Security vulnerabilities every HR department should be concerned about
HR professionals are, for the most part, in charge of an organization’s most sensitive data. An HR department is typically tasked with the management of personal, financial, and health information, as well as other sensitive data such as credentials and proprietary secrets. Because of this, it’s not surprising that there has been a steady increase in cybercrime that specifically targets HR departments. Protecting confidential data is critical because the consequences are severe, both financially as well as to a company’s reputation. In this article we will look at some of the security risks that HR professionals face, HR’s role in preventing a security breach, and HR file management technology that secures sensitive information.
A 2018 study by Forrester Research revealed that 55% of network security professionals reported experiencing at least one data breach in the past year. Of those breaches, 44% were the result of employees who unintentionally exposed sensitive data to attackers. The most common way this happens is through “business email compromise,” more commonly known as email phishing attacks.
Human resources departments typically receive more email than any other office, making them highly vulnerable to this type of threat. For example, an attack might start with an email sent to HR that appears to be from an employee but is in fact not. The email instructs payroll personnel to change the employee’s banking information to an account controlled by the attacker. If HR complies and the money is sent, that money can be lost forever. Other types of phishing attacks might aim to collect personal data, such as social security numbers or login and password information, that can be sold on the dark web for profit or used to compromise the business or its employees in other ways.
Establishing controls for how HR information is communicated, for example using eForms instead of email, and setting policies for the dissemination of information to employees, is key to avoiding attacks of this nature.
Ransomware is a particularly disturbing type of attack that has quickly gained momentum. In the first three months of 2016, cybercriminals made over $209 million from ransomware extortions, which was more than the entire previous year. Ransomware works by infecting a computer with malware (often downloaded as an email attachment such as a fake job application) that holds all files hostage until a ransom is paid. This malware can quickly spread through a company’s network, essentially crippling an organization. It is often more affordable to pay the ransom than it is to go without access to critical files for a long period of time. Small businesses, whose security practices are typically not as robust, tend to be more vulnerable. However, many large organizations, including entire cities, have been the victims of ransomware.
Ensuring that digital information is properly backed up and held in a secure system that is not vulnerable to ransomware is essential. Backups that the infected machine can reach over a shared drive are themselves at risk, so they should be kept offline or otherwise out of reach of an infected workstation.
While external threats to HR data are very daunting, it’s important that HR employees do not overlook internal risks (both intentional and unintentional). Unintentional internal risk factors might include employee negligence, such as inappropriate Web surfing or installing unauthorized software. However, intentional, malicious activity cannot be ruled out. For example, an employee might attempt to gain access to sensitive information in order to gain a competitive advantage over his or her co-workers, or to use confidential information to secure a position at another (competing) organization.
Properly securing information is the first step, but monitoring access with reports and keeping an audit log of activity (who opened or changed which record, and when) are necessary to fully ensure that these risks are mitigated.
HR’s Role in Security
Education is Key
The most important role that HR professionals can play in an organization’s security is that of educator. Maintaining a robust security awareness program is the most effective way to ensure information security is in alignment with an organization’s goals and priorities. Developing well-documented HR policies and best practices will help employees to better understand what they must do (and not do) to avoid threats. Procedures for reporting a data breach and responding to an incident must also be clearly laid out.
Balancing Access with Security
HR professionals must ensure that employees have easy access to the information they need without exposing sensitive data in the process. Software with role-based access control can help greatly, granting each role only the records it needs while at the same time recording who is accessing which files and when. Scanning paper files into a secure system can also help to ensure that paper files containing sensitive information are not lost or do not fall into the wrong hands.
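The two controls the article asks for here, role-based access and an audit log that can be turned into access reports, fit together in a small amount of code. The following is an added example, not the article’s code or any vendor’s product; the roles, permissions, user names and record contents are constructed for illustration, and the in-memory store stands in for a real HR file management system. Every access attempt, allowed or denied, is logged so that a report can show who reached (or tried to reach) a payroll record and when.

```python
"""Role-based access control with an audit trail for HR records.

Added example (not the article's or any vendor's code). The roles,
permissions, users and records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Each role is granted an explicit set of "<record type>:<action>" permissions.
# Anything not listed is denied (default deny). Hypothetical role names.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "hr_admin": {"employee_file:read", "employee_file:write",
                 "payroll:read", "payroll:write"},
    "payroll_clerk": {"payroll:read", "payroll:write"},
    "manager": {"employee_file:read"},
    "employee": set(),
}


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str   # ISO 8601, UTC
    user: str
    role: str
    action: str      # "read" or "write"
    record: str      # "<record type>/<record id>"
    allowed: bool


class HRRecordStore:
    """In-memory stand-in for an HR file management system."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}
        self.audit_log: List[AuditEvent] = []

    def _authorize(self, user: str, role: str, action: str, record: str) -> None:
        record_type = record.split("/", 1)[0]
        allowed = f"{record_type}:{action}" in ROLE_PERMISSIONS.get(role, set())
        # Every attempt is logged, denied ones included, so reports can show
        # who tried to reach what and when.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, action, record, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {record}")

    def write(self, user: str, role: str, record: str, content: str) -> None:
        self._authorize(user, role, "write", record)
        self._records[record] = content

    def read(self, user: str, role: str, record: str) -> str:
        self._authorize(user, role, "read", record)
        return self._records[record]


def denied_attempts(store: HRRecordStore) -> List[AuditEvent]:
    """All access attempts that were refused: the first thing to review."""
    return [e for e in store.audit_log if not e.allowed]


def access_report(store: HRRecordStore, record: str) -> List[Tuple[str, str, str, bool]]:
    """Who touched a given record, how, and whether they were allowed to."""
    return [(e.timestamp, e.user, e.action, e.allowed)
            for e in store.audit_log if e.record == record]


def demo() -> dict:
    """Walk through allowed and denied accesses; returns data the test checks."""
    store = HRRecordStore()
    store.write("alice", "hr_admin", "employee_file/1042", "address: 1 Main St")
    store.write("bob", "payroll_clerk", "payroll/1042", "bank: ACCT-CONSTRUCTED")
    # A manager may read the employee file...
    file_contents = store.read("carol", "manager", "employee_file/1042")
    # ...but not payroll; the attempt is denied and still logged.
    try:
        store.read("carol", "manager", "payroll/1042")
    except PermissionError:
        pass
    # A co-worker with no role-granted access to the file is also denied.
    try:
        store.read("dave", "employee", "employee_file/1042")
    except PermissionError:
        pass
    return {
        "file_contents": file_contents,
        "denied": [(e.user, e.record) for e in denied_attempts(store)],
        "payroll_report": [(user, action, allowed)
                           for _, user, action, allowed in access_report(store, "payroll/1042")],
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

The point worth noting is that denied attempts are logged rather than silently dropped: the "denied" list is exactly the report an HR administrator would review to spot the insider scenario described above, where someone probes records their role does not cover.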
A Secure System for Human Resources
It is critical that all members of an organization understand and implement good security practices. However, HR professionals must take extra care due to the sensitivity of the data they manage. With the right tools and education, HR employees can be highly effective at protecting the sensitive data they are entrusted with.
Deploying an HR file management system alleviates many of the most serious information security concerns around sensitive HR data. The system controls access to files and records a history of everything that happens to them. Rather than storing files on a personal drive or shared network location, where they are exposed to any malware running on a connected workstation, an HR file management system that stores documents in a database goes a step further by keeping them out of reach of malware that would otherwise walk the file system and systematically encrypt or corrupt them.