How to Protect Employee Data from Breaches

Organizations have a responsibility to help protect employee data from breaches. Below are some of the steps you should take to ensure employee data safety.


Here's what you need to know about how to protect employee data from breaches:

  • By limiting the number of people with access to sensitive employee data, organizations can automatically increase their security and reduce the risk of intrusion.
  • All organizations should have a robust disaster recovery strategy that includes data backups.
  • Protecting employee data often comes down to knowing, implementing, and following data safety best practices.

Information is among the most valuable assets a business possesses. That includes proprietary information, trade secrets, and customer information, but it also includes employee data. Attackers increasingly target this type of information because it is directly monetizable: Social Security numbers and dates of birth feed identity theft and fraudulent tax filings, and bank details enable payroll-diversion fraud. Organizations have a responsibility to help protect employee data from breaches, but what steps should they take?

What is employee data security?

The first thing to consider here is what data security is versus what employers think it is. When they hear the term “data security,” most managers immediately think of passwords and two-factor authentication. However, what should come to mind first is human error.

According to Roy Maurer, writing for SHRM, “Human error accounts for up to 52% of the root causes of security breaches.” That is backed up by repeated studies from CompTIA, a leading IT industry association. But what types of human error lead to breaches? And how does an error on the part of an employee give access to hackers or malicious software?


The breakdown of missteps and errors looks like this:

  • 42% of issues are considered general carelessness
  • 31% are failures to understand new threats
  • 29% are due to a lack of expertise with websites or applications
  • 26% involve the failure of IT staff to follow procedures

How do these errors let hackers into a company’s data? While it depends on the nature of the error, it is easy to see how they lead to breaches. For instance, an employee who uses one weak password for both work and personal accounts puts the entire organization at risk: once that password turns up in a breach of any one site, attackers try it against every other service the person is likely to use (credential stuffing), and the company’s HR system may be one of them. Good password hygiene means a long, unique password for each account, multi-factor authentication wherever the system supports it, and a prompt change as soon as a password is known or suspected to be exposed.

Another example could be an employee who receives a phishing email purporting to be from their boss. The email requests something simple – the password the boss “lost,” for instance. The employee sends the password thinking they are helping their boss, when in fact they have handed an attacker a valid credential and thrown the door wide open.

How to limit human error while protecting employee data from breaches

Employees have access to a wide range of sensitive business data. However, organizations also store important personal information about each employee, including:

  • Bank account information
  • Medical information
  • Social Security numbers and other government identifiers

Safeguarding that data while limiting the potential for human error and resulting data breaches requires following specific steps.

Set procedures

First, organizations must create procedures and policies that govern what type of employee information the organization stores and how that information is protected. All employees must be introduced to those policies and procedures and should understand their role in the organization’s efforts.

These guidelines should also include information about what security steps employees must take to safeguard access to the organization’s data files.


Secure records

In addition to setting policies and procedures, organizations must implement controls and solutions that secure employee information. These controls should be:

  • Physical (locked file rooms and cabinets, restricted access to server areas)
  • Administrative (written procedures, training, documented approval before access is granted)
  • Technical (encryption, individual logins with multi-factor authentication, access logging)

Together, these layers should limit access to employee information in more than one way, so that a single lapse does not expose the records.

All electronic records should be encrypted at rest and in transit, reachable only through individual accounts protected by multi-factor authentication, and stored on servers that are patched, hardened, and monitored, with access to the records logged. However, organizations cannot rest on their laurels: threats change, and regular reevaluation of risks is essential to ensure employee data remains secure.

Avoid data breaches by knowing the rules and following them

Organizations across all industries must follow specific guidelines, rules, and requirements. These vary depending on the industry and the type of business, but all organizations must meet some criteria. For instance, under the Americans with Disabilities Act (ADA), employers must keep employee medical information in separate, confidential files rather than in the general personnel file.

Organizations within the life sciences industry must also comply with 21 CFR Part 11, the FDA’s rules for electronic records and electronic signatures. These are just a couple of examples. Managers, HR personnel, and C-suite executives must know the laws and regulations that apply to their organization and then enforce them.

According to Rehan Jalil, CEO of SECURITI and former head of Symantec’s cloud security division, writing for Forbes, “Although customer data privacy violations often make the headlines, employee data privacy is an emerging area of potential liability and risk for organizations. Abiding by these guidelines can help keep regulators at bay.”

Know and comply with data safety best practices

Protecting employee data often comes down to knowing, implementing, and following data safety best practices. For passwords, that means a long, unique password for every account, multi-factor authentication wherever the system supports it, and an immediate change whenever a password is known or suspected to have been exposed. Current NIST guidance (SP 800-63B) favors this over forced periodic rotation, which mostly produces predictable variations of the old password. It is equally important that employees never reuse a password across accounts and do not write passwords down where others can find them.

Password managers can help keep track of this information, but some employees may be reluctant to use one. They shouldn’t be.

According to Rachel Tobac, white hat hacker and CEO of SocialProof Security, “Using a password manager is better than reusing your passwords, and if you need an extra special trick to be convinced a password manager is safe, then I recommend people ‘salt’ their passwords. This means you still store passwords in a password manager, but you also have a unique little code that only you know that’s not stored in your manager. You enter the code manually for your password.

Now, an attacker would have to miraculously break encryption, crack your master password, and bypass your multifactor authentication for your password manager. If they pulled off all these feats, they still wouldn’t be able to use the passwords in your password manager because of encryption.”

Backup data

All organizations should have a robust disaster recovery strategy that includes data backups. While most organizations focus on backing up customer information, as well as proprietary business data, it’s also essential that employee data is regularly backed up. Backups are a second copy of the same sensitive records, so they need the same encryption and access restrictions as the live system, and restores should be tested periodically so the backups are known to work when needed.

Note that all best practices and regulations must still be followed with these backups (organizations can’t combine employee medical records and standard personnel files, for instance).

Only allow authorized access

Finally, organizations must institute a solution that ensures only those with authorization can access employee data. This is particularly important with electronic systems where individual accounts and permissions are configured by hand, because a mistake made at provisioning persists until someone reviews it.

Organizations can automatically increase their security and reduce the risk of intrusion by limiting the number of people with access to sensitive employee data.

For instance, if an organization’s human resource information system (HRIS) automatically gives all new accounts access to all data, this must be adjusted at the time of account creation. HR also needs to periodically reconcile the HRIS user list against the current employee roster to ensure that accounts belonging to employees who are no longer with the company are removed. Employees who have changed positions and no longer need access to specific information should no longer be able to log into their previous areas, either.
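The review described above (leavers whose accounts still exist, movers who kept old rights, new accounts provisioned with access to everything, and logins nobody uses) can be automated as a reconciliation between the HRIS user export and the HR roster. The following is an added example written for this page, not code from any HRIS vendor; the role names, entitlement names, and employee records are constructed for illustration.

```python
"""Added example: a joiner/mover/leaver access review for an HRIS.

Compares an HRIS user export with the HR roster (the system of record)
and flags accounts that should be disabled or trimmed. The roles,
entitlement names and sample records are constructed for illustration;
they are not any vendor's real data model.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Hypothetical least-privilege matrix: the data sets each job role needs.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "payroll_specialist": frozenset({"personnel_file", "bank_details", "payroll"}),
    "hr_generalist": frozenset({"personnel_file", "benefits"}),
    "benefits_admin": frozenset({"benefits", "medical_records"}),
    "employee": frozenset(),  # self-service only; no access to others' records
}


@dataclass(frozen=True)
class RosterEntry:
    """One person in the HR system of record."""
    employee_id: str
    role: str
    active: bool


@dataclass(frozen=True)
class HrisAccount:
    """One login in the HRIS user export."""
    username: str
    employee_id: str
    entitlements: FrozenSet[str]
    created: date
    last_login: Optional[date]  # None = never logged in


def review_access(roster: List[RosterEntry], accounts: List[HrisAccount],
                  today: date, dormant_days: int = 90) -> List[dict]:
    """Return one finding per problem: orphaned, excess_access or dormant."""
    by_id = {e.employee_id: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.employee_id)
        # Leaver, or an account with no person behind it: the whole login goes.
        if emp is None or not emp.active:
            findings.append({"user": acct.username, "type": "orphaned",
                             "action": "disable account"})
            continue
        # Mover or over-provisioned joiner: revoke what the current role
        # does not need. A role missing from the matrix is allowed nothing.
        allowed = ROLE_ENTITLEMENTS.get(emp.role, frozenset())
        excess = sorted(acct.entitlements - allowed)
        if excess:
            findings.append({"user": acct.username, "type": "excess_access",
                             "action": "revoke " + ", ".join(excess)})
        # Dormant: unused for dormant_days, counted from creation if never used.
        last_activity = acct.last_login or acct.created
        if (today - last_activity).days > dormant_days:
            findings.append({"user": acct.username, "type": "dormant",
                             "action": "confirm still needed or disable"})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by type, for the review report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


# Constructed sample data.
ROSTER = [
    RosterEntry("E100", "payroll_specialist", True),
    RosterEntry("E101", "hr_generalist", True),    # moved from payroll to HR
    RosterEntry("E102", "benefits_admin", False),  # left the company
    RosterEntry("E103", "employee", True),         # new hire
    RosterEntry("E104", "hr_generalist", True),
]
ACCOUNTS = [
    HrisAccount("asmith", "E100", frozenset({"personnel_file", "bank_details", "payroll"}),
                date(2020, 3, 1), date(2022, 5, 2)),
    HrisAccount("bjones", "E101", frozenset({"personnel_file", "benefits", "bank_details", "payroll"}),
                date(2019, 6, 1), date(2022, 5, 3)),   # kept payroll rights after moving
    HrisAccount("cwu", "E102", frozenset({"benefits", "medical_records"}),
                date(2018, 1, 1), date(2022, 1, 10)),  # leaver still enabled
    HrisAccount("dlee", "E103", frozenset({"personnel_file", "bank_details", "benefits",
                                           "medical_records", "payroll"}),
                date(2022, 5, 4), None),               # default "all data" at creation
    HrisAccount("ekim", "E104", frozenset({"personnel_file", "benefits"}),
                date(2017, 9, 1), date(2021, 12, 1)),  # unused for months
    HrisAccount("svc_old", "E999", frozenset({"payroll"}),
                date(2016, 1, 1), date(2021, 11, 1)),  # no person in the roster
]
TODAY = date(2022, 5, 5)

if __name__ == "__main__":
    results = review_access(ROSTER, ACCOUNTS, TODAY)
    for f in results:
        print(f"{f['user']:<8} {f['type']:<14} {f['action']}")
    print(summarize(results))
```

Run on the sample data, the review flags bjones (payroll rights kept after moving to HR), dlee (a new account that received every data set by default), ekim (no login in five months), and the two orphaned logins cwu and svc_old, while asmith, whose access matches the payroll role exactly, produces no finding. The same reconciliation run against a real user export and roster is what a periodic access review should produce; the point of the roster lookup is that the HRIS is never its own source of truth about who should have an account.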

This “need to know” approach is also important in preventing human error. However, it does not absolve the company of the need to train all employees to watch for signs of threats, including:

  • Phishing emails
  • Vishing phone calls
  • Spoofed websites and emails
  • Signs of malware


Wrapping it up

Data security has never been more important, but organizations must take an informed approach to protecting employee data. Jack Koziol, Rob Watts, and Cassie Bottorff sum the situation up well in their article for Forbes, where they state, “There is no singular approach to minimizing the human risks that lead to breaches. Employees will need to browse the web, open emails, and even answer the phone with a healthy amount of suspicion. An organization with a strong cybersecurity culture is an organization with a small social engineering attack surface.”
