HR administrators should take note: on July 25, 2018, the National Cybersecurity and Communications Integration Center (NCCIC), an arm of the U.S. Department of Homeland Security, issued an alert that cybercriminals are increasingly targeting Enterprise Resource Planning (ERP) applications and HR business management systems. The alert references a report released by risk management firm Digital Shadows Ltd. and application security company Onapsis Inc. that highlights the exploitation of vulnerabilities within these applications, which manage key business processes, including product lifecycle management and CRM.
What is Contributing to the Problem?
While the proliferation of mobile technology has made running an enterprise easier and more efficient, it also adds a layer of security risk. For example, “BYOD,” or “Bring Your Own Device,” programs reduce hardware expenditures; however, they can increase the chances of HR data being leaked or hacked when devices change hands or are taken home to be used remotely. Unfortunately, human error is one of the largest contributors to data breaches and data loss. Thus, device-based HRMS security becomes increasingly necessary.
Similarly, mobile applications on devices make doing work “on the go” possible. However, with information being continuously uploaded to and downloaded from the Internet or the cloud, can data security and integrity be ensured? This is where monitoring the apps used on mobile or remote devices is vital, and creating a list of approved and banned apps should be imperative. A mobile or remote workplace also opens up your business to compliance issues. Non-compliance with local and national laws governing employee and/or user data can translate into penalties. For example, HIPAA, the Health Insurance Portability and Accountability Act, requires native encryption on a device holding any relevant data for that user.
What Can You Do?
The first thing you can do to maintain HR data security is to complete a risk assessment. This will determine where your weaknesses lie and where your security strengths are, starting with creating strong passwords and changing them often! After this, you can spearhead a data security training initiative, establishing the proper protocol for those departments or people who have the most data exposure risk.
Next, develop an accountability system for employees to report data issues or concerns. HR needs to ensure that all employees receive training and are aware of the proper channels for reporting any suspicious activity or misuse of data, and are kept apprised of any potential disciplinary actions regarding non-compliance with data security policies.
While avoiding any data loss or breach may not be possible, these small steps may alleviate some of the associated heartache or diminish the chances of your company’s data being compromised or targeted.