How to Prevent Data Breaches

Nearly every hand went up when Jim Farrell asked how many attendees at his recent conference session on data breaches had their identities stolen or knew someone who had.

Speaking at the 35th annual International Association for Human Resource Information Management (IHRIM) Conference, Farrell, senior vice president of products at New Jersey-based Archive Systems, said human resource information technology professionals must be proactive when it comes to protecting their data, and that includes having a plan to prevent such breaches before they happen.

Farrell said the number of U.S. data breach incidents reported and tracked since 2005 recently reached 5,029 incidents, involving more than 675 million estimated records.

He said there is a thriving black market in methods to take advantage of software vulnerabilities, driven by organized crime, nation states and terrorist groups.

The topic comes up again and again. Just last week, President Barack Obama met with Chinese President Xi Jinping; and the two discussed the reported hacking of American companies by Chinese hackers.

Organizations must understand what hackers want. Cyber criminals often are in search of PII—personally identifiable information—and HR departments are ripe with it. That information includes a person’s date of birth, social security number, driver’s license number, phone number, address, and physical or mental health details. Thieves also may want proprietary company information, financial information, credit card numbers, as well as federally-protected data and state-protected data.

Farrell said it’s up to HR and IT departments to understand and dispel the common misconceptions of data breaches.

People think that most breaches are very sophisticated, and therefore hard to defend against, “but that’s not true,” Farrell said. Another misconception is that patching computer systems is sufficient to thwart all breaches. However, threats don’t come solely from outside, he added. Other people assume that getting hacked is inevitable, so companies should focus on response rather than prevention.

“There is a movement in our industry to say, ‘This stuff is going to happen. Don’t try to worry about prevention; worry about how you’re going to respond’ ” to a breach, he said. “Some people are following that model. But, really, it’s important to focus on prevention.”

So what can HR do?

• Know what you have and who has access to it.

  You have to know where the information is, he said. Inventory your assets and interview relevant staff. Ask: What do you have? Who has access to it? How does it come into the company?

  “When you’re thinking about who has it, [consider, too] who has rights to it and what kind of trusts are set up. What’s the process? Does your entire IT department have access to whatever is within your four walls?” Be sure, Farrell said, to inventory computers, flash drives, etc., and to regularly conduct a security audit.

• Remember that less is more.

  “If you don’t have to keep sensitive information, don’t. If there is data that is not needed, don’t bring it into your organization,” he said.

  “When you do an analysis, ask: ‘What if I didn’t have it? Do I need it? Can I get rid of it sooner rather than later?’ Because ultimately the less you have … the surface area someone is going to attack is less.”

• Provide cybersecurity awareness training.

  “You’re only as strong as the weakest link; unfortunately, it’s usually the human being that’s the weakest link,” Farrell said. “Annually put your employees through a security-awareness training program. Then you can audit and review it going forward and that’s where a lot of issues come up.

  “HR has to get involved; employees have to understand what their role is in protecting your company’s assets. They have to know they can fall victim to malware,” he said.

  “If it’s done right, it’s an eye-opening experience for your employees. Part of that training is [telling employees that] you’re not going to Facebook and YouTube and you’re not streaming videos” on company equipment. “These are work assets. When it comes down to security, it’s important to educate them on vulnerabilities.

  “Really bright, educated people are clicking on things they shouldn’t. It happens all the time.”

• Dispose of unnecessary information.

  “If the asset is paper, shred it. Your IT department has the tools to wipe your equipment of data. You hitting delete doesn’t mean it’s gone off the hard drive. If you don’t need that record after three or seven years, get rid of it.”

• Encrypt sensitive data at rest and in transit.

  “The gist of a lot of these breaches is the data is not encrypted. It’s open. So encrypted data is really two things: at rest and in transit,” he said. Make sure staff know the sites they’re visiting are secure and that they’re not to access sensitive company data on open connections because “cyber criminals sniff the network and look for activities on open connections. Don’t go to Starbucks and use the free Wi-Fi connection because that’s where these people live. The sniffers just sit there and maybe they’re sniffing and capturing all that data.”

  He also advised companies that use cloud or software as a service (SAAS) vendors make certain those vendors are encrypting that data by having them undergo a Statement on Standards for Attestation Engagements (SSAE) 16 audit, which he described as an in-depth audit of control objectives and activities, including information technology and related processes, as well as the physical environment such as the data center, physical records and a host of other security controls.

What else should you look for in a cloud or SAAS vendor?

“Security. Security. Security,” he said.

Here are some security-related questions to ask a cloud-based provider:

• Will my data be encrypted in transit and while at rest?
• What is the configurability of password length and complexity? Are certain elements of data restricted from different groups?
• How or are you storing passwords? Is the storage of those passwords encrypted?
• Do you support IP address-based access control (IP restrictions)? How many people can access stuff and from where? At home or in the office only?
• Do you support two-factor authentication?
• Are all users’ activities in an accessible audit log? The systems themselves should be fully auditable. For example, who has changed security rights for another user? Is there a full audit trail?
• Do you annually go through an SSAE 16 audit? Will you give me that report?
• Do you annually subject your solution to third-party vulnerability scanning and penetration testing annually?

Farrell said HR and IT managers should be able to look at the SSAE 16 report and know that data privacy regulations are only going to get tougher. “HR departments must actively partner with IT to protect sensitive data” and “employees play a critical part in keeping sensitive data where it belongs.” And their cloud providers “must have secure environments. The good providers are secure.”

Aliah D. Wright is an online editor/manager for SHRM.