Responsible organisations understand the sensitivity of HR and employee data. Within their systems, they have employees’ personal information including bank account details, addresses, medical information, disciplinary records, and grievance disputes.
Security officers and HR departments know that they cannot afford to be cavalier. An employee whose personal information is compromised may have grounds to claim compensation for distress and financial loss if it is because of negligence. Privacy legislation and GDPR rules also hold the threat of severe fines if investigators find negligence is the cause of a data breach.
HR and payroll data is vulnerable to criminals and malicious insiders
Yet, there is a tendency in some companies to believe cyber criminals are more likely to target customer data, intellectual property or try to engineer fraudulent cash transfers. Unfortunately, when accessed, employee data is as likely to be ransomed by criminals as any other type of data. One concerning trend is the willingness of criminals to publish data online – including employee details – if companies refuse to pay a ransom.
Employee data is also more vulnerable to insider attacks by disgruntled workers or former employees who know how to access the organisation’s systems. Breaches of data caused by negligent or malicious employees continue to be a major problem for corporations. An IBM/Ponemon Institute study in 2019 found the frequency of security incidents caused by insiders had tripled since 2016. A separate study by Bitglass shows that 61% of organisations reported at least one insider attack over the last 12 months. The damage caused by insider data breaches isn’t just financial, but most importantly reputational, leading not only to headline news but also to a loss of confidence among customers, suppliers and, of course, employees.
An upgraded, multi-pronged, zero-trust approach to employee data protection
There is however plenty that organisations can and should do to shut down opportunities for cyber criminals or insiders to ransom, steal or destroy HR data. Encryption, installing multi-factor authentication and deploying behavioural analytics all go a long way to protecting employee data.
All employee data should be encrypted to make it harder for criminals to extract and ransom. In 2018, however, a survey of 1,200 firms by 451 Research found encryption was the lowest security expenditure priority for IT. Although global research by Ponemon published this year found 51% of organisations now encrypt employee and HR data, this is still too low. Any organisation not protecting employee data in the cloud this way needs to reassess its security protocols.
Indeed, organisations should reassess their whole security position and implement new tools that identify malicious activity on the network and can shut down the attack quickly before it does any real damage. In addition, businesses need to move to a zero-trust security model on the basis that it is impossible to prevent malicious activity entirely. They need to move away from traditional approaches focused on securing the perimeter and instead authenticate access based on user identity, location, the device used and other factors.
Access to data should be based on what people need to do their jobs and no more, with every request treated as if it came from outside the system or network. HR professionals accessing sensitive data and employees updating their details are often required to use the VPN or a corporate account. Multi-factor authentication, however, is what should be made compulsory for all employees, including secondary validation where necessary.
Modern HR thrives on ease of access. If organisations use a cloud-based platform, their HR teams can log in to the system remotely, enabling them to work efficiently from any location. They can communicate and collaborate with colleagues and use the platform for employee engagement. Employees can access the platform from their mobiles to update their details, apply for leave and so on. Losing this functionality and ease of use would be a retrograde step, so employing multi-factor authentication to generate a second password for such cloud-based platforms and systems is a necessity.
Behavioural analytics make life harder for resentful or greedy employees
Advances in AI provide another important layer of security, using analytics to spot unusual behaviour in a system. In an HR and payroll context, it is possible to assign a risk score to each employee, thus determining their level of access. AI technology can monitor activity in HR and payroll systems and alert security managers when a certain activity does not fit an employee’s usual profile or privileges. Equally, it can detect activity by unauthorised individuals. One of the major advantages of this approach is that insider attacks are much easier to detect, reducing the chances of payroll data manipulation to create ghost employees, divert payments or alter expenses claims or allowances.
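As an added illustration of the profile-based alerting described above (example code written for this page, not from the article or any HR or payroll product), the following Python scores constructed HR/payroll audit events against a least-privilege role map and each user's learned baseline, and flags the ghost-employee pattern where a payee is added with no matching HR record. The roles, actions, score weights, thresholds and sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Least-privilege map of actions each role needs (assumed roles and actions, not from the article).
ROLE_ACTIONS = {
    "hr": {"view_employee", "update_address", "view_disciplinary"},
    "payroll": {"view_payroll", "add_payee", "update_bank"},
}
# Constructed baseline of normal activity: (user, role, action, employee record, timestamp).
BASELINE = [
    ("hr_anna", "hr", "view_employee", "E100", "2021-03-01T10:12:00"),
    ("pay_bob", "payroll", "view_payroll", "E100", "2021-03-01T09:05:00"),
]
KNOWN_EMPLOYEES = {"E100", "E101", "E102"}  # records created through HR onboarding
TODAY = [  # constructed events for the current day, scored below
    ("hr_anna", "hr", "view_employee", "E101", "2021-03-08T11:00:00"),  # routine
    ("hr_anna", "hr", "update_bank", "E100", "2021-03-08T23:45:00"),  # HR user editing bank details at night
    ("pay_bob", "payroll", "add_payee", "E999", "2021-03-08T10:00:00"),  # payee with no HR record
]

def build_profiles(events):  # per-user profile: actions normally performed and hours normally active
    profiles = defaultdict(lambda: {"actions": set(), "hours": set()})
    for user, _role, action, _target, ts in events:
        profiles[user]["actions"].add(action)
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profiles

def score_event(event, profiles, known_employees):  # (risk_score, reasons) vs role policy and user profile
    user, role, action, target, ts = event
    score, reasons = 0, []
    if action not in ROLE_ACTIONS.get(role, set()):
        score += 50; reasons.append("action outside role privileges")
    profile = profiles.get(user)
    if profile and action not in profile["actions"]:
        score += 20; reasons.append("action never seen for this user")
    if profile and all(abs(datetime.fromisoformat(ts).hour - h) > 3 for h in profile["hours"]):
        score += 15; reasons.append("outside usual working hours")
    if action == "add_payee" and target not in known_employees:
        score += 40; reasons.append("payee has no HR employee record (possible ghost employee)")
    return score, reasons

def detect(events, baseline=BASELINE, known_employees=KNOWN_EMPLOYEES, threshold=40):  # flag risky events
    profiles = build_profiles(baseline)
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, profiles, known_employees)
        if score >= threshold:
            alerts.append({"user": ev[0], "action": ev[2], "target": ev[3], "score": score, "reasons": reasons})
    return alerts

ALERTS = detect(TODAY)  # two of the three constructed events are flagged
```

In a real deployment the baseline would be learned from weeks of audit history and the weights tuned against review outcomes; the structure (role policy, per-user profile, record cross-check) is the part worth keeping.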
If organisations adopt these measures using a zero-trust approach, the scope of damage should be limited in the event they are subject to a successful breach. Organisations must accept that staff training in cyber awareness will only go so far. Employees seldom set themselves challenging passwords and remain susceptible to phishing emails, which are still the primary delivery method for malware and ransomware. It is certainly worth training employees, but organisations should not place a heavy reliance on their workforce to protect them.
Finally, any company should be rigorous in the due diligence it conducts on its technology suppliers and partners. It is common practice now for companies to offer employees accounts on wellbeing, financial management, rewards, and discounts applications. But before they integrate with these suppliers, organisations should conduct thorough checks on the state of their cyber-security controls.
There is no magic spell information security officers can use to protect employee data, but they must avoid complacency. Cyber criminals are not fussy, and will steal or ransom any data they can access if they see a potential opportunity for money to be extorted. To substantially reduce the odds of falling victim, organisations need to reassess their HR and payroll data security, employing encryption, multi-factor authentication, and behavioural analytics.