[BreachExchange] How Your HR Department Can Improve Information Security and Prevent Data Loss

Destry Winant destry at riskbasedsecurity.com
Mon Oct 29 15:50:50 EDT 2018


In an era where cybersecurity regularly makes the headlines and data
is increasingly valuable, it’s often IT professionals who take the
spotlight. While tech pros are certainly critical to information
security safeguards, they aren’t alone. Your HR department can and
should play an important role in protecting the sensitive data your
business houses. Their involvement can make all the difference in
limiting your overall business risk.

Consider Your Data

When looking at HR’s relationship with information, it’s necessary to
first understand the different types of data being collected. This can
include anything from employee and candidate social security numbers
on applications, criminal background checks, bank account numbers,
insurance forms, and medical records, as well as other pieces of
information unique to your business. At the same time, how long are
these records being housed? If there isn’t a legal reason to keep a
sensitive piece of information anymore, it’s often better to destroy
it rather than allow it to sit on servers as a security risk.

Consider also how your HR data is housed. HR departments are
increasingly going paperless. If yours is one of them, is all of your
data housed in the cloud, on-premise, or in a hybrid model? What is
the password protection like, and who has access to the data
warehouse? Is information safely backed up elsewhere, or are employees
using online storage services like Dropbox without the appropriate
level of caution? IBM recently banned flash drives and other removable
storage from their premises in an effort to avoid those devices being
lost or stolen, and to inhibit them from introducing a virus from
outside the company.

While not every company will take such drastic measures, it serves as
an example that business leaders must consider every aspect of their
data. You’ll also need to consider hard copies of sensitive
information. Where are they stored and who has access to them? How are
they backed up in case of a fire, flood, or other natural disaster?
Ignoring even one detail surrounding data can introduce a dangerous
amount of risk into any business.

Keep HR Software Up-to-Date

The HR departments of larger organizations may be able to rely on a
robust IT department to update software programs and operating systems
and check them for vulnerabilities, but small and medium-sized
businesses don’t often have that luxury. HR software, such as employee
portals, is an excellent time-saver, but it should only be
introduced into a company if it can be properly maintained and
updated. What happens when an employee logs into an employee portal
from their home laptop, which has a virus they don’t know about?
Employers can sometimes be held liable for the identity theft of
employees, and out-of-date programs are a top avenue for losing vital
employee personal information.

Include Information Security in HR Training

Human Resources employees aren’t expected to be technology experts,
but only 59% of HR employees are trained in cybersecurity practices as
they relate to their role. Considering that 90% of cybersecurity risks
are caused by human error, it’s imperative that HR employees are
properly trained in how to take care of the sensitive data they work
with. Train employees so they know how to spot vulnerable data or
potential threats. Make sure they understand what phishing emails look
like and that they don’t send a sensitive document to a non-company
email address. In other words, HR employees must carefully follow the
policies protecting your data, and regular training ensures that

Review Hiring and Employee Engagement

Employees with severe malicious intent are rare, but something to
safeguard against nonetheless. Naturally, every business wants to
recruit trustworthy employees, but in a hectic environment it can be
easy to overlook an applicant’s red flag or checkered past. Your
employees’ personal information is extremely valuable on the dark web,
and people will go to great lengths to obtain it. HR holds the power
to not just spot a candidate who may be prone to such behavior, but to
also identify current employees who have become disengaged or
disgruntled. After all, an employee conflict can leave a heated staff
member deleting or damaging another’s sensitive information in a
moment of regret.

How Your HR Department Can Improve Information Security and Prevent Data Loss

Ultimately, an efficient and knowledgeable HR department minimizes
business risk. Nowhere is this clearer than when it comes to
information security within human resources. By looking at your
organization’s data from a high level, updating software, implementing
robust training, and reviewing employee hiring/engagement, you can
limit future data loss and prevent cybersecurity breaches.
