Can HR lead the way in business data security?

By Anthony Wolny | 6th June 2019 | 13 min read

“What does HR have to do with data security?”

It’s a common question amongst business leaders and HR professionals alike, and despite rising public awareness of the importance of both personal and professional data security, many still struggle to understand the impact that HR teams can have on technical compliance within the workplace.

A Personnel Today study reported that nearly half (47 percent) of HR departments do not know when their cybersecurity was last reviewed, and that only 22 percent have reviewed the people aspects of their organisation’s technology setup within the last year. Despite this, the organisations surveyed stated that the ‘people factor’ constituted the biggest risk to their overall security, yet only one in five (21 percent) were actually working on improving and educating employee technology skills.

Working in an environment where internet access is freely available can also cause frequent security problems. A OneLogin study recently explored the freedom that unrestricted internet access can bring, and revealed that as many as 76 percent of UK companies currently allow a high proportion of their employees free rein when it comes to online browsing. This can often leave businesses and their critical corporate data unwittingly exposed to cybercrime.

The thought of confidential documents and employee personal details falling into the wrong hands is a harrowing one, and unfortunately, many businesses do not have the right security protocols in place in order to provide a higher level of protection. The same OneLogin survey also revealed that 67 percent of companies have not invested in single sign-on (SSO) solutions, and a further 54 percent have not set up a domain name filtering system.

Whilst these could be considered to be technical considerations for IT security teams, it cannot be denied that HR teams can still play an important supporting role in ensuring robust data security processes and procedures within their business.

HR can really make a tangible difference to compliance and data security levels within their business by creating open, two-way communication channels with other key stakeholders such as IT. This can help to proactively identify and manage risks before the worst can occur.

Why is data security key for HR?

Data protection is now firmly enshrined in law, and, since the introduction of GDPR, serious breaches can very easily lead to legal action, fines or even criminal proceedings brought by the relevant authorities. Living in a modern, digital world means that the way we do things has changed irrevocably, as every team or department in the workplace is touched by technology in one way or another. Data leaks can wreak havoc on a company’s reputation and its future success, and even a minor breach involving customer data can cause lasting damage.

Most leaks occur through poor data security management, outdated technology applications, poor quality security patches, and employee misadventure. A recent report found that 63 percent of confirmed data breaches occurred because of the use of weak, default or stolen passwords.

With HR now increasingly acting as a gateway between IT teams and the wider employee community, and acting as gatekeepers for the vast majority of company personal and professional data, their involvement in upholding and promoting strict security processes and procedures is non-negotiable.

What data do HR teams commonly hold?

Modern HR departments can hold a huge amount of information about all areas of their business, including performance and salary data, employment history records, emergency contact details, employment eligibility documentation (such as driving licence and passport data), and even details of medical conditions and health records.

This information is hugely beneficial, as it aids businesses in measuring performance, identifying skill gaps and recruiting new talent – but simply holding such data can lead to inherent risks. Employee data can be particularly compelling for data thieves, and simply balancing data security with the need for access and analysis is harder than it sounds. For example, even routine business procedures can include passing sensitive information in unprotected spreadsheets, something which has led to a quarter of businesses experiencing a data breach.

Why are HR teams responsible?

Many people consider IT and data security issues to be a subject more appropriate for IT teams, but the modern reality is that HR are just as responsible for safeguarding and security as their technical counterparts. Data security is now an ongoing part of any employee experience, so the responsibility of management will naturally fall to the department tasked with onboarding, employee training, and company culture. Our employee training software for small businesses and training management for larger businesses allows HR managers to add compliance training so that employees are aware of data security and possible threats.

With HR responsible for implementing data protection policies and procedures, educating the workforce and providing awareness training, they are a natural fit for promoting employee awareness and compliance around data security. Educating employees about basic threats such as phishing scams and password protocol may seem like common sense, but it is surprising how many businesses neglect these obvious areas. Risk assessments can act as a great way to find out if additional employee training is required, and working closely with IT departments to identify potential risks is a key task for HR teams.

What are the top four HR data security threats?

  1. Bring Your Own Device (BYOD) – With employees now working across multiple devices and platforms, the need for a ‘bring your own device’ policy is crucial for the vast majority of businesses, enabling them to control access and security protocol for any device attached to a workplace network.
  2. Mobile applications – In tandem with BYOD policies, most businesses are now aware of the problem of multiple unauthorised apps, with some taking steps to ban WhatsApp, Snapchat and Instagram access on employee devices during working hours.
  3. Risk of legal exposure – A risk beyond simple data loss or theft is the fact that once data has been mislaid, your business may face legal action from either the employee involved, or else the relevant authorities.
  4. Lack of awareness – The biggest risk to most businesses revolves around human error, and the greatest danger is related to a lack of education on the part of employees.

How are common pain points dealt with?

The rise of technology has inevitably led to common pain points for HR teams and the wider employee community alike. One of the most common is the proliferation of employee data, which can often exist in multiple systems, numerous variations, and can often be difficult to correctly analyse. With many employees now geographically scattered, the fragmentation of data is only likely to increase, with some businesses stating that they aren’t even sure what data they have, let alone where it is all stored.

An over-reliance on spreadsheets can also be a common HR pain point, with as much as 25 percent of data stolen or lost internally being in the form of Microsoft Office documents. Spreadsheets are a poor method for conducting sensitive business processes: the main problems arise from human error skewing data, unprotected spreadsheets being mailed to the wrong recipient, and a general lack of control over security and safety features.

The top four ways to mitigate HR data security risks:

  1. Perform a solid risk assessment – This should show you where your weaknesses are, and which assets are the most valuable to you, and is a firm first step towards better cybersecurity. It then allows you to provide tailored cybersecurity training to employees of all levels and knowledge bases.
  2. Provide robust data security training – Educate employees about the importance of data security, and teach them how they can help your business to stay compliant with legislation through their own, individual role and its resulting responsibilities.
  3. Strictly enforce relevant policies – During your initial onboarding process, emphasise the disciplinary actions that employees who fail to comply with company and legal data policies could face. These should include employment termination, and fines where necessary.
  4. Ensure that employee ‘offboarding’ is satisfactory – Ensure that you have robust policies in place to deal with departing employees, as this can help greatly in minimising the risk of data leakage or theft.

Peter Cheese, CEO of the CIPD, has commented on many areas of cybersecurity and education within the workplace. He says: “Risk is fundamentally down to how people make decisions and judgments, and, whilst most people won’t do this with malicious intent, businesses can still be left exposed.

“More secure technology is part of the solution, but organisations need to think much more broadly and consider how they are equipping their employees with the knowledge and understanding they need to help to protect their organisation and its data.”

He also said that HR teams would be wise to look at the cultures and systems in place that can lead people to make mistakes that expose organisations to risks, whether that be through a long hours culture, lack of technological tools, or simply poor organisational education.