No HR professional is exempt from the planning.
Take the work out of creating and maintaining an employee handbook.
SHRM Seminars will host HR education every month in San Francisco this fall! Select the program that meets both your scheduling and development needs.
Join us, September 27 - 28.
Chances of being compromised dwindle when HR makes sure IT is qualified to handle data security
With more data breaches occurring each year, is your IT department equipped to handle the aftermath?
On Aug. 18, 2014, Community Health Systems Inc.—one of the largest hospital systems in the country—said cyber thieves stole the Social Security numbers and other personal information of more than 4.5 million patients, according to news reports.
Earlier in August, 1.2 billion user names and passwords and 542 unique e-mail accounts were stolen by Russian hackers from 420,000 websites worldwide, according to The New York Times. Companies panicked, mostly because Hold Security, which discovered the breach, declined to identify the sites affected, citing confidentiality concerns.
Many companies have since scrambled to change passwords and review security protocols. But experts say repeated breaches of this nature should prompt human resource departments to make sure their IT staffs are capable of protecting their corner of the Internet kingdom.
The risk of a data breach is an ongoing problem for any company doing business online. In a 10-year study, the number of data breaches has risen to more than 5,900, according to Verizon’s 2014 Data Breach Investigations Report.
According to the ninth annual 2014 Cost of Data Breach Study: Global Analysis from research organization the Ponemon Institute, the average total cost of a data breach for companies participating in the study increased 15 percent in one year, to $3.5 million.
Experts say preventing data security breaches today requires forward-thinking. “It’s far more complex than just changing passwords,” said David Shearer, chief operating officer of International Information Systems Security Certification Consortium (ISC²), a nonprofit that certifies information and software security professionals worldwide. “We have to look at our personnel side and see what we need to be secure,” he said in a phone interview.
Shearer likened it to having a home security system. “You need to know your access points—windows, doors. You need to know where the weakest links are and what you can do to mitigate those risks. You have to do more than change passwords.”
The most important thing, Shearer and other experts have said, is for HR practitioners to make sure they have theproper staff in place to handle such issues. If not, hire an expert to assess risk and address damage.
“Look for third-party, credible companies that come in and do a risk assessment to see the level of vulnerabilities that [you] may have,” Shearer said. “You have to understand your vulnerabilities first. Otherwise you run the risk of taking a piecemeal approach” to keeping your data secure.
Once a breach has been detected, Shearer said companies should determine how it occurred.
“Was this a failure of existing policies, principles, practices and procedures?” IT should look at the root cause of a breach. Ask: “‘Has someone done something that introduced a vulnerability?’” he said.
“If they understand how this happened then they can … develop the policies and training to ensure it doesn’t happen again.”
Assessing the internal team is important as well. “Was it a breakdown in the system or a mistake?” Or the problem may be that “you don’t have the right people operating your IT security program,” Shearer said.
“There really is no perfectly secure system, but with the right skills and training, you may reduce [your] odds. The chances of you not being compromised are far better.”
Just as you wouldn’t give your house keys to every neighbor on your block, HR should make certain the IT department strategy includes making sure only certain people have access to certain levels of data.
“Keep data on a need-to-know basis,” Verizon advised in its recent data breach report. Companies should limit staff access to only the systems needed to do their jobs. “And make sure that you have processes in place to revoke access when people change roles or leave.”
IT staff also needs to be aware of security risk trends ahead of news reports, experts say.
“Companies should definitely have their IT staff subscribe to security bulletins, and numerous sources will push information” about security issues to you, said Jonathan Villa, an information security consultant with 1030Tech, a security consultancy based in Milwaukee and Chicago. “They’ll tell you details about vulnerabilities, severity, how the breaches are being done—all IT departments should have a subscription to security bulletins; that way they know when their servers are vulnerable to exploits that are out there and from there they can execute a patching cycle,” to fix vulnerabilities.
Meanwhile, HR needs to continually assess its IT team’s capabilities. Here are some things every HR manager should keep in mind when improving policies on security and training for IT staff:
Aliah D. Wright is an online editor/manager for SHRM.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
CA Resources at Your Fingertips
SHRM’s HR Vendor Directory contains over 3,200 companies