The COVID-19 pandemic has forced organisations to adapt to new and difficult challenges. Businesses had to re-imagine how the workplace operates just to maintain basic operations. HR departments and their processes became key to keeping businesses afloat amid the many precautions taken against the pandemic.
People are the core of every organisation. With a ‘new normal’ forming around both the business ecosystem and people's daily lives, the HR department must strike an increasingly delicate balance between fulfilling the myriad needs of workers and supporting organisational efficiency. As economies slowly reopen, organisations are now deciding between remaining remote and transitioning back into the office.
Navigating the untested waters of managing HR through this shift to remote work and back again is complex enough without taking cybercrime and data security into account, yet it is crucial that HR does exactly that. The data stored by HR is the easy payday cyber-criminals are looking for, and the nightmare that keeps CISOs awake at night.
Should the data stored by HR ever be compromised, the damage to both the company and to people's personal lives could be devastating. HR data is among the highest-risk information an organisation holds, since it contains everything from basic contractor details to social security numbers. The sudden shift to a more distributed workforce during COVID-19 increased that risk: with a large portion of HR staff working remotely, the same data is now reached through more access paths, often with higher privileges, across cloud services, VPNs and home networks.
Any security expert worth their salt will tell you that no security setup is foolproof. However, there are plenty of ways that an organisation can reduce the risk of a breach occurring. Securing HR-related data needs to be approached from both a technical and end user perspective. This includes controls designed to protect the end user or force them into making appropriate choices, and at the same time providing education and awareness so they understand how to be good stewards of their data.
The first step to securing HR data is making sure that the ways users access it are both secure and easy to use. Each system housing HR data should sit behind a federated login of some variety. A federated login delegates authentication to a single identity provider, such as Active Directory, so usernames and passwords are managed in one place, and an account disabled there (when someone leaves, for instance) loses access to every HR system at once.
The next step in credential security is to require a second factor of authentication on every system storing HR data. This is multi-factor authentication (MFA), and it is a vital preventative measure when used well. To be effective, the second factor must come from a different category than the password (something the user knows): something the user has, such as a hardware token or an authenticator app, or something the user is, such as a fingerprint. A second password or a security question adds no real strength, and codes sent by SMS, while they count as a “has” factor, are the weakest option because phone numbers can be ported or intercepted.
Today, HR users working from somewhere other than the office is nothing unusual. With this freedom comes the need to secure the means by which they access data, regardless of the network they are using. The most straightforward way to accomplish this is to set up a VPN and ensure that HR systems accept connections only from inside the corporate network or from the VPN's address range. This is a network-level control that complements MFA rather than replacing it: a VPN session tells you which network a request came from, not who is sitting at the keyboard.
Organisations should also verify that access to HR databases is appropriate and that no anomalous use is taking place. This requires a combination of good logging and good analytics. Comprehensive analytics solutions learn each user's normal pattern of activity and flag the account when that routine changes, for example when a user who normally opens a handful of records a day suddenly views hundreds. When odd activity occurs, the system alerts an administrator to investigate why the user is viewing so many files.
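The simplest form of that per-user baselining can be shown in a few dozen lines. The following is an added example, not code from the original article or from any analytics product: it parses constructed HR record-access log lines (one line per record viewed, in an assumed `<timestamp> <user> <record_id>` format), builds each user's daily view count from their earlier days, and raises an alert on a day whose count exceeds both an absolute floor and a mean-plus-three-standard-deviations threshold. The sample data is invented for the example: two users with a steady routine, then one of them walking the employee directory late one evening.

```python
import statistics
from collections import defaultdict

# Constructed sample log (not from any real system): "<ISO timestamp> <user> <hr_record_id>"
NORMAL_LINES = """\
2020-06-01T09:12:00 alice EMP-1041
2020-06-01T10:40:00 alice EMP-1187
2020-06-01T11:05:00 bob EMP-2003
2020-06-02T09:30:00 alice EMP-1099
2020-06-02T14:12:00 alice EMP-1203
2020-06-02T15:00:00 alice EMP-1044
2020-06-02T16:21:00 bob EMP-2077
2020-06-02T16:25:00 bob EMP-2071
2020-06-03T08:55:00 alice EMP-1310
2020-06-03T13:47:00 alice EMP-1064
2020-06-03T14:02:00 bob EMP-2140
2020-06-04T09:01:00 alice EMP-1222
2020-06-04T09:40:00 alice EMP-1041
2020-06-04T10:10:00 alice EMP-1318
2020-06-04T11:30:00 bob EMP-2003
2020-06-04T11:35:00 bob EMP-2009
"""
# Day 5 (also constructed): alice views 42 records in under an hour, at 22:00.
SPIKE_LINES = "".join(f"2020-06-05T22:{i:02d}:00 alice EMP-{1500 + i}\n" for i in range(42))
SAMPLE_LOG = NORMAL_LINES + SPIKE_LINES


def parse(log_text: str):
    """Yield (day, user, record) for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        timestamp, user, record = parts
        yield timestamp[:10], user, record


def daily_counts(log_text: str):
    """user -> day -> number of HR records viewed that day."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, _record in parse(log_text):
        counts[user][day] += 1
    return counts


def flag_anomalies(log_text: str, min_history: int = 3, sigmas: float = 3.0, floor: int = 10):
    """Return (user, day, count, baseline_mean) for each day on which a user's views
    exceed both `floor` and mean + sigmas * stdev of that user's *previous* days.

    The floor stops a user whose baseline is 1-2 records/day from alerting on 4;
    requiring `min_history` prior days avoids judging a brand-new account on noise.
    """
    alerts = []
    for user, per_day in daily_counts(log_text).items():
        for day in sorted(per_day):
            history = [count for d, count in per_day.items() if d < day]
            if len(history) < min_history:
                continue
            mean = statistics.mean(history)
            threshold = max(floor, mean + sigmas * statistics.pstdev(history))
            if per_day[day] > threshold:
                alerts.append((user, day, per_day[day], round(mean, 2)))
    return alerts


if __name__ == "__main__":
    for user, day, count, baseline in flag_anomalies(SAMPLE_LOG):
        print(f"ALERT {user} viewed {count} records on {day} (baseline {baseline}/day)")
```

Run on the sample, the only alert is alice on 2020-06-05 (42 records against a baseline of 2.5 a day); bob's routine never crosses the floor. The same baseline-and-threshold structure extends naturally to other dimensions of the same log lines, such as time of day (the 22:00 timestamps above) or source address, which is what a commercial analytics product is doing at scale.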
Security awareness training for end users is also one of the most essential parts of securing infrastructure. The end user is a highly valuable target because they already have access to internal resources, and humans are frequently the weakest link because they are easier to “hack” than passwords or automated security controls.
Social engineering attacks succeed when people have not been taught to spot the red flags of an attempt. A solid layered security model is incomplete without the layer that prevents these attacks through education and awareness.
Be it in the office or from home, HR needs to deliver effective services to employees while taking the necessary steps to ensure that employee data is kept safe at all times. Even though an organisation cannot control every aspect of how work gets done, these steps will help keep sensitive HR data safe.