The cyber attacks against HR data services firm ComplyRight and talent management platform PageUp show that employee data remain exposed to identity theft even in an era of stricter data privacy rules.
The mere existence of such data creates risk, analysts from Deloitte said. Companies that store sensitive employment information, whether through a third-party service or an in-house HR information system (HRIS), become a prized target for cybercriminals, security experts warned.
“The HRIS is a veritable gold mine for hackers,” said Dave Rietsema, founder and CEO of HRISPayrollSoftware.com. With employee names, birthdates, Social Security numbers, salaries and bank details lifted from HR records, data thieves can commit identity theft directly and use the stolen details to mount further attacks against the organisation and its staff.
How can HR departments ensure their HRIS is safe from hackers?
At the start of a software implementation, HR and IT managers need to confirm that the security measures the vendor will put in place, both their nature and their coverage, are adequate for the size and complexity of the organisation. Where the system processes personal data of EU employees, it will also need to comply with the EU General Data Protection Regulation (GDPR).
Every vendor will have some security controls in place, but their strength varies from vendor to vendor. The basic questions buyers should ask concern the levels of access different users will hold and the number of paths by which the system can be reached:
- How many from the HR/IT teams will hold an administrator’s account?
- Which modules will be accessible to different types of users?
- How many will be able to view and modify the contents/modules in full?
- Will the HRIS be open to remote access?
- Who will be given remote access?
- How will access be authenticated? Is multi-factor authentication enforced, and if so with which second factor: a code-based method or a physical security key?
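The questions above amount to a least-privilege policy: which roles may view or modify which modules, over whose records, and under what authentication. The following Python is an added illustration of how such a policy can be written down and enforced as a single access decision; it is not code from the article or from any HRIS product, and the roles, modules, rules, administrator ceiling and the staff directory are all constructed assumptions for the example.

```python
"""Least-privilege access checks for an HRIS (added example).

Roles, modules, rules and the staff directory below are assumptions made
for illustration, not the policy model of any real product.
"""
from dataclasses import dataclass
from typing import Optional

# role -> module -> (allowed actions, record scope)
# scope "all": any employee's record; "team": the caller's direct reports;
# "self": only the caller's own record.
POLICY = {
    "hr_admin":      {"personal": ({"view", "modify"}, "all"),
                      "payroll":  ({"view", "modify"}, "all"),
                      "leave":    ({"view", "modify"}, "all")},
    "hr_generalist": {"personal": ({"view", "modify"}, "all"),
                      "payroll":  ({"view"}, "all"),
                      "leave":    ({"view", "modify"}, "all")},
    "manager":       {"personal": ({"view"}, "team"),
                      "leave":    ({"view", "modify"}, "team")},
    "employee":      {"personal": ({"view", "modify"}, "self"),
                      "payroll":  ({"view"}, "self"),
                      "leave":    ({"view"}, "self")},
}

HIGH_RISK_MODIFY = {"payroll"}   # assumed: changes here need a hardware key
MAX_ADMINS = 2                   # assumed ceiling on administrator accounts


@dataclass
class User:
    uid: str
    role: str
    manager: Optional[str] = None  # uid of this user's line manager


@dataclass
class Session:
    user: User
    remote: bool                   # reached over the internet / VPN
    mfa: bool                      # a second factor was verified
    hardware_key: bool = False     # that second factor was a physical key


def decide(session, module, action, target, directory):
    """Return (allowed, reason) for `session` performing `action` on
    `module` for the record of employee `target`. `directory` maps uid -> User."""
    user = session.user
    # Rule 1: the role must grant this action on this module at all.
    grants = POLICY.get(user.role, {}).get(module)
    if grants is None or action not in grants[0]:
        return False, f"role {user.role} has no {action} on {module}"
    # Rule 2: remote sessions and administrators must have completed MFA.
    if (session.remote or user.role == "hr_admin") and not session.mfa:
        return False, "MFA required for remote or administrator sessions"
    # Rule 3: modifying a high-risk module needs a hardware second factor.
    if action == "modify" and module in HIGH_RISK_MODIFY and not session.hardware_key:
        return False, f"modify on {module} requires a hardware security key"
    # Rule 4: the target record must lie within the role's scope.
    scope = grants[1]
    if scope == "self" and target != user.uid:
        return False, "scope limited to own record"
    if scope == "team":
        tgt = directory.get(target)
        if tgt is None or tgt.manager != user.uid:
            return False, "scope limited to direct reports"
    return True, "allowed"


def excess_admins(directory):
    """Administrator uids beyond MAX_ADMINS, i.e. accounts to review."""
    admins = sorted(u.uid for u in directory.values() if u.role == "hr_admin")
    return admins[MAX_ADMINS:]


# Constructed staff directory for the example.
DIRECTORY = {u.uid: u for u in [
    User("alice", "hr_admin"), User("grace", "hr_admin"), User("heidi", "hr_admin"),
    User("bob", "hr_generalist"),
    User("carol", "manager"), User("frank", "manager"),
    User("dave", "employee", manager="carol"),
    User("erin", "employee", manager="frank"),
]}

if __name__ == "__main__":
    s = Session(DIRECTORY["carol"], remote=True, mfa=False)
    print(decide(s, "leave", "view", "dave", DIRECTORY))   # blocked: no MFA
    print(excess_admins(DIRECTORY))                        # ['heidi']
```

Each refusal carries a reason, which is what an auditor wants logged when reviewing denied requests. The administrator ceiling is deliberately a single constant so the answer to "how many admins?" is enforced rather than merely documented.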
For HR teams that rely on third-party data-services firms, it is important to check that the provider not only operates robust security controls (able to bar unauthorised access and detect malicious software) but also complies with GDPR rules on how and where personal data are stored.
Since some attacks use malware to gain entry, organisations need to keep their anti-malware and endpoint protection signatures up to date, and to train all users not to transfer or download suspicious files within the system.