How is HR Supposed to Protect Confidential Data?
1 December 2016
The Intralinks HR Security Series is a monthly blog series authored by Michal Kimeldorfer, Executive Vice President of Human Resources at Intralinks, created to inform HR professionals about the importance of information security when handling confidential files and provide best practices for secure collaboration.
Thanks for joining me on the third installment of my HR Security Blog series. I am writing to you after finishing up a call with a colleague in Singapore. I never cease to marvel at how technology continues to “shrink” our world. Physically, we can get ourselves from one side of the globe to the other in under a day. Digitally, we can traverse that distance almost instantaneously! In fact, a single piece of data can go to all four corners of planet Earth and everywhere in between at the same time, with just the press of a button. It makes global business possible – but the exposure to risk can also be a little daunting!
Last time in this space I posed a question: How is HR supposed to protect confidential data that is customarily handled by HR professionals? This is especially relevant given how quickly some of our most sensitive information can be spread without our knowledge. If we look at the trending data, the betting man would say that data loss is not a question of “if” but “when.”
The best course of action to minimize this type of risk is a four-pronged, proactive approach to handling and protecting sensitive information:
- Technology: Work closely with your IT department to design a system with best-in-class technologies and policies that keeps in mind how the company’s talent actually gets its work done. We all know that sharing information both inside and outside your organization is a necessary part of modern business. So, discuss with your IT, CISO and security counterparts how your company can enable the sharing of sensitive information while protecting it with on-demand security. Tools that enable granular access controls, detailed reporting and information rights management (IRM) can all ensure end-to-end control over confidential information at the file level – all without impeding productivity. Along with implementing technologies that enable collaboration, think through which technologies pose a risk to data security and disable them on company-issued devices. Note that the key here is understanding your people and how they work. A system designed without the individual worker in mind is going to meet with resistance and, in all likelihood, multiple compliance challenges. Who better to lead this effort than HR? Getting this piece right will help protect against external attacks and unintentional internal leaks.
- Education: Get the word out to all employees and contingent workers on the company’s information security policies. Regular education sessions should clearly articulate the do's and don'ts of data protection and the potential hazards of noncompliance – for both the individual and the company. Education and awareness can go a long way toward protecting against accidental data breaches, while also helping the average employee identify, report and rectify noncompliant activity.
- Manage your partner network: Closely monitor vendors and third parties. While these associates are useful members of our corporate ecosystems, they also represent a potential source of serious information risk. Having a robust dialogue with your current and potential partners about their information security practices before engaging in an information-sharing relationship with them is essential. With the mushrooming threat of cybercrime, make sure that any information flowing outside your organization is secure and compliant with regulatory requirements. This will protect against external hacks, accidental data breaches and noncompliant activity.
- Removal of temptation: Do what you can to take sensitive information out of the hands of people who do not need it. Oftentimes, HR has “juicy” information – information that may be too tempting for certain employees to use in strict adherence to company policy. “Compensation curiosity” is a classic example, but intentional information leakage could target any number of files, including future hires/fires, grievance claims and internal audit information. If your internal IT teams don’t need to know something, they shouldn’t have access to it. HR must be able to own the data and have the right security and IT infrastructure in place to maintain confidentiality and compliance. Finally, when employees or contingent workers are off-boarded for any reason, ensure that their access to corporate networks and third-party systems is removed immediately. A survey by Heimdal Security found that nearly 60 percent of fired employees steal sensitive, confidential corporate data – including HR data – after leaving their positions.
I hope you found these suggested approaches helpful. For more information on this topic, I recommend “Executive Guidance: Managing the Hidden Causes of Data Breaches” written by CEB, the best-practice insight and technology company.
Michal Kimeldorfer is the Executive Vice President of Human Resources at Intralinks. She is an accomplished human resources leader with extensive global leadership experience. Michal comes to Intralinks from Adama Agricultural Solutions, where she led human resources in Asia and the Americas. Prior to Adama, she was the leader of global compensation and benefits at Comverse. Before Comverse, Michal worked at Ernst & Young – Tel Aviv as a director of global employment solutions. She began her career serving as a corporate attorney for law firms in Israel.