This article was updated on July 18, 2018.
With so much employee information now used and stored in software systems, it's all too easy for management to regard employee data security as an IT responsibility. Protecting employee data and promoting data security in the workplace is actually a cross-functional responsibility. After all, many factors contribute to data security risks, not just technology.
According to a report published by the University of Alabama at Birmingham's Collat School of Business, 80 percent of organizations say that carelessness by the end user is the biggest security threat to their organizations. Employee data security involves far more than technical issues. It involves people, policies and processes.
The CHRO has an opportunity to lead on this issue, advocating for employee protection by working with the CTO and the CFO to ensure that the best security policies and technology are in place to protect employee data.
Risk Beyond Technology
Before any cross-functional team can begin to put employee data security measures in place, it must first understand the security risks involved. According to CIO, the six biggest security risks are:
- Disgruntled employees
- Careless or uninformed employees
- Mobile devices (bring your own devices)
- Cloud applications
- Unmatched or unmatchable devices
- Third-party service providers
Most of these risks involve a human element. It is, therefore, vital for the CHRO and the CTO to work together to identify risks and develop solutions that cross over into each other's domains of expertise.
For example, if one of the agreed-upon risks is that employees are not using strong enough passwords, the CTO could implement technologies and processes that require employees to create stronger passwords and to change them more often, thus reducing the risk that passwords can be used by unauthorized personnel to access employee data.
Reasonable Attempt to Protect Data
According to the ABA Journal, when it comes to employee data security, another major risk to consider is legal risk. The question most often raised in legal cases that are brought against organizations over data security is whether the organization took reasonable steps to mitigate or prevent the employee data security issue.
So the question is, "What are reasonable measures?"
The Federal Trade Commission has created a document called "Start with Security: A Guide for Business," which provides guidelines businesses should use to develop data protection measures.
Adopting Known Standards
A critical measure for ensuring your organization is taking "reasonable steps" is to follow the International Organization for Standardization (ISO) 27001 family of standards for information security management. According to the ISO, the ISO 27001 standards will help organizations manage data assets by specifying "the requirements for establishing, implementing, maintaining, and continually improving an information security management system."
If your organization decides to adopt the ISO 27001 standards, audits should be performed to confirm compliance and ensure that the standards are being carried out properly. An organization that adopts the standards but does not comply with them properly is still at risk of litigation.
The CHRO should work with the CFO, who is experienced in the auditing process and would understand the particulars of how and when such audits should occur. Together, the CHRO and the CFO can ensure two levels of executive attention are paid to mitigating employee data security risks.
A Group Effort
Employee data security is not a technology function alone. There are, in fact, many factors and risks involved that impact several parts of the organization. The CHRO can be on the front line of the issue and take responsibility for coordinating with other C-suite leaders to develop, implement and manage employee data security standards that will reduce risk to the organization and protect employee data.