The recent report that Facebook exposed between 200 million and 600 million user passwords should strike fear into the heart of every HR professional.
This is a severe GDPR breach, something your company will want to avoid. With multiple fines now being reported across Europe for GDPR breaches, your organisation should place data security at the very top of its list of priorities.
This is especially true for HR professionals due to the vast amount of sensitive information that HR is responsible for.
Have a think about how you store employee information. Do you:
- Use unencrypted spreadsheets?
- Store data on local hard drives?
- Store confidential information in filing cabinets?
- Use HR software that doesn’t have strong security features?
If the answer is “yes” to any of the above, then you need to re-evaluate how you are storing and handling sensitive data.
With the biggest GDPR fine hitting an eye-watering €57 million, you simply cannot afford to take risks with data security – the survival of your company, and your job, depends on it.
Let’s take the Facebook breach as an example and apply it to your own organisation.
Imagine you’re using some sort of employee platform or HR software, and every one of your employees’ passwords was exposed and stolen.
If you were using a platform that had poor security features, then you would – and should – be fearful about what could happen next. Sensitive personal information could be stolen, such as names, addresses, bank details, and even medical information. This would be a disastrous situation that could leave you out of a job and your company liable for prosecution.
Or, even worse, you might only store information in spreadsheets and Word documents, which is simply asking for trouble – any competent attacker could easily steal information stored in that way. This issue is compounded if you use local data storage – what happens if you leave your laptop on the train?
We would all like to think that HR professionals do take data security seriously, but our research has uncovered poor data security practices and a stubbornness to enact meaningful change.
The solution to this issue is to use secure, cloud-based HR software that is feature-rich and suitable for your organisation's needs.
You also must assess whether the HR software you use or are looking to adopt has the following critical security features:
- Two-Factor Authentication – This feature is an apt example in response to the Facebook case. Two-Factor Authentication would give your data an extra layer of protection. It works by sending a unique code via email or SMS after the user enters their password, which the user needs to enter in order to gain access. Even if every employee password was stolen, no malicious user would be able to access your system.
- Password Expiry – This feature works by forcing employees to update their password at set intervals, ensuring passwords are fresh and unique.
- Password Complexity – It’s important that passwords aren’t too simple and easy to guess, so a Password Complexity feature ensures that users create strong passwords.
- Password Lock-Out – This feature allows you to determine how many failed sign-in attempts a user can have before their account is locked. This protects against the risk of brute force password attacks, which can be automated to try thousands – or even millions – of password combinations in an attempt to gain access to an account.
- Password History – This feature forces each user, when changing their password at set intervals, to choose one they haven’t used before.
- Permission Sets – These are used to let a system know what a user is allowed to do and see, which enables you to lock down sensitive information to authorised users only.
- IP Whitelisting – This feature allows you to create lists of trusted IP addresses from which your users can access your HR system. For example, if you only wanted the system to be accessed whilst employees were in the office, you would be able to do so by using an IP Whitelist feature.
- File Upload Restrictions – This would allow you to define what types of files users would be able to upload to the HR system – this reduces the chance of harmful files being distributed between users.
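As an added illustration of how the Lock-Out, Password History and IP Whitelist features above fit together at sign-in, here is a small Python policy module written for this page (it is example code, not taken from any HR product); the attempt threshold, history depth, allowlist range and account structure are constructed assumptions:

```python
import hashlib, hmac, ipaddress, os
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed policy values for illustration; a real product exposes these as settings.
MAX_FAILED_ATTEMPTS = 5      # Password Lock-Out threshold
PASSWORD_HISTORY_DEPTH = 5   # Password History: how many old passwords are remembered
OFFICE_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]  # IP Whitelist (TEST-NET-3, constructed)

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is supplied.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) of old passwords

def create_account(password: str) -> Account:
    return Account(*hash_password(password))

def ip_allowed(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in OFFICE_ALLOWLIST)

def attempt_login(acct: Account, password: str, client_ip: str) -> str:
    if not ip_allowed(client_ip):
        return "denied:ip"          # allowlist is checked before the password is touched
    if acct.locked:
        return "denied:locked"
    if hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
        acct.failed_attempts = 0
        return "needs_2fa"          # password correct; the second factor is still required
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True          # Password Lock-Out: further attempts are refused
        return "denied:locked"
    return "denied:bad_password"

def change_password(acct: Account, new_password: str) -> bool:
    previous = ([(acct.salt, acct.digest)] + acct.history)[:PASSWORD_HISTORY_DEPTH]
    if any(hmac.compare_digest(hash_password(new_password, s)[1], d) for s, d in previous):
        return False                # Password History: a recently used password is rejected
    acct.history = previous
    acct.salt, acct.digest = hash_password(new_password)
    return True
```

Note that a locked account is refused before the password is checked, so an attacker cannot keep probing passwords against a locked account, and the correct-password path still only reaches the second-factor step rather than granting access.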
Just as important, however, is the security culture and diligence that goes on behind the scenes – if your HR software provider, or prospective provider, isn’t responsive to your concerns, or reacts slowly to enquiries, then how can you trust them to keep your data secure?
Are they easily contactable? Can you give them a call and get through to a human being straight away?
Do they conduct regular penetration tests to verify the strength of their platform?
If the answer to any of the above is no, then this should raise alarm bells – and prompt you to make a positive change in your company in order to ensure your company’s data is in safe hands, and avoid any GDPR-related investigations.