Sept. 7 — The human resources department is a target for cyber-crime because it controls employees’ personal information, so it must take an active role in its own defense, consultants say.
“Yes, there are associated risks that other departments may not face, as HR holds some of the most valuable data in an organization—the personally identifiable information of their employees,” said Shawn Neibaur, systems administrator at Lindon, Utah-based HR software company BambooHR.
“In addition, HR often controls the onboarding of employees, meaning that an attacker who compromises HR could register themselves as an employee and gain access to other systems. Also, HR is a facilitator for the entire company, so attackers may try to impersonate HR personnel to gain compliance from other departments,” Neibaur said.
“HR is an essential part of the security training process and needs to be involved and invested, not only in protecting their own data, but also in training other departments in basic information security and social engineering techniques,” he told Bloomberg BNA in an Aug. 31 e-mail, referring to manipulative methods cyber-criminals use to impersonate someone their victim trusts and thereby gain unauthorized access.
“Proper security buy-in and support from HR is just as important as support from the executive team,” he said.
Susan Vitale, chief marketing officer for Matawan, N.J.-based talent acquisition software provider iCIMS, said HR should take special steps to protect itself, over and above following IT’s instructions.
“Ensuring that roles within HR are clearly defined, both organizationally and within any computer systems that HR uses, is especially important to ensure that data is only accessible to those who need access to it,” she told Bloomberg BNA in an Aug. 31 e-mail.
For example, “it is important that a hiring manager for a certain department doesn’t have the same access settings as an HR manager,” Vitale said. “Be sure to ask your vendor if these settings are configurable. Also, reviewing audit trails for unexpected activities quarterly is effective. These two relatively straightforward activities can dramatically decrease the risk of a security compromise.”
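The two controls Vitale describes, distinct access settings for a hiring manager versus an HR manager and a periodic review of the audit trail, can be expressed as a small policy check. The following is an added example, not code from iCIMS or from the article; the role names, resource names and audit-log entries are constructed for illustration and do not correspond to any product's API.

```python
"""Role separation plus audit-trail review for an HR system (added example).

Two controls are shown: (1) a hiring manager's permissions are a subset of an
HR manager's and are scoped to the manager's own department, and (2) a review
pass that flags audit-log events the policy says should not have succeeded.
All names and log lines below are constructed, not taken from any product.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A permission is an (action, resource) pair. Assumed names, not a real API.
Permission = Tuple[str, str]

ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    # Hiring manager: candidate data only; department scoping is enforced
    # separately in authorize().
    "hiring_manager": {
        ("read", "candidate_profile"),
        ("update", "interview_feedback"),
    },
    # HR manager: candidate data plus employee PII and compensation records.
    "hr_manager": {
        ("read", "candidate_profile"),
        ("update", "interview_feedback"),
        ("read", "employee_pii"),
        ("update", "employee_pii"),
        ("read", "compensation"),
        ("export", "employee_pii"),
    },
}

# Resources that non-HR roles may only touch within their own department.
DEPARTMENT_SCOPED = {"candidate_profile", "interview_feedback"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str


@dataclass(frozen=True)
class AuditEvent:
    user: User
    action: str
    resource: str
    resource_department: str  # department the accessed record belongs to
    outcome: str              # what the system recorded: "allowed" or "denied"


def authorize(user: User, action: str, resource: str, resource_department: str) -> bool:
    """True only if the role permits the action and, for department-scoped
    resources, the record belongs to the user's department. Only the
    hr_manager role may cross departments in this model."""
    allowed = ROLE_PERMISSIONS.get(user.role, set())
    if (action, resource) not in allowed:
        return False
    if resource in DEPARTMENT_SCOPED and user.role != "hr_manager":
        return resource_department == user.department
    return True


def review_audit_trail(events: List[AuditEvent]) -> List[str]:
    """Quarterly-review style pass: report events that succeeded although the
    policy says they should not have (a misconfiguration), and denied attempts
    (the control held, but the attempt itself deserves a follow-up)."""
    findings: List[str] = []
    for ev in events:
        expected = authorize(ev.user, ev.action, ev.resource, ev.resource_department)
        if ev.outcome == "allowed" and not expected:
            findings.append(
                f"POLICY GAP: {ev.user.name} ({ev.user.role}) was allowed to "
                f"{ev.action} {ev.resource} for {ev.resource_department}"
            )
        elif ev.outcome == "denied":
            findings.append(
                f"DENIED ATTEMPT: {ev.user.name} ({ev.user.role}) tried to "
                f"{ev.action} {ev.resource} for {ev.resource_department}"
            )
    return findings


# Constructed sample users and audit log.
ALICE = User("alice", "hiring_manager", "engineering")
BOB = User("bob", "hr_manager", "hr")

SAMPLE_LOG = [
    AuditEvent(ALICE, "read", "candidate_profile", "engineering", "allowed"),  # in policy
    AuditEvent(BOB, "read", "employee_pii", "sales", "allowed"),               # in policy
    AuditEvent(ALICE, "read", "candidate_profile", "sales", "allowed"),        # scope misconfigured
    AuditEvent(ALICE, "export", "employee_pii", "engineering", "denied"),      # control held
]

if __name__ == "__main__":
    for line in review_audit_trail(SAMPLE_LOG):
        print(line)
```

Running the script over the constructed log produces two findings: one policy gap (a hiring manager reading another department's candidate record) and one denied attempt. The first is the kind of "configurable setting" question to put to the vendor; the second is the kind of unexpected activity a quarterly review is meant to surface.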
In small organizations that may not have a full-fledged IT department, HR needs to be even more proactive about its own defense, Neibaur and Vitale said.
However, Neibaur said, “while there are many technical aspects to information security, the most important security controls require little more than common sense and a healthy sense of skepticism. By educating staff on the hazards of social engineering, the HR department can mitigate the most common intrusion method without needing to write a single line of code or harden a server.”
Said Vitale: “It is important for smaller organizations to understand the security posture of their service providers, especially if they don’t have a dedicated IT or information security department of their own. If this is the case, understanding the security capabilities provided by the software vendor should be a top priority.”
Questions she suggested asking the software vendor are:
“A vendor committed to security will have implemented a much stronger security environment than a smaller organization could actually afford themselves,” Vitale said.
To contact the reporter on this story: Martin Berman-Gorvine in Washington at email@example.com
To contact the editor responsible for this story: Tony Harris at firstname.lastname@example.org
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.