One of the world’s largest human resources providers, PageUp, recently reported a data breach after noticing ‘unusual activity’ on its system. The Australian company, which claims more than two million active monthly users in 90 countries, counts Lindt, Australia Post, Kmart, the Reserve Bank of Australia, Commonwealth Bank and Telstra among its customers, to name just a few.
The human resource management system (HRMS) platform holds a great deal of sensitive data, irrespective of the size or nature of the organisation. Ranging from bank account details to Aadhaar card and social-security numbers, this data may seem harmless until it falls into the wrong hands; after all, it is exposed not only to internal threats but to external ones, such as ransomware, phishing attacks and so on. The Verizon 2018 Data Breach Investigations Report (DBIR) states that financial pretexting incidents have increased more than five-fold since the 2017 DBIR, with 170 incidents analysed this year (compared to just 61 in the 2017 DBIR). Eighty-eight of these incidents specifically targeted HR staff to extract personal data for the filing of fraudulent tax returns.
A data breach can be accidental as well as deliberate. Here are some of the measures organisations are taking to protect their data:
• Training and creating awareness – Human error is probably the least focussed-on area when it comes to HR data loss. Something as simple as leaving a laptop unlocked in a public space can lead to a data breach. Hence, it is important for all employees to be educated on integrating data-security measures into their day-to-day work.
• Data governance structure – A core principle of data security is that users should be given only the amount of access they need. Granting unlimited or irrelevant access exposes users to confidential data unnecessarily and puts the organisation at risk of a data-security breach. It is critical that all users receive only the access rights they require, and that only a limited number of people, authorised by the organisation, are allowed access to confidential data.
• Strict BYOD policy – Bring-your-own-device is the worst nightmare of data-security experts. Devices used outside the office boundary are exposed to access by unauthorised persons. It is imperative for the IT and HR teams to design the BYOD policy such that the organisation’s as well as the employees’ confidential data remains well secured on the personal device.
• Integrating government laws into the organisation’s policies – Organisations may be spread across the world and may employ people of multiple nationalities. It is important for them to comply with the laws of each government individually for all the employees and customers they deal with. Recently, Europe introduced its latest data-privacy law, the General Data Protection Regulation (GDPR), effective 25 May 2018. It is considered the most stringent regulation of its kind in the world. Designed to enhance data protection and the right to privacy for European citizens, it gives them ultimate control over their personal data and how it is used. Another similar law is the Notifiable Data Breaches (NDB) scheme of the Australian government. This scheme mandates notifying the individuals who are likely to be affected by any such incident. Although prevention is better than cure, it is wise to be aware of, and prepared for, any such disaster that may come one’s way.
From checking the HRMS service provider’s security plan to putting a disaster-recovery plan in place, HR managers today are doing all in their capacity to keep up with data-protection standards from across the world. After all, in this case, ignorance can only cause misery and unleash hidden monsters in the form of data threats.