on IT systems is critical to add to those responsibilities.
While the diversity of data and systems used in HR may make protecting everything seem impossible, HR and IT must prioritize working together to manage these risks. Identifying the highest risks and implementing the agreed-upon protections will ensure this gets started and managed over time as an enterprise risk, not just an HR risk.
