HR data security breaches are bad news for your business in countless ways. Bad PR for your company, big problems for your employees, compliance fines and lawsuits.
But HR data security is not just a matter of protecting your company from liability and bad publicity. It’s about doing right by your employees, protecting their personal information from potential misuse.
Employees will notice when your company consistently watches out for their best interests. Take care of your HR data security and let your employees keep taking care of business.
Protecting your company’s sensitive information must be a top-of-mind concern. HR must have a plan, great communication, proper training, and HR software that guarantees HR data security and remains up-to-date with current cyber threats.
What kind of HR data is sensitive?
Hackers with access to employee information can do a lot of damage with just a few pieces of information, most notably identity theft. Here is some of the employee information that employers must keep protected:
- Payroll information, such as bank account numbers
- Basic employee information, including Social Security and driver’s license numbers
- Employee benefits and healthcare information
- Employee medical issues, including FMLA
- Compensation data, such as salaries, raises, bonuses, etc.
- Performance review and termination records
- Workplace complaints and disciplinary actions
- Drug and alcohol testing
- Workers’ compensation
- Confidential company planning, like layoffs,expansion, and restructuring
How can you protect sensitive HR data?
Partner with IT, Legal, and Security teams
Unsurprisingly, this is an area where you’ll need help from experts. Start by talking with your IT staff about network security and basic protections like firewalls. How secure is your computer network and company hardware?
Talk to the legal team or obtain outside legal advice about your company’s legal obligations, compliance concerns, and overall liability issues. Additionally, approach this as preparing for the worst case scenario—if a data breach did occur, what steps must be taken.
On-site IT and security staff cannot check every USB drive and laptop for unauthorized files, but they watch for suspicious behavior and unauthorized personnel. With the increase in ransomware attacks, it’s important to note that networks are very difficult to protect from anyone with physical access to your computers.
Enable appropriate permissions
Managers and some supervisors will need broader access and permissions on company software than everyday employees. Rather than granting everyone unnecessarily broad access, make sure you’re only granting permissions where needed.
Set appropriate expectations
Even with a stellar IT department, your network can be vulnerable if employees make unwise or uninformed choices. Workers without computer security training may not understand the reasons behind certain rules. Work with your IT department to develop clear rules for employees. Be sure to include this information when updating your employee handbook.
Require strong passwords
Your employees will need to create complex and secure passwords, but some may attempt to reuse the simplest password accepted by your system. You should require capital and lowercase letters, numbers, and symbols. Your system can also require employees to regularly create a new, unique password, including monthly or quarterly.
No password sharing (no exceptions!)
Employees should not be allowed to share or exchange their passwords. Mutually used software and applications should require individual logins, not joint access for multiple people.
The motivation for sharing passwords varies widely, from simple convenience to cheating the time clock. But your network is more secure when each employee and workstation only accesses a limited, discrete portion of the system.
Utilize multi-factor authentication
Mobile notifications and biometrics can seem extraneous, but they make a big difference with network security. Periodically have your employees use an authenticator app or at least a text message confirmation to confirm their identities, especially when employees work remotely.
Encrypt sensitive information
Encryption is essential for protecting your company’s data, like when it’s being transferred through external servers and email. A single excel spreadsheet could contain personal data about hundreds of employees or clients, which is why it’s so critical to protect those files.
The general public is increasingly aware of and drawn to encrypted communication tools, which means your employees are too. Help employees feel safe and secure by utilizing encryption throughout the workplace as well.
Proper data destruction
Even printed records and spreadsheets can be vulnerable. Develop protocols for shredding sensitive documents like old tax records and data concerning former employees. Make sure those policies are included in your employee handbook.
Digital records also need to be properly destroyed, not just forgotten in the recycle bin. When old laptops and company hard drives are disposed of, work with your IT department to make sure that sensitive data is fully erased. A formatted hard drive might seem to be wiped clean, but files can frequently be recovered with special software.
Make sure HR/Payroll software is safe and secure
Find out whether your payroll software is cyber ready. HR and payroll software has some of the most sensitive data about your employees, including taxes and bank account information. The right HR software can massively improve the efficiency of your in-house paperwork, and it’s worth investing in a secure provider (like Netchex).
New operating system updates might cause a problem with your company’s proprietary software, and you need regular testing to identify bugs. To minimize incompatibility issues, consider getting all of your HR software from the same company. At Netchex, we just happen to offer a full menu of today’s best software solutions.
Conduct regular security audits
Most companies conduct audits of some kind or another, particularly with financials. Conducting an audit of your HR policies, procedures, and security is just as valuable. An HR security audit can help you assess the important factors needed for creating a secure company, such as improvement insights, potential oversight, and up-to-date information on threats.
Routine data security training
Your employees will need to be trained on password rules and any new data security policies, but you should also make data security an ongoing topic for future training. It’s impossible to guess what threats will be your biggest concern a year or two from now. With additional training, your employees should have better instincts for avoiding phishing emails and future scams.
Proper employee offboarding
Offboarding is just as important as onboarding. Similar to how you grant new hires access to company software, you will need a schedule for blocking the access and permissions of departing employees.
Make sure you’ve collected company hardware, physical keys, and ID badges that could give a non-employee access to your building or network. Add these steps to your employee offboarding checklist.
Industry news & tips sent straight to your inbox!
Enter your email below to subscribe to industry news, product updates, and tips.