Think about your first day in your current job. Now, think back to all the information you provided on that first day – your bank account details, National Insurance number and copies of your driving license and passport for example. It’s all personally identifiable information (PII), which is fine until you realise the HR folder is open to all users in the company.
People tend to assume that all their data will remain private because they trust their employer to keep it safe. Unfortunately, this faith is sometimes misplaced. Earlier this year, UK retailer Sports Direct revealed that 30,000 unencrypted employee data files were stolen – but didn’t tell employees until it was published in the news.
Similarly, publishing company Mansueto Ventures was targeted by cyber criminals via an email scam similar to those used against companies such as Snapchat and Seagate.
Mansueto Ventures, which publishes Fast Company and Inc., has not revealed specific information about the attack but it’s understood that sensitive data about current and former employees was leaked. It’s this lack of privacy and security which negates any trust that employees have in management to keep their personal data safe.
Knowing where your employee data is stored
New employees, eager to get started, happily provide sensitive information without asking what the company is going to do with it, how and where it is stored, who will have access to it and how long they are going to hold on to it.
Unfortunately, many organisations don’t know where all their employee data is stored – a recent Forrester study highlighted that only 41% of 150 organisations knew where their employee data was located.
Much of this information is stored in databases or HR systems, either on-premise or in the cloud. However, more often than not, personal information also finds its way into files and emails – an image of a driver’s license shared via email, or a copy of database records downloaded and saved locally for example.
These files are then stored in some sort of file share or SharePoint system, and are easily accessible by all. These systems were designed for easy collaboration but lack the controls to properly monitor and protect sensitive information in a way which meets regulatory compliance needs.
But what happens when you play fast and loose with data? The aftermath of a breach, as most people know, is a costly period. Not only does the company suffer lost revenue, regulatory fines (such as those the upcoming GDPR will impose) and subsequent cyber security insurance premium hikes, there are also factors such as brand and reputation to consider.
But there is one other cost that many fail to take into account – the loss of employee trust. For example, would you choose to work for a company in the headlines because of a data breach? Or report to a manager known to be careless with data?
Effective data security
There are five key areas which every organisation should consider when protecting employee data:
Classification – Over and above everything else, an organisation needs to know exactly where all its employee data is stored before access permissions can be allocated. There are automated classification systems available which identify and flag any potentially sensitive information on a company network.
Least privilege permissions – Enforcing a least privilege model means employees only have access to the data they need to do their job. Limiting access on this ‘need-to-know’ basis – and keeping those privileges up-to-date – means that sensitive data is only viewed by those who truly need to see it.
Monitoring data access – Use of sensitive data must be monitored. If data isn’t monitored, how can you determine whether the correct people are accessing it or whether access is being abused?
Data retention – Ensure there are policies in place for data that is no longer required – for example, when an employee leaves. Whilst it’s necessary to retain some data – for references/pensions etc. – personal data that is unlikely to be needed again should be removed from the organisation’s records.
The importance of employee training – Employees need to understand the value of the assets they’re working with. Any employee coming into contact with sensitive information should be trained to use the systems and controls that protect the data, and understand the risk associated with its misuse.
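As an added example (not part of the original article, and not Varonis's own tooling), the following Python script shows the first three areas above in miniature: it walks a constructed sample file share, flags files whose content matches simple UK PII patterns (National Insurance numbers, sort code plus account number), and reports which of those files are readable by every user on the system. The regexes, the sample files and the directory layout are assumptions made for illustration; a real classification system would use far richer rules and would check share or NTFS ACLs rather than POSIX mode bits.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Illustrative patterns for UK PII that commonly ends up in shared files.
# Assumption: these two regexes stand in for a real classification ruleset.
PII_PATTERNS = {
    # NI number: two letters (excluding D, F, I, Q, U, V), six digits, suffix A-D
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    # Sort code (nn-nn-nn) followed by an eight-digit account number
    "sort_code_and_account": re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b"),
}

# POSIX "other can read" bit: any user on the host can open the file.
WORLD_READABLE = stat.S_IROTH


def classify_file(path):
    """Return the set of PII categories found in a text file (empty if none)."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return set()
    return {name for name, rx in PII_PATTERNS.items() if rx.search(text)}


def is_world_readable(path):
    """True if the file's mode bits let every user on the system read it."""
    return bool(os.stat(path).st_mode & WORLD_READABLE)


def scan_share(root):
    """Walk a file share and list files holding PII, with their exposure."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            categories = classify_file(full)
            if not categories:
                continue  # no sensitive content: nothing to report
            findings.append({
                "path": os.path.relpath(full, root),
                "categories": sorted(categories),
                "world_readable": is_world_readable(full),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_share():
    """Create a constructed demo share in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="hr_share_")
    hr = Path(root, "HR")
    hr.mkdir()
    # Constructed sample content: every identifier below is made up.
    (hr / "new_starter.txt").write_text(
        "Name: A. Example\nNI: AB123456C\nBank: 12-34-56 12345678\n"
    )
    (hr / "policy.txt").write_text("Holiday policy: 25 days per year.\n")
    (hr / "payroll_export.csv").write_text(
        "name,bank\nB. Example,98-76-54 87654321\n"
    )
    os.chmod(hr / "new_starter.txt", 0o644)    # readable by everyone
    os.chmod(hr / "payroll_export.csv", 0o600) # owner only
    os.chmod(hr / "policy.txt", 0o644)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for finding in scan_share(share):
        exposure = "OPEN TO ALL USERS" if finding["world_readable"] else "restricted"
        print(f"{finding['path']}: {', '.join(finding['categories'])} [{exposure}]")
```

Run as written it reports `new_starter.txt` as holding both PII types and being open to all users, while `payroll_export.csv` holds PII but is restricted to its owner; `policy.txt` is not reported at all. That ordering of questions (what is sensitive, then who can reach it) is the same one the classification and least-privilege steps above describe, and the report is the kind of artefact a monitoring process would reconcile against access logs.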
It’s easy for an organisation to say it takes the security of employee data very seriously, but very few will specify how they do this. Those that do automatically have a competitive advantage in finding and keeping the best employees for the job.
Sourced by Brian Vecci, technical evangelist, Varonis