Don’t Overlook HR When Strengthening Your Cybersecurity Measures

December 8, 2022 HoganTaylor

cybersecurity in the office

When employers address cybersecurity, they often focus on financial data and intellectual property. But there’s another area that’s just as important and typically much more vulnerable: HR information.

Many organizations have a huge amount of data about both current and former employees, as well as job candidates, stored on their servers or in the cloud. And this information tends to be at great risk because, even if it’s encrypted in storage, HR staff often share key data points via easily hackable mediums such as email, text and instant messaging.

Assess your risk

A good first step to take is to assess your risk. Conduct an internal audit of the types of employment and benefits information you gather, how much data of each type you’re currently retaining, where it’s stored, as well as who’s using it and how.

Don’t be surprised if you discover multiple redundancies regarding where data is stored. Many organizations also discover that they’ve been holding on to HR data for far too long. You could even be shocked to learn that employees aren’t following security protocols, assuming you have widely understood and enforced ones in place to begin with.

4 guidelines to follow

To better protect sensitive HR information, follow these four guidelines:

  1. Collect only what’s absolutely needed. Some organizations are unnecessarily thorough when it comes to gathering information on current and former employees, as well as job candidates and even independent contractors. Ideally, you want to establish a set list of data points to collect — appropriate to your needs, of course — and limit yourself to those.
  2. Encrypt everything. This may seem to go without saying but, following an audit of your HR data, you might find that some sensitive information isn’t encrypted. It’s for this very reason that employers need to know precisely where every bit of employment-related data is stored and shared.
  3. Implement strict policies governing who may access and use HR data. Carefully devised, clearly worded and regularly updated cybersecurity policies are now a must for every type of organization — no matter how big or small.

One important concept to integrate into your policies is “least privilege.” This is the general rule that employees should be granted only the absolute minimum levels of access needed to perform their job functions.

  1. Retain data for limited periods. They say on the Internet, or more specifically the cloud, everything lasts forever. But it doesn’t have to. Regularly delete HR data that you no longer need. Just be sure to comply with federal and state statutes for file retention related to tax reporting and other important matters, including legal investigations.

Stay out of the dark

There’s reportedly a huge market for stolen HR information on the “dark web” — the alternate version of the Internet where hackers go to sell their ill-gotten gains. Be sure to take the necessary steps to protect your organization because the associated costs of a data leak, HR or otherwise, can be devastating.

HoganTaylor Talent

If you have any questions about this content, or if you would like more information please contact Jeff Wilkie, Principal of the HoganTaylor Talent practice. More information is also available on the HoganTaylor Talent page of this website.

INFORMATIONAL PURPOSE ONLY. This content is for informational purposes only. This content does not constitute professional advice and should not be relied upon by you or any third party, including to operate or promote your business, secure financing or capital in any form, obtain any regulatory or governmental approvals, or otherwise be used in connection with procuring services or other benefits from any entity. Before making any decision or taking any action, you should consult with professional advisors.

Share This:

10 Human Capital Questions to Consider

It's important for employers to regularly conduct a human resources (HR) analysis of their policies and practices. Download our 10 question checklist to see whether you might need an assessment.