Cyber security heroes
12 April 2018
This article was featured in the May 2018 issue of the magazine.
Mike Green, Datagraphic’s chief information security officer, shares advice to help HR and payroll teams
Technology makes many positive contributions to the way we work, but with a growing acceptance of all things digital there comes a dark force keen to exploit cyber vulnerabilities.
A series of well-documented cyber-attacks, data breaches and data privacy changes – such as the General Data Protection Regulation (GDPR) – have made cyber security, which was once only discussed in IT departments, a priority for most organisations. But how can human resources (HR) and payroll teams play their part in fighting cyber-crime? Here are three good places to start.
Understanding when to use email
Email dates from the early days of networked computing and its basic delivery model has changed little since. It was never designed as a secure way of transmitting data, but inevitably – because of its ease of use and low distribution costs – it has been seized upon for sending everything from payslips to employment benefits.
The problem is that an ordinary email is not protected end to end. It may pass through several mail servers on its way from one inbox to another, any hop may be unencrypted, and the message and its attachments sit in plain text in every mailbox, relay and backup along the route, making it vulnerable to interception by unauthorised parties. A misaddressed message also hands the data straight to the wrong person, with no way to recall it. It’s vital to assess what you send by email and consider whether there are more secure methods for the delivery of personal information. I often use internet banking as an example here.
When was the last time you received a bank statement in the body of, or attached to, an email? The banks don’t do it. They use emails or text messages to alert you to a new document, which you then view on a secure online portal, where your personal information is managed and protected. This is clearly a good balance: email for low-risk notifications that carry nothing sensitive, and a secure portal for the data that needs protection. It’s the way we’ve always worked at Datagraphic with our Epay application.
Employee information such as payslips, P60 certificates and reward statements should be presented securely online using this same banking model as all these documents contain data that would be valuable to criminals.
Assessing security risks in processing
In HR and payroll, protecting employee personal information is often second nature: filing cabinets locked, computer files password protected and printing restricted. But how secure is the data you share externally with third-party processors such as payroll bureaus, IT hosting suppliers, printing companies, pension and reward providers?
Third-party processors deliver vital services, but it’s critical that you, and they, don’t expose employee data to security risks when it’s transmitted, processed and stored. The GDPR increases scrutiny and control of third-party relationships, and your data sharing arrangements should be carefully documented and managed. If you haven’t already done so, audit your suppliers’ security credentials. For some key questions you can ask, I’ve recently shared my Validating your Vendor white paper, which you can download here: https://goo.gl/bTsCkH.
As part of your audit process, it’s essential to understand if your supplier works with sub-processors to deliver all or specific parts of your service. You need assurance that any sub-processor operates to the same high standards of data protection you have agreed with your supplier, so ask about sub-processors as part of your vendor validation.
Taking a step back, consider too how you transfer employee data to third-party suppliers. Unprotected files emailed or sent via plain file transfer protocol (FTP) increase the risk of interception and data breaches. Look at ways to encrypt your communications. SFTP (file transfer over SSH) is an excellent option: it encrypts everything, login credentials included, while it travels between locations, with no manual encryption or decryption step. Bear in mind that it protects the file only in transit, so confirm the server’s host key with the supplier before the first transfer, and make sure the file is protected by access controls or its own encryption once it has landed. If you want to learn more about secure ways to transfer data I recorded a video you can watch here: https://goo.gl/MiR9Xc.
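The three questions in this section (is the transport encrypted, has the host key been checked, and has the supplier confirmed its sub-processors) are easy to lose track of across a dozen suppliers. The script below, an added example that is not code from the article or from Datagraphic, runs those checks over a data-sharing register. The register layout, the supplier names and the transport URLs are constructed for the example and are assumptions; map your own supplier list onto the same fields.

```python
"""Audit a data-sharing register for weak transports and unconfirmed sub-processors.

Added example, not code from the article or from Datagraphic. The register
fields (supplier, data, transport URL, sub-processors, host-key pinning) are an
assumption for the example: map your own supplier list onto them.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Channels that carry the file, and usually the login, unencrypted across the network.
PLAINTEXT_SCHEMES = {"ftp", "http", "smtp", "mailto"}
# Channels that encrypt the data while it travels.
ENCRYPTED_SCHEMES = {"sftp", "scp", "ftps", "https"}


@dataclass
class Transfer:
    supplier: str
    data: str                       # what is sent, e.g. "monthly payroll file"
    transport: str                  # URL-style description of how it is sent
    sub_processors: List[str] = field(default_factory=list)
    sub_processors_confirmed: bool = False  # supplier has confirmed the list in writing
    host_key_pinned: bool = False   # SFTP/SCP only: server key checked with the supplier


def audit_transfer(t: Transfer) -> List[str]:
    """Return the follow-up actions one transfer needs (an empty list means none)."""
    findings: List[str] = []
    scheme = urlsplit(t.transport).scheme.lower()

    if scheme in PLAINTEXT_SCHEMES or scheme == "":
        findings.append(
            f"{t.supplier}: '{t.data}' goes over {scheme or 'an unspecified channel'}, "
            "which does not encrypt in transit; move it to SFTP or a secure portal"
        )
    elif scheme in {"sftp", "scp"} and not t.host_key_pinned:
        findings.append(
            f"{t.supplier}: SFTP host key not verified with the supplier, so an "
            f"impostor server could accept '{t.data}'"
        )
    elif scheme not in ENCRYPTED_SCHEMES:
        findings.append(
            f"{t.supplier}: unrecognised transport '{scheme}'; confirm it encrypts in transit"
        )

    if not t.sub_processors_confirmed:
        findings.append(
            f"{t.supplier}: sub-processor list not confirmed in writing; ask before sharing more data"
        )
    return findings


def audit_register(register: List[Transfer]) -> Dict[str, List[str]]:
    """Run audit_transfer over every entry, keyed by supplier name."""
    return {t.supplier: audit_transfer(t) for t in register}


# Constructed sample register for the example; the suppliers and hosts are not real.
SAMPLE_REGISTER = [
    Transfer("Payroll bureau", "monthly payroll file", "mailto:payroll@bureau.example",
             sub_processors=["Cloud host Ltd"]),
    Transfer("Print supplier", "payslip PDFs", "ftp://ftp.print.example/upload",
             sub_processors_confirmed=True),
    Transfer("Pension provider", "contribution schedule", "sftp://sftp.pension.example/in",
             sub_processors_confirmed=True, host_key_pinned=True),
    Transfer("Reward platform", "reward statements", "https://portal.reward.example/upload",
             sub_processors_confirmed=True),
]

if __name__ == "__main__":
    for supplier, actions in audit_register(SAMPLE_REGISTER).items():
        print(supplier, "-", "no action needed" if not actions else "")
        for action in actions:
            print("  *", action)
```

On the constructed register the payroll bureau gets two actions (payroll file emailed, sub-processors unconfirmed), the print supplier one (plain FTP), and the pension provider and reward platform none. The scheme check is deliberately strict: a transport with no recognisable scheme is treated as unencrypted until someone confirms otherwise.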
Training your teams to be cyber security heroes
In 2016, 33% of data breaches across the UK stemmed from an internal source and in the first quarter of 2017 the Information Commissioner’s Office reported a 27% increase in data sent by email to the wrong person.
The importance of internal information security training is often overlooked, but untrained staff increasingly make organisations targets for cyber-attacks and damaging data breaches. Time and money spent on the most up-to-date secure systems can easily be undermined if staff aren’t adequately trained.
If your team hasn’t undertaken IT security training recently, make it part of their professional development. It’s so important that every person who works with employee data is aware of their information security responsibilities. Good training should include regular security updates, video tutorials, ongoing support, assessment of each individual’s level of understanding and further training as required.
A culture not a department
More often than not, cyber security sits within the IT department, isolated from the rest of the company and its employees. I hope this article outlines the importance of developing a culture where security is part of the way we work, rather than a barrier to it.