Feb 26, 2019 | Geoff Whiting
4 Ways to Protect Your Organization's HR Data
Data breaches are growing more challenging to weather as they become more expensive each year, rising 6.4% in 2018, according to an IBM Security and Ponemon Institute study.
And while big customer data breaches often make the news, internal data can also pose big risks for organizations. “People are very vigilant with customer data and credit card data, but HR’s sensitive data is often overlooked,” said Erika Lance, senior vice president of people operations at security awareness training firm KnowBe4. “HR systems have a gold mine of information and some of the greatest security risks because they hold social security numbers and bank accounts.”
Here’s how to keep your employees’ data safe.
Start With a Data Inventory
Protecting organizational and customer data requires an understanding of what you currently hold. Conduct a thorough review of HR data, sales and marketing databases, email lists and content, account information and more.
Your company may discover that it is holding sensitive information it doesn’t need to keep. Employ legal and operational teams to remove unneeded data, and limit who can access sensitive information.
Train Staff About Common Threats
Make sure every team member has effective training on security practices. Anyone can click a bad link or download a malicious program that infects your network.
“Training is everything,” says Heather Clauson Haughian, founder and managing partner of law firm Culhane Meadows. “The vast majority of data breaches are now caused by social engineering, not defeating state-of-the-art security systems. If hackers can trick employees into falling for deceptive emails, they’re going to take the easy route.”
Probe for vulnerabilities by conducting tests outside of designated training times. Target each department throughout the year with malicious emails and links as well as attacking the network directly.
“This will let you know if employees retained the information in their training and are actually using it,” recommends Adnan Raja, vice president of marketing for the compliance-focused hosting provider Atlantic.Net. “Testing may be as simple as having IT send out a phishing email to see how employees react.”
Clarify Which Laws Apply to You
Security policies must protect your company against illegal activities while meeting regulatory requirements. You may need compliance support to ensure IT and HR efforts meet legal demands of your industry, operations, location and customers.
“You may be in Chicago, but you collect data about individuals from the EU who are in Chicago, so you need to understand the implications of the GDPR,” Haughian says. “Or, if your Chicago-based company collects data about individuals from California, you need to understand the implications of the California Consumer Privacy Act and just how stringent this new law is.”
Adopt More-Secure HR Technology
The IBM and Ponemon Institute study found using encryption technology to be one of the most significant ways to decrease data breach costs. It can also limit the impact of internal and external threats.
“HR teams specifically should implement a true HRIS (Human Resources Information System),” Lance says. “Based on our research, many other software options don’t have proper security parameters in place. Some vendors don’t even have encryption for key data. If you don’t have a solid system like that in place with payroll and benefits integrated, you can be very prone to data exposure and data breaches.”