7 Employee Data Security Considerations for HR
Who within a company holds employee information that is sensitive and personal? That’s right, Human Resources (HR), and that is why data security is a very important area to focus on. As identity theft and fraud increase globally, people are becoming more protective of their personal information and count on companies to keep that information protected. In addition to the direct employee information HR organizations hold, they typically retain sensitive company information that would be damaging if leaked to the general public. So how are HR departments storing most of this information these days? Correct again, electronically. This increases the risk because it shares the data protection responsibility with the Information Technology (IT) department. What ways are there to make sure HR and IT are doing their duty to secure such data? Here are a couple of suggestions on how to protect your employees’ sensitive data.
Establish Policies for Safeguarding Your Employee Data
Creating policies builds awareness that different data should be treated differently and gives everyday users guidelines for handling it. The policy should state the different classifications of data, what level of protection applies to each and how it should be applied, and how to check that the guidelines are being followed. The policy should not just apply to HR but throughout the company as well. Train the users and post the policy in an area that is easily accessible. As with most security measures, users are the strongest line of defense.
4 Ways to Secure Electronic Employee Data
Since most data is electronic, there are several different ways security can be applied to help secure information. It should be thought of as layers of protection, and the more layers, the better. There is always a battle between usability and security, so try to find the right balance for your company.
- Firewall/Network Security – Usually the first and widest net of defense is the set of settings and configurations on the firewall and network devices. Being on the network presents numerous vulnerabilities because the network is the main way in for hackers. They’re not walking into building doors anymore.
- Access Control Lists (ACL) – Sounds easy and should be a given but surprisingly many ACLs are never properly set or change over time. ACLs can be set for just about anything such as applications, folders, devices or doors. Make sure you have tools or checks in place to monitor or configure important ACLs. Sensitive material should be treated like that exclusive club—no one gets in unless they are on the list.
- Encryption – There are a few different ways to encrypt data and all should be considered: at rest, during communication, and on backup. Use certificates and secure protocols to accomplish this. Since encryption works with a set of keys, pay careful attention to them; if you can’t locate them, the data will be lost.
- Endpoint Protection – It takes much more than just antivirus software these days to keep intruders out. Personal firewall, intrusion detection, and patch management are all equally important. With their powers combined, users will be protected.
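One way to put the ACL check from the list above into practice, as an added example that is not part of the original article: a small audit that walks a records folder and reports every entry that lets in someone who is not on the list. It assumes a POSIX file system, where owner, group and mode bits stand in for the ACL; the function names and the sample folder are constructed for illustration.

```python
import os
import stat
import tempfile


def iter_entries(root):
    """Yield root and every directory and file below it (symlinks not followed)."""
    yield root
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            yield os.path.join(dirpath, name)


def audit_tree(root, allowed_uids, allowed_gids):
    """Return (path, reason) pairs for entries that break the access list."""
    findings = []
    for path in iter_entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink, review its target by hand"))
            continue
        if st.st_mode & stat.S_IRWXO:
            findings.append((path, "accessible to every local account"))
        if st.st_uid not in allowed_uids:
            findings.append((path, f"owner uid {st.st_uid} is not on the list"))
        if st.st_mode & stat.S_IRWXG and st.st_gid not in allowed_gids:
            findings.append((path, f"group gid {st.st_gid} has access but is not on the list"))
    return findings


def build_sample_tree():
    """Constructed sample: one correctly locked file and one that has drifted."""
    root = tempfile.mkdtemp(prefix="hr-records-")
    for name, mode in (("payroll.csv", 0o600), ("reviews.csv", 0o604)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, reason in audit_tree(sample, {os.geteuid()}, {os.getegid()}):
        print(f"{path}: {reason}")
```

Run on a schedule against the real folder with the approved owner and group IDs, an empty result means the permissions still match the list, and any output is drift to investigate.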
Don’t Forget About Protecting Physical Data, Too
Not all data is electronic, so be mindful of physical materials. Security for physical materials is pretty straightforward: Lock it up! Your options are what kind of lock to use and how many. Sensitive materials should be locked away unless they are being used and attended to by appropriate personnel. If done correctly, you won’t see any successful “Watergate” scenarios.
Review Your HR Processes, Guidelines and Controls
Lastly, you should audit processes, guidelines and controls. Who knows how or why things change, but they do. Security is always evolving, and so are the requirements, so there should always be a review process to make sure what was applicable back then is still applicable now. It’s difficult to control users, but audits are a great way to determine if they are doing what they are supposed to. No one likes an audit, but it’s a necessary and effective security measure.
HR can’t afford to take a chance with securing sensitive employee data. It is the duty and responsibility of the organization to keep both company and employee information secure. It could be very damaging to your organization if securing data is not done properly. These best practices will help you accomplish that, but most of all, it’s about building up awareness and attention to a serious matter. It is becoming more difficult to keep data secure as technology evolves and the value of data increases; but with a multilayer, multi-tiered approach, it’ll be very difficult to break through.