By Gordon Rapkin
The recent announcement of the federal government data breach made it clear that employee information is vulnerable. We collect personal information every day and file it away, with barely a thought for its safety and confidentiality. However, HR owes employees confidentiality – end of story, and there are no excuses.
Too often, HR is low on IT’s priority list, and HR is lacking a strong enough voice to focus corporate action on protecting employees’ personally identifiable information. In most organizations, HR has several different information systems, and tons of paper files. The information systems require IT attention to ensure they are secure and all data is safely encrypted when at rest and when it is in transit. Too often, the perimeter of the organization and perhaps even access to the HR applications are secure, but the data in the system is not encrypted. This leaves the door open to an industrious hacker to go around the application and attack the unencrypted database directly. Think of this as crunchy on the outside, but soft in the middle. Break through the outer layers of protection, and the data is yours.
The second problem area is all of the paper HR documents and how they are used. The file cabinets and file rooms may be locked up and secure, but the minute anyone asks to see the contents of these HR files, a clerk will typically copy the files and mail them, or scan the files and email the images. Both are terrible practices that leave employee data exposed.
The ideal solution is to convert all of the paper files to a secure digital document management environment. A proper digital environment will act like a vault. Everything in the vault must be encrypted, and nothing should ever leave the platform. When someone requests access to a document, they should only receive a secure link back to the original image in the vault, not an email with an attachment, and there should not be an option to download the document or do anything with it that would expose it to risk. When documents are accessed, the person looking at the document needs to pass through multiple security hurdles, including two-factor authentication (request access, receive a PIN on your phone, and enter the PIN into the application to open the vault). Any and all access to employee documents needs to be logged and monitored so that there is always a secure audit trail of who touched what, and when.
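As an added illustration of the access flow just described (not code from this article or from any product; the function names, the in-memory stores and the `|`-separated token format are assumptions, and user and document IDs are assumed not to contain `|`), the vault below issues a signed, expiring link, requires a one-time PIN, and records every attempt in a hash-chained audit trail:

```python
import hashlib, hmac, json, secrets

LINK_KEY = secrets.token_bytes(32)  # assumption: secret known only to the vault service
AUDIT = []      # hash-chained audit trail (in memory for this demo)
PENDING = {}    # (user, doc_id) -> (pin, pin_expiry)

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def audit(user, doc_id, event, now):
    """Append an entry whose hash covers the previous one, so edits are detectable."""
    body = {"user": user, "doc": doc_id, "event": event, "ts": now,
            "prev": AUDIT[-1]["hash"] if AUDIT else "0" * 64}
    AUDIT.append({**body, "hash": _digest(body)})

def audit_intact():
    """Recompute the chain; False if any entry was altered, removed or reordered."""
    prev = "0" * 64
    for entry in AUDIT:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["hash"] != _digest(body):
            return False
        prev = entry["hash"]
    return True

def _sign(payload):
    return hmac.new(LINK_KEY, payload.encode(), hashlib.sha256).hexdigest()

def make_link(user, doc_id, now, ttl=300):
    """Link token bound to one user and one document, valid for ttl seconds."""
    payload = f"{user}|{doc_id}|{now + ttl}"
    return f"{payload}|{_sign(payload)}"

def request_access(user, doc_id, now, ttl=120):
    """Issue a one-time PIN; sending it to the user's phone is outside this example."""
    pin = f"{secrets.randbelow(10**6):06d}"
    PENDING[(user, doc_id)] = (pin, now + ttl)
    audit(user, doc_id, "pin_issued", now)
    return pin

def open_document(token, user, pin, now):
    """Check signature, user, expiry and PIN; any attempt consumes the PIN and is logged."""
    parts = token.split("|")
    t_user, doc_id, expiry, sig = parts if len(parts) == 4 else ("", "", "0", "")
    issued_pin, pin_exp = PENDING.pop((user, doc_id), ("", 0))
    ok = (hmac.compare_digest(sig.encode(), _sign(f"{t_user}|{doc_id}|{expiry}").encode())
          and t_user == user and now <= float(expiry) and now <= pin_exp
          and issued_pin != "" and hmac.compare_digest(pin.encode(), issued_pin.encode()))
    audit(user, doc_id, "viewed" if ok else "denied", now)
    return ok
```

The `now` argument is passed in explicitly so that expiry behaviour can be exercised without waiting; a deployment would use the server clock and persist the audit trail to append-only storage.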
The last problem practice in many HR departments is the pervasive use of spreadsheets to hold really sensitive data. Typically, an HR person will download lists of employees with all sorts of sensitive data such as salary, date of birth, address, etc., and put it all into a spreadsheet on their computer. Their purpose may be to model salary ranges or increases, or to create demographic reports, but the reality is that these spreadsheets are prime targets and high-risk failure points. Even worse, the typical behavior is to email the spreadsheet to a supervisor or field manager – YIKES.
At a minimum, any spreadsheet containing PII needs to be encrypted and password-controlled, and the password should not go in the email with the file attached. Even better, the spreadsheet needs to be controlled by technology that makes it self-destruct after a very short time. That way it will not sit in the recipient’s inbox or on their hard drive forever.
HR departments need to build a culture of security, and they need to adopt a posture of paranoia that keeps them ever vigilant about employee data. When it comes to protecting employee information, there is no such thing as ‘pretty good protection’; only absolute protection counts.