How Your HR Department Can Improve Information Security and Prevent Data Loss

Ray Costello — October 27, 2018

— October 27, 2018

In an era where cybersecurity regularly makes the headlines and data is increasingly valuable, it’s often IT professionals who take the spotlight. While tech pros are certainly critical to information security safeguards, they aren’t alone. Your HR department can and should play an important role in protecting the sensitive data your business houses. Their involvement can make all the difference in limiting your overall business risk.

Consider Your Data

When looking at HR’s relationship with information, it’s necessary to first understand the different types of data being collected. This can include anything from employee and candidate social security numbers on applications, criminal background checks, bank account numbers, insurance forms, and medical records, as well as other pieces of information unique to your business. At the same time, how long are these records being housed? If there isn’t a legal reason to keep a sensitive piece of information anymore, it’s often better to destroy it rather than allow it to sit on servers as a security risk.

Consider also how your HR data is housed. HR departments are increasingly going paperless. If yours is one of them, is all of your data housed in the cloud, on-premise, or in a hybrid model? What is the password protection like, and who has access to the data warehouse? Is information safely backed up elsewhere, or are employees using online storage services like Dropbox without the appropriate level of caution? IBM recently banned flash drives and other removable storage from their premises in an effort to avoid those devices being lost or stolen, and to inhibit them from introducing a virus from outside the company.

While not every company will take such drastic measures, it serves as an example that business leaders must consider every aspect of their data. You’ll also need to consider hard copies of sensitive information. Where are they stored and who has access to them? How are they backed up in case of a fire, flood, or other natural disaster? Ignoring even one detail surrounding data can introduce a dangerous amount of risk into any business.

Keep HR Software Up-to-Date

The HR departments of larger organizations may be able to rely on a robust IT department to update software programs and operating systems and check them for vulnerabilities, but small and medium-sized businesses don’t often have that luxury. HR software, like employee portals, are an excellent time-saver, but they should only be introduced into a company if they can be properly maintained and updated. What happens when an employee logs into an employee portal from their home laptop, which had a virus they didn’t know about? Employers can sometimes be held liable for the identify theft of employees, and out-of-date programs are a top avenue for losing vital employee personal information.

Include Information Security in HR Training

Human Resources employees aren’t expected to be technology experts, but only 59% of HR employees are trained in cybersecurity practices as it relates to their role. Considering that 90% of cybersecurity risks are caused by human error, it’s imperative that HR employees are properly trained in how to take care of the sensitive data they work with. Train employees so they know how to spot vulnerable data or potential threats. Make sure they understand what phishing emails look like and that they don’t send a sensitive document to a non-company email address. In other words, HR employees must carefully follow the policies protecting your data, and regular training ensures that practice.

Review Hiring and Employee Engagement

Employees with severe malicious intent are rare, but something to safeguard against nonetheless. Naturally, every business wants to recruit trustworthy employees, but in a hectic environment it can be easy to overlook an applicant’s red flag or checkered past. Your employees’ personal information is extremely valuable on the dark web, and people will go to great lengths to obtain it. HR holds the power to not just spot a candidate who may be prone to such behavior, but to also identify current employees who have become disengaged or disgruntled. After all, an employee conflict can leave a heated staff member deleting or damaging another’s sensitive information in a moment of regret.