As HR professionals, we are the touch point for all employee data, everything from employee IDs and performance records to social security numbers and home addresses. We cannot overstate the importance of our role in these times of near-constant cyber-attacks and data breaches. Responsibility for Cyber Security doesn’t fall solely to the IT team.
We know the impact. We’ve heard the stories. The Sony Entertainment hack in 2014 shut down all operations to the point where HR had to issue manual paychecks for 7,000 employees. The recent Equifax data breach in the US impacted over 130 million US citizens. It’s also recently come to light that Equifax in Argentina did not properly secure the DNIs (the Argentine equivalent of a US social security number) of over 111 of its own employees. How did this happen? In part because the password to an employee database was simple enough for the most basic of hackers: admin/admin.
Think for a moment about how a major breach at your company would impact employees, and what it would require HR to do.
What can today’s HR professional do to ensure they are doing their part to protect company assets, employee data, as well as their own information? Start with these 3 actions:
Develop an HR and Cyber business partnership
Take ownership of developing the partnership with your company’s Cyber Security or Information Security team. Understand what they do and why, at a high level. You don’t need to become a CISSP-certified cyber expert. However, you should be knowledgeable about the basics: ransomware, phishing emails, and how to report incidents. This will allow you to be an advocate for their programs and initiatives to the employee base. Attend training or overview sessions and encourage creating an awareness campaign for all employees. They’ll typically need employee data from HR, so that’s a great opportunity to develop the partnership.
Always have a solid and challenging password and change it regularly
I can’t stress this one enough: passwords must be secure and challenging, both on the computer that holds sensitive employee data and on company databases. Ensure your company policy on passwords applies to all systems enterprise-wide. Don’t use information in your passwords that personally identifies you: names, birth dates, children’s names, etc. That information is becoming far too common and easy to obtain.
According to McAfee, a solutions provider for virus protection and internet security, “When 32 million passwords were exposed in a breach last year, almost 1% of victims were using ‘123456.’ The next most popular password was ‘12345.’ Other common choices are ‘111111,’ ‘princess,’ ‘qwerty,’ and ‘abc123.’” What do you think the chances were that some of that 1% of 32 million were HR employees, top-level executives, or administrators with access to sensitive data? Consider password phrases: short statements you can remember. If symbols are allowed, use less common special characters like brackets and plus signs rather than the usual @, #, $, %. Lastly, don’t reuse the same password for multiple services or systems.
Be cautious of how you share data - even internally
I was on a webinar recently where the facilitator shared a story of how an executive assistant received an urgent email from a high-level executive requesting employees’ names, salaries, and addresses, needed by 8am. The assistant didn’t question the request because it came from a high-level executive, and she immediately sent the data. It turned out to be a malicious phishing email designed to look like it came from the executive, and just like that, employee data had been compromised. Always question data requests: what’s the data for? How will it be used? Whom is it being shared with?
Also, don’t just have that conversation over email: pick up the phone and chat about it. If you receive an odd email request, hover your cursor over the sender’s email address and make sure the part after the @ matches your company’s email domain exactly. When you do send the data, does it have to go over email? Could it go in a shared file on a service like Box.com or OneNote instead? Consider password-protecting sensitive files and sending the password to open them separately, as a text message. If you’re not sure how to do these things, a quick YouTube search will show you how to password-protect any Microsoft Office file easily.
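As an added example that is not part of the original post, the small Python check below applies the “matches exactly” rule to the From: line of an email. The company domain example.com and the sample headers are constructed placeholders, and the near-miss cases (a lookalike domain that merely contains the company name, a display name that looks like an internal address) are the ones that fool a quick glance.

```python
import re

# Constructed placeholder for the organisation's own mail domain.
COMPANY_DOMAIN = "example.com"
_ANGLE_ADDR = re.compile(r"<([^<>]*)>")


def sender_address(from_header: str) -> str:
    """Return the delivery address in a From: header, lower-cased.
    Mail clients show the friendly display name; replies go to the address in
    angle brackets. A display name may itself look like an address, so the
    bracketed part always wins when present.
    """
    found = _ANGLE_ADDR.findall(from_header)
    addr = found[-1] if found else from_header
    return addr.strip().strip('"').lower()


def sender_domain(from_header: str) -> str:
    """Return the domain of the sender address, or '' if it is unusable."""
    addr = sender_address(from_header)
    if addr.count("@") != 1:
        return ""  # missing or doubled '@': do not guess
    return addr.rsplit("@", 1)[1]


def check_sender(from_header: str, company_domain: str = COMPANY_DOMAIN):
    """Return (is_internal, reason); True only on an exact domain match."""
    company = company_domain.lower()
    domain = sender_domain(from_header)
    display = from_header.split("<", 1)[0].lower()
    if not domain:
        return False, "no usable sender address"
    if domain == company:
        return True, "exact match"
    if company in display:
        return False, "display name shows the company but the address is elsewhere"
    if domain.endswith("." + company):
        return False, "subdomain, not an exact match: confirm by phone"
    if company in domain:
        return False, "lookalike domain that merely contains the company name"
    return False, "external domain"


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real mail.
    for hdr in ("Pat Exec <pat.exec@example.com>",
                "Pat Exec <pat.exec@example.com.mail-relay.net>",
                "pat.exec@example.com <pat@other.example.net>"):
        print(f"{hdr!r:50} -> {check_sender(hdr)}")
```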
No cyber security system at this time is foolproof. It’s often not a matter of if a company gets hacked, but when. Be cognizant of your actions with company data as an HR professional and you’ll be on the front line of cyber awareness for your clients and your employees.