With the rise of cloud-based HRIS solutions that enable users to log in from any device, security concerns are on the rise. The addition of unknown IP address access can make systems susceptible to outside hackers, as well as devious computer-savvy employees. Information breaches and identity theft occurring from inside company walls are also a concern that must be addressed.
A HRIS contains highly sensitive data, including employees’ social security numbers, payroll information, and even medical information. Information leaks and data breaches of the HRIS can be detrimental to individual employees and your organization as a whole. As such, it is important to take steps to make sure that that information is as safe as possible, from both internal and external threats.
For all companies, the implementation phase is the time when systems are the most susceptible to breaches and other security concerns. Employers should work closely with vendors and managers to ensure that security is maintained throughout implementation phases, and as the system starts being used on a regular basis.
Purchase with Intention
When you are looking to purchase a new HRIS, look into the reviews and pay close attention to what other companies say about the security of the software. While you may put additional security measures in place after the system has been implemented, going with a vendor that is known for offering a secure HRIS can help to keep your data more secure while limiting the amount of work that you have to put into adding security features.
Check Vendor Security Measures
The security measures a vendor takes to ensure that a company’s data are secure should be understood before the company makes a final HRIS selection. All HRIS vendors take precautions to keep company data safe, but the quality of their security measures may vary.
If no one on the HRIS selection team is a security expert, footing the bill to consult with someone that is qualified may help to ensure that the selected system has adequate security precautions in place.
Restrict Access Based on Needs
During the configuration stage of implementation, employers and managers must be mindful to set up the system so that information is limited and controlled.
Employees should only have access to their own personal information. In addition, every change made by an employee using the system must require authorization. Managers should have limits set, based on relevancy to job needs. This way, only the most critical information is accessible.
Employees and managers are not always honest and looking out for the best interests of the company or the other employees. It is important to make sure that only the most necessary information is accessible by employees at each level. Connecting passwords to access levels is a smart way to make sure that employees and managers are only able to see the information that pertains to them or their job duties.
Putting role-based access restrictions in place during the implementation phase can help to minimize internal threats to data security right from the start. Employees don’t really need access to information that doesn’t pertain to them, and each level of management really only needs access to certain information. By restricting access to just what is needed for employees and managers at each level, you also make it easier for employees to use the system and make it possible to tell who is doing what in the system for audit purposes.
It is also important to make sure that terminated employees are immediately restricted from the system. Bitter employees can do monumental damage to companies when allowed access for just a short amount of time after being let go. In some cases, ex-employees have caused companies thousands of dollars and many hours with just a few clicks.
Before the system goes live, create a few fake employees and test the system to see what you can access. This way you can identify any weak points in the system and work out the bugs before giving everyone access to the system.
Keep Your HRIS Information Safe from Hackers
The HRIS is a veritable gold mine for hackers. Employee names, dates of birth, social security numbers, salaries, and even banking information can be accessed through an HRIS, providing cyber-savvy thieves with everything they need to secure credit cards and commit countless acts of identity theft if they can breach the system’s safeguards. Even large and formidable companies are not immune to breaches and hacks, as evidenced by the breach at CareerBuilder.
Keeping electronic records secure is not impossible, though, it just takes a little knowledge and action. The following are a few ways to make sure that the data in your system stays secure.
Be Aware of Cyber Security
Most employers and HR professionals have absolutely no idea what safeguards are in place on their HRIS, nor what safeguards should be in place. Becoming knowledgeable about these issues is the first step to becoming more cyber secure. HRIS vendors should be happy to explain more about what steps are taken to protect information and a little online research will help to make sure their measures are adequate.
Beware of Phishing Schemes
Most cyber hacks are pulled off not because of system weakness, but because of human folly. Phishing schemes target employees and managers, tricking them into giving up usernames, passwords, and other sensitive information. By spreading awareness throughout the company of these types of schemes, suspicious pop-ups, emails, and phone calls may be flagged and shut down before harm can be done.
Create and Educate Employees on Security Protocols
Even if every employee can only access certain information with their code or card, these access restrictions are ineffective if managers and employees are sharing codes and cards. It is important to make sure that managers and employees know what the stakes are if they share this information. Create disciplinary policies that highlight the possible consequences of sharing access to discourage employees from doing so.
One of the most common causes of internal security breaches is lax internal security protocols. If managers hand out passwords that allow employees to perform certain activities (especially late clock-ins and early clock-outs), it undermines the effectiveness of passwords as a security measure.
To mitigate this issue, employees and managers should be trained to understand the reasons behind security measures as part of implementation training. They should also be held accountable for non-compliance with procedures.
