Why Businesses Need to Get Serious About HR Data Security

White wave White wave used to provide a visual break between the header and the body of the page.

Our experience in the HR software industry has meant that we have spoken to thousands of businesses across the length and breadth of the UK.

As such, we often come across organisations that continue to show complacency when it comes to data security.

If you or your team stores employee information in spreadsheets (whether encrypted or unencrypted), that represents a major data security vulnerability.

Have a think about how you store employee information. Do you:

  • Use unencrypted spreadsheets?
  • Store data on local hard drives?
  • Store confidential information in filing cabinets?
  • Use HR software that doesn’t take security seriously?

If the answer is “yes” to any of the above, then you need to re-evaluate how you are storing and handling sensitive data.

All HR systems aren’t made equal

There are many HR platforms out there that claim to be secure, and may appear to be secure on the surface. However, you don’t have to dig too much to find that their ‘security features’ leave a lot to be desired.

Permission Sets are a really powerful way to ensure that employee data is only accessible by relevant people. Permission Sets are used to let a system know what a user is allowed to see and do, and determine the type of HR processes that a particular user can be involved with. This means that employee data is siloed effectively and ensures that you remain compliant with the GDPR.

Yet despite the power of Permission Sets, not every HR system will have them. If yours doesn’t, then you should start asking questions.

Beyond Permission Sets, one of the most important modern and easy-to-use security features is called Two-Factor Authentication. Two-Factor Authentication gives your data an extra layer of protection. It works by sending a unique code via email or SMS after the user enters their password, which the user needs to enter in order to gain access. Even if every employee password was stolen, no malicious user would be able to access your system if you have 2FA enabled.

2FA is a relatively simple method of security, yet it is also one of the most important security features. However, despite this, there are popular HR platforms out there that don’t support it, and seemingly have no plans to. If you’re considering HR platforms at the moment, this should raise a huge red flag. If you’re currently using an HR system, then ask them if they support 2FA. If they don’t, you should consider your options.

Consider for a moment that you’re using HR software, and each one of your employees’ passwords were exposed and stolen.

If you were using a platform that had poor security features, then you would – and should – be fearful about what could happen next. Sensitive personal information could be stolen, such as names, addresses, bank details, and even medical information. This would be a disastrous situation that could leave you out of a job and your company liable for prosecution.

Or, even worse, you only store information in spreadsheets and unencrypted documents, which is just asking for trouble – any decent hacker would easily be able to steal information stored in such a way. This issue is compounded if you use local data storage – what happens if you leave your laptop on the train?

We would all like to think that HR professionals do take data security seriously, but our research has uncovered poor data security practices and a stubbornness to enact meaningful change.

The solution to this issue is to use secure, cloud-based HR software that is feature-rich and suitable for your organisation’s needs.

You also must assess whether the HR software you use or are looking to adopt has the following critical security features:

  • Password Expiry – This feature works by forcing employees to update their password at set intervals, ensuring passwords are fresh and unique.
  • Password Complexity – It’s important that passwords aren’t too simple and easy-to-guess, so a Password Complexity feature ensures that users create strong passwords.
  • Password Lock-Out – This feature allows you to determine how many failed sign-in attempts a user can have before their account is locked. This protects against the risk of brute force password attacks, that can be automated to try thousands – or even millions – of password combinations in an attempt to gain access to an account.
  • Password History – This feature forces each user to change their password at set intervals to one they haven’t used before.
  • IP Whitelisting – This feature allows you to create lists of trusted IP addresses from which your users can access your HR system. For example, if you only wanted the system to be accessed whilst employees were in the office, you would be able to do so by using an IP Whitelist feature.
  • File Upload Restrictions – This would allow you to define what types of files users would be able to upload to the HR system, which reduces the chance of harmful files being distributed between users.

Just as important, however, is the security culture and diligence that goes on behind-the-scenes – if your HR software provider, or prospective provider, isn’t responsive to your concerns, or reacts slowly to enquiries, then how can you trust them to keep your data secure?

Are they easily contactable? Can you give them a call and get through to a human being straight away?

Do they conduct regular penetration tests to verify the strength of their platform?

If the answer to any of the above is no, then this should raise alarm bells – and prompt you to make a positive change in your company in order to ensure your company’s data is in safe hands, and avoid any GDPR-related investigations.

What about third party applications?

Businesses often use multiple systems, so their employee data is spread across lots of different locations.

Many HR platforms offer an API, which enables you to integrate the platform with other third party applications.

This is great, and is something which Youmanage offers, too. But what you need to be aware of is whilst your HR platform may be secure, the systems you are – or want to – integrate with your HR platform may not be quite as secure as you would like.

Once a connection has been set up between your HR system and a third party application, your HR system provider cannot guarantee what will happen to your data when it reaches said third party application.

You must perform in-depth due diligence on your entire HR tech stack; ensuring that each piece of the puzzle is of an extremely high security standard.

If you’d like to see how Youmanage can help to secure your employee data, then book a free demo today.