25 January 2022
Major changes to security requirements: is your HR system compliant?
If your cloud-based HR or payroll system is not protected with multi-factor authentication, your organisation may not be compliant with new UK security requirements. Find out what's changed and what you need to do to remain compliant.
Over 24,000 organisations in the UK are certified to the UK Government-backed Cyber Essentials scheme. While some organisations certify simply to gain assurance over their own security, certification is a mandatory requirement for suppliers bidding for certain public-sector contracts.
Starting this week, a major overhaul of the scheme could see thousands of organisations scrambling to implement new controls to maintain compliance. This is the biggest update to the scheme since it launched in 2014 and comes in response to the evolving and changing cyber security challenges that organisations now face.
From 24 January 2022, to become Cyber Essentials certified, organisations will need to comply with changes in several key areas. These include specific requirements for devices used for home working, a greater focus on smartphones and tablets, and more stringent requirements around applying software updates.
By far the biggest change is that all cloud-based services are now in scope. If your organisation hosts any data or services in the cloud, such as an HR or payroll application, these systems must comply with the following security requirements:
- Implement multi-factor authentication (MFA) for standard and administrative users.
- Enforce strong passwords, including a minimum length of 12 characters.
- Change default passwords and remove or disable unnecessary user accounts.
- Use separate accounts for standard and administrative activities.
- Control the access assigned to each user, following the principle of least privilege when granting permissions.
Also, you must check that the following controls are implemented by your cloud service provider:
- Firewalls are in place to prevent unauthorised access.
- Malware protection is installed to prevent the installation of malicious software.
- Regular security updates are applied to protect your systems from known vulnerabilities.
More about MFA
It is now an everyday occurrence for threat actors to use techniques such as phishing to steal passwords and gain unauthorised access to cloud-based services. This has resulted in a worrying increase in cloud-based data breaches, with over 75% of companies reporting that they have experienced one in the last 18 months. To address this, MFA is now required across all systems where it is available, and must be in place on all cloud services.
Due to the complexity of the changes needed to implement MFA for all users, the requirement is only being enforced initially for administrative accounts in January 2022. MFA will be needed on all standard user accounts from January 2023.
As its name suggests, MFA uses at least two separate factors to authenticate who you are. One of these is usually your username and password: something you know. The other could be:
- something you have – a mobile phone, a key card or a USB security key.
- something you are – a fingerprint or facial recognition.
Because most individuals reuse as few as five passwords across all their accounts, stealing just one password can give a threat actor access to multiple accounts and services. MFA adds a second check, so that a stolen password on its own is no longer enough to log in. Note that not all second factors are equal: one-time codes and push prompts can still be relayed by a real-time phishing page, whereas hardware security keys (FIDO2/WebAuthn) are bound to the genuine site and resist this.
What to do next?
More than 80% of the cyber-attacks on UK businesses could have been prevented by implementing some basic security controls. To check that you have these controls in place, start with the Cyber Essentials readiness tool, which will help you understand where to begin your preparations and identify any key gaps.
The readiness tool is the first step on your journey towards becoming Cyber Essentials certified, but if you require further assistance the IASME consortium will be able to help you through the process.
Implementing MFA for your MHR systems
MHR has already made MFA mandatory for its customers from 1 July 2022. We recommend integrating your own Identity Provider (IdP), such as Azure AD, for simplified central management. If you don't have your own IdP, or some employees do not use it, MHR can provide its own MFA solution to meet your needs.
This should put you in a strong position to comply with these new requirements. If you are not already using MFA when accessing your MHR systems, or do not have a plan to move to MFA, please contact your Customer Relationship Manager.
Is Cyber Essentials enough?
The Cyber Essentials scheme defines only a minimum set of security requirements. Many organisations will require significantly more security, particularly if they are handling personal data. For these organisations MHR has developed iTrent Shield.
iTrent Shield is a suite of products that add advanced protection over the sensitive HR and payroll data stored in your iTrent application. The User Behaviour Analytics (UBA) module uses AI-powered algorithms to baseline normal activity and alert you to any potentially malicious behaviour, such as a user stealing personal data or someone changing bank account details without authorisation. The Advanced Anti-Virus module analyses all uploaded files in a safe, sandbox environment to identify malicious software before it gets to your users. This is extremely important for HR teams needing to open CVs from unknown third parties as part of their day-to-day job.
Need assistance from MHR?
If you would like assistance to ensure your MHR systems meet the Cyber Essentials requirements or are interested in our advanced security options, please contact your Customer Relationship Manager.