Keep Software Up To Date
Security measures such as firewalls and security patches are only effective if they are up to date. Periodic maintenance should be scheduled to continually make sure that the system is secure and to make changes as needed. Hackers are always figuring out how to bypass security protocols, so it is necessary to stay one step ahead to protect your company.
Enable Timeout Features
Since most HRIS are now cloud-based and can be accessed from any device, timeout features can be extremely helpful. If there is an option to log employees out of the system after a certain amount of inactive time, make sure to activate this potentially valuable option. By the same token, disable features that would allow employees to stay logged into the system, just in case an employee inadvertently leaves a device where it can be stolen or tampered with.
Taking precautions to protect the information in your HRIS can save headaches and prevent damaging breaches. While information is generally more secure in a HRIS than in old-fashioned files, the technology comes with risks that must be addressed.
Frequent Password Changes
Most HRIS systems can be configured to require a password change every so often, usually once every 60 days. While managers and employees may express complaints regarding this measure, it can help to provide an extra layer of security as it protects sensitive information from both internal and external threats. It will also aid in keeping employees and managers from using passwords that are easy to guess based on personal information, as employees must be more inventive when creating new passwords.
Prepare for the Worst
Some of the most sensitive information in any company is contained within its HR files. Much of the information detailed in employee files is helpful or necessary for operations, ensuring that employees are compensated in a timely manner and that all reporting is completed according to legal requirements. However, this same information is valuable and tempting for hackers and thieves.
Security breaches can be devastating to a company’s employees and can sully a company’s reputation. Additionally, new privacy laws under the General Data Protection Regulation (GDPR) in Europe are enforceable as of May, which may result in hefty penalties for non-compliance for any company doing business in Europe (even if headquarters is located elsewhere).
Unfortunately, hackers continue to find new ways around security measures as they are created. It’s important to stay vigilant when it comes to protecting data so that your company is always one step ahead. The following are a few ways that you can work to establish the highest standards for data security and privacy.
Develop Password Priorities
Roughly 63 percent of data breaches can be traced back to weak, default, or stolen passwords according to a Verizon 2016 Data Breach Investigation Report. Passwords can be guessed by coworkers, phished by scammers, or even given away by the managers or employees themselves in the interest of efficiency. Once a thief has infiltrated the system, it can be difficult to re-establish control.
Creating strong passwords and using them properly can prevent data breaches. Forming guidelines that assist employees with setting up strong passwords and guarding them can make a big difference. Outlining policies that prohibit password sharing and enforcing them can also discourage poor practices.
Provide Data Security Training
HR managers, IT professionals, and front line managers should all undergo some type of security training. These individuals all have access to sensitive employee data, so it’s critical to make sure they understand the importance of keeping this data secure. Vendor representatives may be helpful when it comes to teaching employees the best ways to use the features of an HRIS to improve security.
Create Cyber Secure Policies
Not all cybersecurity tactics require technical skills and seminars to achieve. Simply instituting smart policies can sometimes be a company’s greatest prevention against hackers. If HRIS data can be accessed remotely, it is important to institute policies against leaving devices unattended or failing to log out every single time.
Password sharing is another policy centric issue that has cost companies time and money. While password sharing is generally forbidden (otherwise what would be the point of assigning passwords,) it is a common practice in some workplaces where employees often need approvals from busy managers. Creating harsh disciplinary policies to discourage password sharing may seem like an annoyance when instituted, but may help to keep employee information secure and prevent internal breaches.
Minimize Data Collection
One of the main elements of the GDPR is an emphasis on minimizing the amount of data collected to just what is necessary to conduct business with the individual. Minimizing the amount of information collected and stored limits the amount of information available in the system, thereby limiting what hackers and thieves can potentially access in the event of a breach. Even if your business doesn’t operate in Europe, information minimization can assist with improving data security.
Have a Disaster Recovery Plan
A proactive approach in keeping HR information safe can mitigate security threats, but it is important to understand that breaches can still occur. Having a disaster recovery plan in place will minimize the amount of time that your system is down and help to re-secure your data faster. There should be clear procedures in place for responding to a data breach so that the right employees know what to do in the event of a breach.
When a breach does occur, it’s essential that HR managers understand how to handle the breach. Employees whose information has been breached must be notified and proper authorities must be contacted to investigate and report the breach. Having a plan in place can make it quicker and easier to recover from a breach, helping to secure information before further damage can be done and resolving issues stemming from the breach.
Every company must be proactive in order to keep employee data safe and secure. While an HRIS already comes with certain security measures in place, the best practices in this article can help to optimize the effectiveness of those tools.
If you’re in the market for an HRIS that can help you keep your information safer, we can help! Visit our vendor listing page to research your options or visit our vendor match page if you’d like some selection assistance from HRIS experts.
Authored by: Dave Rietsema