Data Security for HR and Workplace Leaders

May 28, 2019 | Shannon Shoemaker

The Wall Street Journal (WSJ) recently published an article, What I Learned From the Hacker Who Spied on Me, that shines a spotlight on hacking and how easily someone can access one of your many devices and technologies. Attackers often accomplish this through a process called phishing. Pronounced like fishing, phishing is a term used to describe a scam in which a malicious individual or group of individuals targets users. They do so by sending e-mails or creating web pages that are designed to collect an individual’s online bank, credit card, or other login information.

In the WSJ piece, journalist Joanna Stern hired an ethical hacker, Alexander Heid, who tried to access her computer and home. He was very quickly able to access her home network, sending a webcam photo of Joanna’s daughter sleeping in her bedroom. In the article, Alexander explains how he accessed her network, which happened to be by applying for a job. He created a fake persona applying for a videographer job, with a resume attachment and a video reel. The scariest part is, it worked. In the pilot episode of the Workolog Go podcast, I touched on how data security concerns are growing in importance as more HR teams, their data, and employee records are housed in the cloud. Here, I’m going to dig a little deeper into how to keep your data and employee records secure.


The Rising Cost of Data Breaches for Employers and HR

Some losses are easy to calculate, such as time spent on help desk activities, investigations and legal defense. Other losses are harder to quantify, such as reputational damage to the business. A report by Gemalto’s Breach Level Index reveals that 945 data breaches led to a staggering 4.5 billion data records being compromised worldwide in the first half of 2018. The total number of breaches was down year-on-year, but the number of records compromised was up 133 percent as the severity of incidents rises. Malicious outsiders caused the largest percentage of data breaches (56 percent), a slight decrease of almost seven percent from the second half of 2017, and accounted for over 80 percent of all stolen, compromised or lost records.

Accidental loss accounted for over 879 million (9 percent) of the records lost this half and was the second most common cause of data breaches, representing over one third of incidents. The number of records and incidents involved in malicious insider attacks fell by 50 percent this half compared to the same time period in 2017.

According to the 2018 Cost of a Data Breach Study: Global Overview from IBM Security and Ponemon Institute, the global average cost of a data breach is $3.86 million, up 6.4 percent from the previous year. Broken down by country, the U.S. leads with an average data breach cost of $7.91 million. Next are Canada, with a $4.74 million average cost, and Germany, with $4.67 million. The countries with the smallest average costs were Brazil ($1.24 million) and India ($1.77 million).

Also included in the study was the amount of time it took companies to identify a data breach in their systems. The average times companies took to identify and contain their breaches were 197 days and 69 days, respectively. The study noted that companies that contained their breach within 30 days ended up saving over $1 million vs. those that took over 30 days to resolve the situation.


How HR Can Protect Your Company Employment and Candidate Data

As HR and workplace leaders, data security must be at the top of your list in order to protect your company. Human resources is the hub for all employee and candidate data. Considering the example I began with in this post, HR is also the most vulnerable to data breaches. The following steps are a good starting place to review any potential areas of vulnerability and institute best practices to protect your company’s data.


  1. Have a consistent employee offboarding and termination process that includes immediately removing access to workplace technologies like HRIS and ATS technology. One study found that one-third of U.S. and U.K. office workers still have access to their former company’s data and systems after leaving their jobs. While much of this data exposure is innocuous and accidental, some malicious individuals may use their access to wreak havoc upon their ex-employer. HR should partner with IT in determining employee data access.
  2. Work with IT to create and establish levels of access based on position type and responsibility to limit your liability and risk. Representatives from different business functions—such as IT, HR, security and finance—should work together to ensure that data security measures are ingrained in your company’s practices. HR can play a role in influencing senior management about the importance of having everyone in the organization follow security procedures.
  3. Train your teams and encourage real-time phishing and data security simulations to determine how safe and secure your data is. Every new hire’s employment contract should include specific language regarding the treatment of confidential data while working for and upon leaving the company. Regular compliance training for all employees should include updates on handling sensitive information.


Employer Data Protection Should Be One of HR’s Top Priorities

Data protection is one of the highest stakes areas of compliance for any company. According to SHRM, state laws are the primary source of potential identity-theft liability for employers. “State laws in this area are a patchwork collection and are neither uniform nor completely consistent,” said Patrick Fowler, an attorney with Snell & Wilmer in Phoenix, in an interview with SHRM Online. California and Massachusetts have been more active than other states in passing data privacy legislation, but virtually all of the states have data breach notification laws. Employers should make sure they know what is required under relevant state laws.

When selecting a vendor that manages data, such as candidate and employee data collected during a background screen or criminal background check, it’s important to work with a verified company with certification in the industry and a pristine reputation. Because your third-party vendors are collecting data on behalf of your company, they must be as vigilant (if not more so) in protecting that data. Companies like Cisive not only ensure data security, they can also help with recruiting database integration, advising your company on best practices for maintaining secure transmission and exchange of data.
