Which Is Worse: Data Breach or Natural Disaster?

Stolen HR data incidents force workplaces to prepare for inevitable

By Aliah D. Wright Mar 19, 2015

Violence. Disease outbreaks. Natural disasters. Work impeded by storm closings. These have often been the most pressing concerns for employers, but a new survey reveals that the No. 1 fear today is a cyberattack.

The survey comes just as Premera Blue Cross, an insurer serving millions of people and businesses in Alaska and Washington, reported March 18, 2015, that hackers may have stolen HR data. Up to 11 million of its customers may be affected, as their credit card numbers, Social Security numbers and medical information may be at risk. The insurer discovered the breach Jan. 29—about the same time Anthem Blue Cross told the FBI it was breached. Some experts are calling the Premera attack worse than the Anthem breach because the Premera hackers may have gained more information than the hackers in the Anthem attack, including members’ clinical information, birth dates, e-mail addresses, physical home addresses, telephone numbers, and identification numbers, as well as bank account information and claims information.

According to the International Foundation of Employee Benefit Plans (IFEBP), 37 percent of respondents to its 2015 Workplace Threats survey said their biggest concern was being the victim of a cyberattack. That percentage represents a nearly 75 percent increase compared to five years ago.

Eighteen percent of companies surveyed said they have experienced a cyberattack. An additional 18 percent said they experienced a data breach.

The other issues respondents cited as their top workplace concern were:

  • Internal data security breach: 25 percent.

  • Workplace violence: 19 percent.

  • Natural disaster: 12 percent.

  • Disease outbreak: 2 percent.

  • Terror or bomb threat/attack: 2 percent.

    Preparing for the Worst

    What’s HR to do? Plan ahead.

    From natural disasters to disease outbreaks, many companies have already developed plans and are financially equipped to handle threats. Sixty-four percent of organizations report devoting more financial resources to crisis prevention today than they did in 2010, the survey said.

    The Society for Human Resource Management (SHRM) offers a number of resources for HR professionals seeking information on planning for the unexpected. The SHRM website also has a Disaster Prep and Response Resource Page.

    Planning is critical not just for business continuity but also for survival. A report from Boston-based researchers the Aberdeen Group revealed that the average number of disaster recovery events in 2012 was 3.5 per midsize organization, with the average downtime per event being three to four days, and a cost estimated at $74,000 per hour.

    According to the Institute for Business and Home Safety, 25 percent of businesses never reopen after a major disaster. The Red Cross puts that figure slightly higher, at 40 percent.

    And for some businesses, a cyberattack can be a major disaster.

    “With all the different threats facing employers today, it was interesting to see cyberattacks clearly emerge as the greatest concern,” said Julie Stich, research director at IFEBP. “It is positive to see the financial preparedness of organizations and the preventive steps being taken.”

    According to the study, organizations say they are preparing for threats by:

  • Restricting access to electronic files: 63 percent.

  • Instituting a plan to communicate with and account for all workers: 62 percent.

  • Backing up all HR and benefits records: 57 percent.

  • Retooling evacuation plans: 56 percent.

  • Administering free flu shots or other immunizations: 53 percent.

  • Instituting a mobile device at work policy: 44 percent.

    Cybercrime as Career?

    Richard Turner, vice president at cybersecurity firm FireEye, told Newsweek that cyberattacks are inevitable and the best way to combat them is for countries to work together to thwart cybercrime as a career path.

    “We can encourage businesses to spend as much money on this as we like, but until we can create a disincentive for people pursuing this career there will be an ongoing tide of talent moving into cybercrime,” he said.

    “Legislatures should focus on building more collaboration between different countries and law enforcement agencies, so we can see a corresponding increase in successful prosecutions against this ever-growing wave of cyberattacks,” Turner added.

    “HR departments and HR IT professionals need to recognize that the Internet is under siege with criminals and nation-states working to access … data,” Robert Twitchell, an expert on Department of Defense cyber warfare, told SHRM Online recently.

    “To counter these threats and ensure that breaches like this don’t occur again, HR needs to recognize the value of the data it holds and the reasons why it’s valuable to the attacker,” he said. “They should consider examining and deploying techniques traditionally used to secure military RF [radio-frequency] communications: techniques that augment encryption capabilities and add variability to the process to raise the difficulties and costs associated with collecting such data. Make it expensive enough and difficult enough and the hacker will find a different target,” Twitchell said.

    And perhaps choose a different career.

Aliah D. Wright is an online editor/manager for SHRM.


Job Finder

Find an HR Job Near You
Post a Job


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect