8 April 2020
How to ensure your HR tech is secure
In many organisations, HR technology often stores the most sensitive types of data the organisation holds, such as employee physical and mental health records, disciplinary information and bank account details.
This is reflected in many data protection regulations around the world, such as the General Data Protection Regulation (GDPR) in Europe, under which this type of HR data attracts an additional level of protection (“Special Category Data”). That said, although data breaches at household names are a regular occurrence in the news, high-profile examples of cyber-criminals specifically targeting HR technology to steal an organisation’s employee data are rare.
What is extremely common, however, is cyber-criminals targeting HR technology for the significantly more lucrative activity of modifying employees’ bank account details to divert salaries into criminal-controlled accounts. A recent example of this happened to the city of Tallahassee in Florida, USA, when cyber-criminals hacked into the city’s payroll system and diverted nearly $500,000 of staff salaries into their own accounts.
This risk to HR technology has grown exponentially with the uptake of cloud-based work systems, such as Office 365, and the increasing demand from employees to access HR systems from anywhere and on any device. Once a cyber-criminal has obtained an employee’s password through a well-crafted phishing email and gained access to their cloud-based mailbox, the HR system password can be reset via that mailbox, allowing the attacker to log in and change the employee’s bank account details.
Another risk to HR technology from cyber-criminals is “ransomware”. If an organisation is unable to pay its employees because its HR system is offline, there is a strong incentive to pay the ransom, which in turn encourages the cyber-criminals to repeat these types of attacks.
Organisations must not allow the risk from cyber-criminals to stunt the adoption of new HR technology that empowers employees to be more efficient and productive. Just as cyber security protections evolved with the introduction of the internet and the smartphone, organisations must evolve their security control framework so that they can use this new HR technology securely.
In general, as a large proportion of cyber-attacks start with phishing emails, organisations must ensure their staff are trained to spot both simple and more advanced phishing emails. Also, when adopting cloud-based systems, organisations must ensure that a password is not the only barrier stopping a cyber-criminal from gaining access to the system, and should enforce two-factor authentication, such as sending a PIN code via text message to a phone.
For HR technology more specifically, organisations should implement email or text-based notifications that alert employees when their bank account details change, so that unauthorised changes are spotted quickly. For more cautious organisations, since changing bank account details is rarely a monthly or even a yearly task for an employee, this functionality could be removed from internet-facing systems and only be available to staff when they are connected to the corporate network. Ensuring staff do not have overly permissive access rights will also help protect against the threat from malicious employees.
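The three controls above (second factor, corporate-network-only access to the bank-details function, and out-of-band notification on every change) can be combined in a single guard in front of the payroll change operation. The following is an added illustration, not code from MHR or any real HR product; the network ranges, field names and sample requests are constructed.

```python
"""Payroll bank-detail change guard: corporate-network-only access, a second
factor, and an out-of-band notification to the employee on every accepted change.
Added example, not MHR's or any real product's code; all values are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: ranges the payroll system treats as the corporate network.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]

@dataclass
class ChangeRequest:
    employee_id: str
    source_ip: str
    mfa_verified: bool   # second factor (e.g. SMS PIN) completed in this session
    new_account: str
    contact_email: str
    contact_mobile: str

@dataclass
class Outcome:
    allowed: bool
    reason: str
    notifications: list = field(default_factory=list)  # (channel, address, text)

def on_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)

def mask_account(account: str) -> str:
    # Notifications show only the last four characters of the new account.
    return "*" * max(len(account) - 4, 0) + account[-4:]

def process_bank_change(req: ChangeRequest) -> Outcome:
    # Control 1: not exposed to internet-facing sessions, so a phished cloud
    # password plus an email-based reset cannot reach this function alone.
    if not on_corporate_network(req.source_ip):
        return Outcome(False, "bank-detail changes require the corporate network")
    # Control 2: a password is never the only barrier.
    if not req.mfa_verified:
        return Outcome(False, "second factor not verified for this session")
    # Control 3: alert on BOTH channels, so the change is still noticed if the
    # employee's mailbox is the thing the attacker already controls.
    text = (f"Your salary account was changed to {mask_account(req.new_account)}. "
            "If this was not you, contact payroll immediately.")
    alerts = [("email", req.contact_email, text), ("sms", req.contact_mobile, text)]
    return Outcome(True, "change applied", alerts)

# Constructed samples: a phished password used from outside, then the same
# employee at their desk after completing the second factor.
PHISHED = ChangeRequest("E1042", "203.0.113.77", False, "GB29NWBK60161331926819",
                        "a.smith@example.com", "+447700900123")
LEGIT = ChangeRequest("E1042", "10.20.30.40", True, "GB29NWBK60161331926819",
                      "a.smith@example.com", "+447700900123")
```

Running `process_bank_change` on `PHISHED` is rejected before any second-factor check, while `LEGIT` is applied and produces one email and one SMS alert.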
If organisations don’t feel comfortable managing the increased security and regulatory risks around HR technology in-house, one option is to outsource their systems to a dedicated HR Technology provider, such as MHR. A dedicated HR technology provider will be able to provide organisations access to the latest in HR technology, such as digital assistants and smart phone apps, while ensuring that the necessary security controls are in place to protect their most sensitive data.
If organisations can find the right balance between adopting new HR technology and implementing the right level of security protections, they will be able to safeguard their most sensitive data while empowering employees through reduced administration, boosted performance and increased engagement.