HR departments need to prioritize protection, recognize risks and create a way of working that focuses on holistic defense of human assets.
Data security is an IT problem, right? Not anymore. Now, HR professionals play an essential role in data defense — particularly for small and medium-sized businesses (SMBs).
Legislative controls, such as GDPR, and evolving standards, such as HIPAA, now prioritize granular control and oversight of employee data. While IT professionals are on the front lines of network and infrastructure security, HR pros are the first line of defense for employee data.
"From a GDPR standpoint, there is no distinction between an employee and a consumer," says Cecile Georges, Global Chief Privacy Officer for ADP. "Everyone is considered a data subject privacy-wise, meaning employers must grant the same privacy rights to employees."
Human resource staff are often the first to collect employee information and the first to input and use this data for benefit assessments, leave requests and recruiting efforts. They are often the "silo" responsible for safely storing and sending this data at scale as well.
Organizations process an abundance of personally identifiable information (PII), from addresses and birth dates to medical history and financial records. Secure handling of this data is now a priority for consumers and staff alike, and the protection priority has shifted. HR teams, whether they know it or not, are part of the information security ecosystem. As Georges notes, attackers are on the hunt for HR data.
"Compared to a few years ago, personal information is now seen as something of value," she says.
The Risk Reality
It's one thing to recognize the evolving role of HR in data security; it's another to confront emerging risks head-on. But in much the same way that downstream worries around open-source vulnerabilities like Heartbleed or ShellShock went from minor to apocalyptic, the realities of employee data risk mean paying the price when things go wrong — and it's not cheap. As data from Cybersecurity Ventures shows, 60% of SMBs go out of business within six months of a data breach.
Effective preparation requires a clear understanding of the potential threats. Some of the top concerns for SMB HR teams include:
- Insider threats — According to Cybersecurity Insiders, 90% of businesses feel vulnerable to insider attacks fueled by excessive access privileges, increasing mobile device use and growing IT complexity. Most are accidental, as staff may not realize the risk of posting or sharing sensitive information. Given the sheer amount of sensitive data handled by HR (and employees' right to access this data upon request), controlling user access is critical to minimize insider threat risk.
- Spear phishing — Curated email attacks remain a critical concern for organizations, and HR is a top target. Why? Because staff are more likely to respond to messages or click on malicious attachments if they supposedly come from "Human Resources" and contain need-to-know information about benefits, paychecks or leave requests. According to Kim Albarella, Senior Director of Cyber Security Marketing for ADP, one rising method of attack focuses on compromising the identity of SMB payroll administrators. "If they steal the payroll administrator's credentials and identity, they now have access to all payroll information in the company and the ability to change whatever they want," she says. And if they're willing to do reconnaissance, they can discover exactly when senior managers and admins will be on vacation or away from their offices, making it easier to make changes without getting caught.
- Mobile attacks — Mobile devices are now the targets of many malware attacks, and with many SMBs adopting broad BYOD policies to enable remote working, HR must be mindful of the inherent risks of always-on, on-demand access.
The New Normal
What does all this mean for HR teams looking to take an active role in data security? It's time for a new normal. HR professionals must develop and deploy key processes, such as:
- Promoting active employee engagement — Data security doesn't happen in a vacuum. While IT teams and HR pros can design and implement better strategies to protect data at scale, they won't work without employee buy-in. This is where the human connection of HR comes into play. HR must engage with their workforce at every step of the employment process — from recruitment to corporate culture building to ongoing education — in order to raise awareness around data security issues.
- Building a "human firewall" — People are the weakest link in cybersecurity, and that's why phishing attacks are still successful and social engineering scams work. HR plays a critical role in creating "human firewalls" by developing ways to improve cybersecurity education and make it part of day-to-day operations.
- Creating cross-department partnerships — There's also a critical need for human resources to reach out and create cross-department partnerships, especially with IT. While technology pros are tasked with securing systems at large, they're often unfamiliar with the way specific HR tools work. Human resource pros, meanwhile, often prioritize ease-of-access but may not realize its long-term impact on overall risk.
Attackers are counting on fragmented defenses to help them breach network borders and infiltrate infrastructure — and SMBs are a prime target. Bolstered by accidental insider threats, absent internal communication and a lack of employee infosec engagement, even small security concerns can quickly escalate. The solution: HR practices that prioritize protection, recognize risks and create a "new normal" focused on holistic defense of human assets.
Visit the ADP data security page for security updates and best practice resources.