Too often, HR is not considered when thinking about cybersecurity protection. Businesses focus on financial data and other intellectual property, but HR data also contains important information that needs to be protected.
This important HR data most likely includes current and former employee information in addition to that for potential candidates. Even if this data is stored on encrypted servers, HR usually shares this information over other mediums such as email, text, and instant messaging, which can be easily hacked.
Assess Your Risk
A good first step is to assess your risk. Conduct an internal audit of the types of employment and benefits information you gather, how much data of each type you’re currently retaining, where it’s stored, as well as who’s using it and how.
Don’t be surprised if you discover multiple redundancies regarding where data is stored. Many organizations also discover they’ve been holding on to HR data for far too long. You could even be shocked to learn that employees aren’t following security protocols, assuming you have widely understood and enforced ones in place to begin with.
Four Guidelines To Follow
To better protect sensitive HR information, follow these four guidelines:
1. Collect only what’s absolutely needed. Some organizations are unnecessarily thorough when it comes to gathering information on current and former employees, as well as job candidates and even independent contractors. Ideally, you want to establish a set list of data points to collect — appropriate to your needs, of course — and limit yourself to those.
2. Encrypt everything. This may seem to go without saying but, following an audit of your HR data, you might find that some sensitive information isn’t encrypted. It’s for this very reason that employers need to know precisely where every bit of employment-related data is stored and shared.
3. Implement strict policies governing who may access and use HR data. Carefully devised, clearly worded, and regularly updated cybersecurity policies are now a must for every type of organization — no matter how big or small.
One important concept to integrate into your policies is ‘least privilege.’ This is the general rule that employees should be granted only the absolute minimum levels of access needed to perform their job functions.
4. Retain data for limited periods. They say on the Internet, or more specifically the cloud, everything lasts forever. But it doesn’t have to. Regularly delete HR data that you no longer need. Be sure to comply with federal and state statutes for file retention related to tax reporting and other important matters, including legal investigations.
Stay Out Of The Dark
There’s reportedly a huge market for stolen HR information on the ‘dark web’ — the alternate version of the Internet where hackers go to sell their ill-gotten gains. Be sure to take the necessary steps to protect your organization because the associated costs of a data leak, HR or otherwise, can be devastating.