As a Human Resources (HR) professional you are involved in the most private aspects of your fellow employees’ work lives. You’re an expert in compensation and benefits, managing numerous uncomfortable topics, such as substance abuse, workplace hostility and unethical behaviour.
You also know that employee data privacy is core to the employee experience and employee retention, but the digital transformation of human resources to electronic data storage has made protecting employee privacy a lot more complicated. Digital records make life much easier for HR professionals, but they also make sensitive data much easier to steal.
Compliance is also an ongoing issue, and HR leaders can no longer treat the security and privacy of employee data as the sole responsibility of IT. HR executives will play a key role in any company’s data breach response, as new compliance mandates such as the European Union General Data Protection Regulation and the Australian Notifiable Data Breaches scheme apply to the protection of employee data.
HR leaders can expect more, not fewer, privacy laws in the future.
To secure sensitive employee data, an organization must go beyond common security mechanisms like role-based access control and encrypted network connections.
Large enterprises often segment their HR systems and the IT staff that manages them, but this approach is increasingly ineffective as HR departments move to the cloud, employees work from home, and HR users store more and more employee data on general-use file servers and shared drives.
The best practices for securing sensitive employee data and ensuring compliance include anticipating and preempting the accidental and malicious paths by which sensitive employee data may be improperly disclosed, as well as putting controls in place to reduce the impact of an employee data breach to an acceptable level.
The first step in protecting and securing sensitive employee data is to realise employee data resides in far more places than just the Human Resources Information System (HRIS) and payroll solution.
Although HRIS environments are the main repository for payroll, benefits, and other administration, HR employees constantly export that data and store it in other places.
Email and email attachments are commonly used to exchange sensitive data with employees, other departments, and third-party service providers.
Outside attackers understand that the best way to compromise data is to compromise the account of someone who can access it.
Multi-factor authentication (MFA) helps protect sensitive data by requiring that a user successfully present something they know (a password) and something they have (a numeric code texted to their mobile phone) in order to access this data.
Reputable providers of cloud HRIS systems will offer MFA as a feature, but legacy systems such as a departmental file share may or may not support MFA.
HR executives must demand that MFA is enabled, at least for remote and IT administrator access to systems that contain sensitive employee data.
Part of onboarding and offboarding employees is ensuring they have access to the systems required to do their jobs when they join and then making sure that access is removed when they leave or are reassigned. The same must be true for access to sensitive employee data.
HR departments need to take responsibility for making sure access to sensitive employee data is properly managed. This does not mean you need to do the job of IT, but you do need to verify that IT is configuring access to employee data according to business need-to-know and corporate role-based access policies.
Because IT administrators have full access to all data, HR professionals need to ensure that IT administrators cannot mistakenly or maliciously expose sensitive data.
Most IT personnel are well-trained and trustworthy, but there are always those who cannot resist the temptation to look up the salaries of other employees, who has a history of substance abuse, or the result of a privileged investigation.
Further, outside attackers often, if not always, compromise IT administrator accounts because they know those accounts have full access to all data.
Requiring MFA for IT administrator accounts will help, but MFA does not change the fact that IT administrator accounts can be used by employees or attackers, mistakenly or with bad intent, to access data they should not see.
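The verification described above (access granted only on business need-to-know, removed at offboarding, and MFA enforced on administrator accounts) can be turned into a recurring access review. The following is an added example and is not code from the original article or from Cocoon Data's product; the role policy, the HR directory export and the file-share ACL export are all constructed, hypothetical sample data, and a real review would read them from the HRIS and the file server instead.

```python
"""Access recertification check for an HR file share (added example).

All data below is constructed for illustration; the policy, accounts and
ACL entries are hypothetical and do not describe any real system.
"""
from collections import Counter
from dataclasses import dataclass


# Hypothetical need-to-know policy: which HR roles may read each data class.
ROLE_POLICY = {
    "payroll": {"hr_payroll", "hr_manager"},
    "investigations": {"hr_manager"},
    "benefits": {"hr_benefits", "hr_payroll", "hr_manager"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    status: str        # "active" or "terminated" (from the HRIS export)
    is_admin: bool     # IT administrator account with full data access
    mfa_enabled: bool  # MFA enforced on the account


@dataclass(frozen=True)
class AclEntry:
    path: str
    data_class: str    # one of the ROLE_POLICY keys
    user: str


# Constructed HR directory export.
DIRECTORY = [
    Account("alice", "hr_payroll", "active", False, True),
    Account("bob", "hr_benefits", "active", False, True),
    Account("carol", "hr_manager", "terminated", False, True),  # left last month
    Account("dave", "it_admin", "active", True, False),         # admin, no MFA
    Account("erin", "it_admin", "active", True, True),
]

# Constructed file-share ACL export (one row per user with read access).
ACL = [
    AclEntry("/hr/payroll/2020-salaries.xlsx", "payroll", "alice"),
    AclEntry("/hr/payroll/2020-salaries.xlsx", "payroll", "bob"),
    AclEntry("/hr/investigations/case-17.docx", "investigations", "carol"),
    AclEntry("/hr/investigations/case-17.docx", "investigations", "dave"),
    AclEntry("/hr/benefits/enrolment.csv", "benefits", "erin"),
    AclEntry("/hr/benefits/enrolment.csv", "benefits", "frank"),
]


def review_access(directory, acl):
    """Return (finding_type, user, path) tuples for every ACL entry that
    needs HR attention. Entries that satisfy the policy produce nothing."""
    accounts = {a.user: a for a in directory}
    findings = []
    for entry in acl:
        acct = accounts.get(entry.user)
        if acct is None:
            # Access granted to an identity the HRIS does not know about.
            findings.append(("unknown_account", entry.user, entry.path))
        elif acct.status != "active":
            # Offboarding did not remove the access.
            findings.append(("stale_access", entry.user, entry.path))
        elif acct.is_admin:
            # Admin access is always listed for review; missing MFA is worse.
            kind = "admin_access" if acct.mfa_enabled else "admin_without_mfa"
            findings.append((kind, entry.user, entry.path))
        elif acct.role not in ROLE_POLICY.get(entry.data_class, set()):
            # Active employee whose role has no business need for this data.
            findings.append(("role_violation", entry.user, entry.path))
    return findings


def summarize(findings):
    """Count findings by type, for the report HR hands back to IT."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, user, path in review_access(DIRECTORY, ACL):
        print(f"{kind:18} {user:8} {path}")
    print(summarize(review_access(DIRECTORY, ACL)))
```

Run against the sample data, the review lists five entries to act on (a role violation, a departed employee's leftover access, an administrator without MFA, an administrator with MFA flagged for routine review, and an account the HRIS does not recognise) and is silent about the one entry that complies with the policy.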
Cocoon Data will help control sensitive employee data that needs to be distributed to employees securely. Cocoon Data helps HR departments not only to decrease the risk of an employee data breach and ensure privacy compliance, but also to establish multilayer access control that provides granular security depending on the sensitivity of the file.
Cocoon Data’s Multi-level Access Control
Sep 22, 2020