HR sits on a powder keg of data security breaches
May 1, 2014
By Kristin Cifolelli, courtesy of SBAM Approved Partner ASE
How often do you stop on the way home from work and run errands with your company laptop in the back of your car? How often do your employees do it? How well do you (and they) safeguard work information you take outside the office? Do you know what happens to confidential and proprietary information your employees may download onto thumb drives, or wherever they save data, that they can access from their personal electronic devices?
Do those thoughts make you nervous? If they don’t, they should.
Coca-Cola Corporation, which is famously known for safeguarding its secret formula, discovered the hard way that its HR department wasn’t as good at safeguarding employees’ personal information. In January 2014 the company had to disclose that sensitive and personal information of roughly 70,000 current and former North American employees, including social security and driver’s license numbers, had been compromised. The data hadn’t been encrypted as required by company policy, and the laptops that held it were stolen by a former worker.
Many organizations today have yet to invest the time and resources to develop comprehensive data security policies that outline how their employees should handle organizational data. If they do have policies, they are often outdated or ineffective.
When we think about data security breaches today, we usually think about incidents with big retailers like Target having their credit and debit cards breached. But what many HR professionals don’t appreciate is how much confidential, propriety data they are sitting on, and the potential legal and financial exposure they risk if that information is compromised.
Breaches are costly and more common than employers realize – they just aren’t as well publicized as the Target breach. Creating, communicating and enforcing data security policies that help prevent data loss should become a top priority of every organization that employs people.
In July 2013 the Ponemon Institute conducted a Data Protection Trends Research study. According to Larry Ponemon, chairman of the Institute, more than half of Fortune 1,000 firms experience a breach of 1,000 to 100,000 confidential records, including those of employees, each year. The most expensive data breach event included in the study cost a company nearly $31 million to fix. The least expensive cost of a data breach was $750,000. It is reasonable to assume that Coca-Cola will be spending multiple millions on cleaning up the aftermath of its data breach.
Most breaches are not the result of some hacker sitting in a room full of computer equipment trying to crack a network’s security defenses. Those kinds of breaches are not that common. The greatest threat to an employer’s data security is its own employees. That is why this should be an HR concern, not just an IT concern.
Despite the explosion of personal devices coming into the workplace, 60% of companies still do not have a BYOD (“Bring Your Own Device”) policy in place, according to the Ponemon study. With more and more employees coming to not only prefer but rely on their personal devices, organizations need to figure out how to enable employees to work securely on those devices.
The majority of data security policy violations and security breaches happen because employees simply do not understand the risks associated with their behavior. Many are the result of simple human error or plain carelessness. Here are some examples; a full list of the possibilities could be endless:
- “Auto-prefill” in a company’s email system can result in confidential information going to the wrong person.
- Spreadsheets with hidden columns get shared with others inadvertently.
- People leave sensitive documents on copiers/printers.
- People take home thumb drives or paper files and lose or misplace them.
- People leave laptops unattended or in plain view inside a car, becoming easy targets for thieves.
- Personnel files are discarded without being shredded.
Do any of these potential breaches look familiar to you?
Ultimately, HR professionals need to work with their organization’s leadership and IT departments to develop data security policies that work in the real world. Here are some guidelines to keep in mind as you develop those policies:
- Build awareness so that employees understand and regularly follow procedures.
- Use clear, consistent and regular communication to keep employees informed as policies change to keep up with developing technologies.
- Ensure top leaders set the tone and visibly support security efforts by incorporating it into organizational culture.
- Make employees partners in the security effort. Employees will more willingly buy into the process if they feel that the compliance initiatives are there to help them, not to police them.