This Month Only! >> $20 off and a FREE SHRM tote with your membership and code TOTE2018!
Sign up for free email newsletters and get more SHRM content delivered to your inbox.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Build competencies, establish credibility and advance your career—while earning PDCs—at SHRM Seminars in 12 cities across the U.S. this spring.
#SHRM18 will expand your perspective – on your organization, on your career, and on the way you approach HR. Join us in Chicago June 17-20, 2018
And keep personal information from walking out the door
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
Nearly every hand went up when Jim Farrell asked how many attendees at his recent conference session on data breaches had their identities stolen or knew someone who had.
Speaking at the 35th annual International Association for Human Resource Information Management (IHRIM) Conference, Farrell, senior vice president of products at New Jersey-based Archive Systems, said human resource information technology professionals must be proactive when it comes to protecting their data, and that includes having a plan to prevent such breaches before they happen.
Farrell said the number of U.S. data breach incidents reported and tracked since 2005 recently reached 5,029 incidents, involving more than 675 million estimated records.
He said there is a thriving black market in methods to take advantage of software vulnerabilities, driven by organized crime, nation states and terrorist groups.
The topic comes up again and again. Just last week, President Barack Obama met with Chinese President Xi Jinping; and the two discussed
the reported hacking of American companies by Chinese hackers.
Organizations must understand what hackers want. Cyber criminals often are in search of PII—personally identifiable information—and HR departments are ripe with it. That information includes a person’s date of birth, social security number, driver’s license number, phone number, address, and physical or mental health details. Thieves also may want proprietary company information, financial information, credit card numbers, as well as federally-protected data and state-protected data.
Farrell said it’s up to HR and IT departments to understand and dispel the common misconceptions of data breaches.
People think that most breaches are very sophisticated, and therefore hard to defend against, “but that’s not true,” Farrell said. Another misconception is that patching computer systems is sufficient to thwart all breaches. However, threats don’t come solely from outside, he added. Other people assume that getting hacked is inevitable, so companies should focus on response rather than prevention.
“There is a movement in our industry to say, ‘This stuff is going to happen. Don’t try to worry about prevention; worry about how you’re going to respond’ ” to a breach, he said. “Some people are following that model. But, really, it’s important to focus on prevention.”
So what can HR do?
You have to know where the information is, he said. Inventory your assets and interview relevant staff. Ask: What do you have? Who has access to it? How does it come into the company?
“When you’re thinking about who has it, [consider, too] who has rights to it and what kind of trusts are set up. What’s the process? Does your entire IT department have access to whatever is within your four walls?” Be sure, Farrell said, to inventory computers, flash drives, etc., and to regularly conduct a security audit.
“If you don’t have to keep sensitive information, don’t. If there is data that is not needed, don’t bring it into your organization,” he said.
“When you do an analysis, ask: ‘What if I didn’t have it? Do I need it? Can I get rid of it sooner rather than later?’ Because ultimately the less you have … the surface area someone is going to attack is less.”
“You’re only as strong as the weakest link; unfortunately, it’s usually the human being that’s the weakest link,” Farrell said. “Annually put your employees through a security-awareness training program. Then you can audit and review it going forward and that’s where a lot of issues come up.
“HR has to get involved; employees have to understand what their role is in protecting your company’s assets. They have to know they can fall victim to malware,” he said.
“If it’s done right, it’s an eye-opening experience for your employees. Part of that training is [telling employees that] you’re not going to Facebook and YouTube and you’re not streaming videos” on company equipment. “These are work assets. When it comes down to security, it’s important to educate them on vulnerabilities.
“Really bright, educated people are clicking on things they shouldn’t. It happens all the time.”
“If the asset is paper, shred it. Your IT department has the tools to wipe your equipment of data. You hitting delete doesn’t mean it’s gone off the hard drive. If you don’t need that record after three or seven years, get rid of it.”
“The gist of a lot of these breaches is the data is not encrypted. It’s open. So encrypted data is really two things: at rest and in transit,” he said. Make sure staff know the sites they’re visiting are secure and that they’re not to access sensitive company data on open connections because “cyber criminals sniff the network and look for activities on open connections. Don’t go to Starbucks and use the free Wi-Fi connection because that’s where these people live. The sniffers just sit there and maybe they’re sniffing and capturing all that data.”
He also advised companies that use cloud or software as a service (SAAS) vendors make certain those vendors are encrypting that data by having them undergo a Statement on Standards for Attestation Engagements (SSAE) 16 audit, which he described as an in-depth audit of control objectives and activities, including information technology and related processes, as well as the physical environment such as the data center, physical records and a host of other security controls.
What else should you look for in a cloud or SAAS vendor?
“Security. Security. Security,” he said.
Here are some security-related questions to ask a cloud-based provider:
Farrell said HR and IT managers should be able to look at the SSAE 16 report and know that data privacy regulations are only going to get tougher. “HR departments must actively partner with IT to protect sensitive data” and “employees play a critical part in keeping sensitive data where it belongs.” And their cloud providers “must have secure environments. The good providers are secure.”
Aliah D. Wright is an online editor/manager for SHRM.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Please sign in as a SHRM member before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
CA Resources at Your Fingertips
SHRM’s HR Vendor Directory contains over 10,000 companies