It is almost clichéd for an HR manager to cite confidentiality to avoid talking about details regarding everything from health care benefits to employee relations to pending promotions and terminations. In a world where personal privacy seems to have growing challenges and complexities, this type of confidentiality is a very good policy. Is there an even more menacing threat to employee security that HR is not yet fully engaged in mitigating? Is HR doing enough to ensure that HR data security is as tight as needed in today’s mobile world of outsourced transactions, employee self-service and ubiquitous data collection and retention? How can HR know it is fulfilling fiduciary and ethical responsibilities to protect personal, commercial and organizational information?
To the extent that HR is relying solely on the protection offered by the organization’s IT department, there is almost certainly a gap. HR can likely rely on IT to ensure that proper software security standards for HRIS and other large systems solutions are in place. The same is true for the underlying software that is used for productivity and day-to-day work. Spreadsheet, database and word processing software, as well as the organization’s operating systems and communication protocols, properly reside, or should reside, in IT. No one, certainly not HR, benefits from amateurs freelancing these protections. What is the role for HR to secure our own data?
Here are five actions that will allow HR to best protect sensitive employee and organizational data.
Convey to every person on the HR team, as well as vendors, contractors and managers, that HR data is just as subject to risk of loss and breach as any consumer or financial data in the possession of the organization. Tone is typically set at the top. Thorough HR leaders should be conveying in word and deed that they put a premium on HR business practices, partner relationships and resources that put a responsible emphasis on data security. There have been several high-profile breaches in the last few years, mostly dealing with credit and financial data. However, there is no reason to think that organized crime, international syndicates and hackers of all motivations won’t have interest in the data and systems of employers. Large employers are attractive targets because of the sheer size of the data: health information, Social Security Numbers, banking and personal information. Many employers are linked through common outsourcers.
Do not circumvent the IT group in selecting, negotiating or accessing vendors. There is no shortage of exciting new technologies, social applications and software that offer efficiencies and new human capital management promise. However, unless there is a very sophisticated HR operations group, it is important to get an IT partner in the discussions early. Not every start-up or new tool is going to make the grade for security. Have a lifeguard with you when you go into the ocean.
Insist that non-enterprise-level software is used with security in mind. Every spreadsheet or document, in addition to the more obvious database, should be password protected if it contains compensation or other personally sensitive information. Despite our use of powerful enterprise-wide software or HRIS, much of the business-as-usual work of HR is still done on, or ends up on, more pedestrian software. The security roles and configuration on your HRIS don’t do you any good if information has been transferred to a slide show, spreadsheet or letter that is unprotected.
Ask your Audit Department or IT team to do refresher training and tests on HR business processes annually. HR should certainly be able to expect that data security audits are being completed. Having “Data Security Day” in HR is not a bad use of time. Whether it’s training, or just awareness built by a pizza lunch and a sheet cake, make sure that new hires, transfers and those promoted into management, along with everyone else, get regular reminders about the dangers of data breaches and about the available tools and business practices to avoid them.
Make sure that every HR professional who takes equipment out of the work location knows that they must safeguard the machine and should limit the data which resides on it. This is going to get harder to rationalize. More professionals are working at home, on transportation or otherwise with tablets and other mobile devices. Generally, the multiplication of apps and other digital tools may have a numbing effect on the seriousness of handling work data outside the secure environment of the office. It is important that HR focuses on the physical security of machines to avoid loss in airports, through theft from a car, or through unstable and insecure Wi-Fi. If your organization is in a position to offer a Virtual Private Network, it is important that HR sets the example for always using it when working on “live data”. Finally, as a responsible and tech-savvy HR leader, know whether your laptops and other devices are encrypted.
As HR departments become more data driven, and perhaps as more administrative and transactional work is done on an outsourced or offshore basis, the movement of data will increase. The risk of loss through carelessness or even the malfeasance of others will only increase, not because of any particular threat from these business models but simply because there will be more data moving to more places. Additionally, the ubiquitous collection of digitized data is increasing in every aspect of society, including the workplace. There is likely data being collected, automatically and innocently enough, from company smartphones, cameras, and GPS. The need for HR to be more aware of the total collection of data about employees and its security is likely to become a core HR function. Increasing the capability to defend data in your HR function is an investment worth making today.