Security and the role of HR
The Human Resources department is the gatekeeper of highly confidential employee data, and it needs appropriate measures in place to ensure that the trust employees place in it to secure this information is well founded. Employees can also access the company's confidential data, and it's vital that HR, working with IT, have the right tools and procedures to help staff avoid accidental disclosures. Few employees have malicious intent towards employers. Guarding against the few that do requires draconian levels of control, an approach which can stifle the trust within an organisation.
The disclosure of company information, such as an annual appraisal, can be an embarrassment and breach of trust. Other disclosures can have more serious consequences, exposing employees to identity fraud. If you look at most HR databases, it is easy to find an employee's date of birth, their home address and even their bank details. Databases may even include passport information to comply with the Immigration Act. These details, while deeply confidential to each employee, are gold dust to fraudsters.
Here we look at how to protect your employees and the company against the threats posed both by malicious attacks and the more likely accidental data loss.
Securing against accidental data loss
No matter what steps an organisation takes to secure its systems, accidents will happen. Employees and employers will misplace laptops and USB keys or email sensitive information to the wrong recipients. First, it is wise to educate employees about how to avoid accidents and use technology to help manage and secure confidential data, such as encrypting laptops and deploying data leakage prevention software. These tools must be coupled with an atmosphere where employees are comfortable with disclosing any accidental data loss or disclosures as early as possible, so that damage can be controlled. Second, remember that accidents differ from deliberate attacks or theft, even when the actual consequences can be similar. Making an example of an employee who made an innocent mistake can negatively impact the relationship between the employers and other employees. Instead, HR and IT will be seen in a far better light by protecting both employees and the company through education and technology.
Preventing malicious attacks
Gone are the days when we locked files away in cabinets and felt assured they were safe. With virtually all companies having moved away from hard copy documentation, confidential and sensitive data is now kept on computers. Indeed, paper documents are often scanned in too.
"People are a company's greatest asset," say HR, but running a close second is the company's information and data. Protecting these is an HR responsibility, which is why working closely with the company's IT teams is crucial: the IT security policy can safeguard confidential corporate information, better protecting a company's reputation and assets. A company can significantly decrease the risk of a hacking or malware attack designed to steal information by educating employees on safe computing practices, such as the use of passwords, and implementing a security infrastructure that includes encryption, anti-virus, patching and firewall technology. HR teams, who access confidential information on a daily basis, can take this a step further by seeking advice from their IT teams on what extra steps they can take, so they themselves avoid inadvertently leaving the door ajar to hackers.
Deliberate information theft from an internal source
Disgruntled employees taking confidential data is a rare occurrence for companies, but it is one that HR should take into consideration. When a company needs to make redundancies, for example, it would be wise to plan beforehand how it might avoid data breaches in the first place, to protect the employee as well as the data. Again, a strong HR/IT relationship will assist, as you can plan for such situations ahead of time and have a plan of action in place to thwart thefts from internal sources. Should, however, sensitive information like a client database be stolen by an internal source, the organisation also needs policies in place to allow HR to take decisive action against those responsible.
Data loss prevention and privacy issues continue to worry many companies. Whether it's a malicious attempt, a hacking incident or an inadvertent mistake, these occurrences can seriously damage an organisation. By taking the appropriate steps, deploying the right technology and having up-to-date security policies in place, companies significantly decrease the risks.
SOPHOS is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk