EMPLOYER TAX BRIEF
Don’t overlook HR when strengthening your cybersecurity measures
When employers address cybersecurity, they often focus on financial data and intellectual property. But there’s another area that’s just as important and typically much more vulnerable: HR information.
Many organizations have a huge amount of data about both current and former employees, as well as job candidates, stored on their servers or in the cloud. And this information tends to be at great risk because, even if it’s encrypted in storage, HR staff often share key data points via easily hackable mediums such as email, text and instant messaging.
Assess your risk
A good first step to take is to assess your risk. Conduct an internal audit of the types of employment and benefits information you gather, how much data of each type you’re currently retaining, where it’s stored, as well as who’s using it and how.
Don’t be surprised if you discover multiple redundancies regarding where data is stored. Many organizations also discover that they’ve been holding on to HR data for far too long. You could even be shocked to learn that employees aren’t following security protocols, assuming you have widely understood and enforced ones in place to begin with.
4 guidelines to follow
To better protect sensitive HR information, follow these four guidelines:
Collect only what’s absolutely needed. Some organizations are unnecessarily thorough when it comes to gathering information on current and former employees, as well as job candidates and even independent contractors. Ideally, you want to establish a set list of data points to collect — appropriate to your needs, of course — and limit yourself to those.
Encrypt everything. This may seem to go without saying but, following an audit of your HR data, you might find that some sensitive information isn’t encrypted. It’s for this very reason that employers need to know precisely where every bit of employment-related data is stored and shared.
Implement strict policies governing who may access and use HR data. Carefully devised, clearly worded and regularly updated cybersecurity policies are now a must for every type of organization — no matter how big or small.
One important concept to integrate into your policies is “least privilege.” This is the general rule that employees should be granted only the absolute minimum levels of access needed to perform their job functions.
Retain data for limited periods. They say on the Internet, or more specifically the cloud, everything lasts forever. But it doesn’t have to. Regularly delete HR data that you no longer need. Just be sure to comply with federal and state statutes for file retention related to tax reporting and other important matters, including legal investigations.
Stay out of the dark
There’s reportedly a huge market for stolen HR information on the “dark web” — the alternate version of the Internet where hackers go to sell their ill-gotten gains. Be sure to take the necessary steps to protect your organization because the associated costs of a data leak, HR or otherwise, can be devastating.