2018 will be the year of HR Data theft

If 2018 becomes the year of HR data theft, make sure you are not the victim

Very recently, a disgruntled Twitter employee [i], on his last day of work, deactivated the Twitter account of Donald Trump. Although this is an isolated example of what employees can do to an organization's data or confidential information, it tells us that no individual or company, big or small, is safe from breaches or cyber threats.

We all know that data is the new oil! 

But if data is the new oil, it comes with a new price: data manipulation and breaches!

And that’s why you need to make sure that the oil pipe is not leaking!

The digital world runs on data and allows an organization to create an offering that is specific to an individual. When you use Google to search for something, the results that show up vary depending on the browser you use, your location and whether you have signed in to Google or not. The data collected from billions of users allows Google to sell advertisements that are intended to appeal to the individual user.

Breached today, realized months later!

The pattern of data breaches is clear. The attackers sneak into the databases. Since they operate in stealth mode, their presence goes undetected for months. Could it be that your employees' data has already been compromised while you remain blissfully unaware?

If you had a Yahoo email account, or have used one of its services such as Flickr, it is quite likely that it was one of the one billion accounts that were hacked in 2013. It was one of the largest breaches ever. In October 2017, when Verizon, the new owner of Yahoo, employed cyber-security professionals to comb through the details of the breach, they found that three billion records were affected. Talking of Verizon, the phone numbers, names and PIN codes of six million Verizon customers were left exposed online for around nine days because of a misconfiguration.

Along the same lines, in September 2017, Equifax reported that the personal data of 143 million Americans had been breached. Cyber criminals accessed data such as Social Security numbers, birth dates and addresses during the incident. The breach happened on 29th of July 2017 but came to light much later.

The infamous Target data breach happened months before it was discovered. The attackers broke into a supplier's computer system and then worked their way to the credit card information database.

Employee data can reveal a lot!

The Companies (Appointment and Remuneration of Managerial Personnel) Rules make it mandatory for a publicly listed company to declare the salaries of its ten highest paid employees. The Annual Report of a company lists the names of all employees who are paid more than one crore and two lakh rupees.

This data is publicly available and is regularly accessed by headhunters, competitors, curious employees and tax authorities. This information could reveal disparities in pay by gender or function.

Sony Corp. agreed to pay as much as $8 million to settle claims from employees over the theft of their personal information in a computer hack linked to the release of the controversial movie "The Interview". When the data was breached in December 2014, North Korean hackers were alleged to be responsible. The 2014 Sony hack also revealed that female lead actors were routinely paid less than their male counterparts.

Data about health, psychometric testing etc.

Besides compensation-related data, there is much more that employee databases can reveal. Data about domestic partners can reveal the sexual orientation of employees, and medical records and related information are prime targets for misuse.

Access to data about succession planning can be precious to competitors and search firms alike. Even knowing the company's email address convention (e.g. firstname.lastname@companyname.com) can be used by attackers to send phishing emails to all employees. After all, they need just one employee to click on the link. I know of an IT giant that uses algorithms to generate email addresses for new hires. The pattern is changed frequently.

Psychometric tests are routinely taken by employees during training programs or when development centers are used to identify high-potential employees. It may be worth examining who can access this data and what checks and balances are in place to prevent leakage and misuse.

Get Started

It may be wise to ask your employer's HR department what data about you is stored (it is your data, remember!). Ask who has access to your data and how it is being protected. Ask if the data is encrypted.

Where? Where is the data stored? Besides servers, a lot of data resides on individual devices and on paper scattered across offices.

Who? An access matrix will help people decide which roles (not individuals) need access. When an individual moves out of that role, access must be revoked immediately.

How long? Create policies that specify how long data will be retained after an employee leaves. What kind of data needs to be kept for compliance, and what procedure will the HR team follow for the rest of the data?
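The Where/Who/How long checklist above, as an added example that is not part of the original article: a role-keyed access matrix in which a role change or offboarding revokes access immediately, plus a retention sweep over departed employees' records. Category names, role names and retention periods are constructed placeholders, not any company's real policy.

```python
from datetime import timedelta

# Constructed access matrix: HR data category -> roles allowed to read it.
# Keyed by role, not by named individual, as the article recommends.
ACCESS_MATRIX = {
    "compensation":    {"hr_comp_analyst", "hr_head"},
    "medical":         {"hr_benefits"},
    "psychometric":    {"hr_talent_dev"},
    "succession_plan": {"hr_head"},
}

# Constructed retention periods (days after the employee's exit date).
# Real values come from local law and company policy.
RETENTION_DAYS = {
    "compensation": 7 * 365,  # assumed payroll/tax compliance requirement
    "medical": 0,             # no compliance need assumed: purge at exit
    "psychometric": 0,
    "succession_plan": 0,
}

class HRAccessControl:
    def __init__(self):
        self.roles = {}  # user -> current role (one role per user)

    def assign_role(self, user, role):
        # A new role replaces the old one, so the previous role's
        # permissions are revoked at the moment of the move.
        self.roles[user] = role

    def offboard(self, user):
        self.roles.pop(user, None)

    def can_read(self, user, category):
        role = self.roles.get(user)
        return role is not None and role in ACCESS_MATRIX.get(category, set())

def purge_due(records, today):
    """Split records into (keep, purge) lists by retention policy.
    Record: {"employee": str, "category": str, "exit_date": date|None};
    records of current employees (exit_date None) are always kept."""
    keep, purge = [], []
    for rec in records:
        exit_date = rec["exit_date"]
        if exit_date is None:
            keep.append(rec)
            continue
        deadline = exit_date + timedelta(days=RETENTION_DAYS[rec["category"]])
        (purge if today >= deadline else keep).append(rec)
    return keep, purge
```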

If you are the influencer in the HR team, then here are a few ideas for you to consider:

During mergers and acquisitions activity, pay special attention to data security. It is not just the security of the IT systems but also the average employee's attitude towards data security and privacy that matters.

Ask for the HR data hubs to be audited for security with the same degree of stringency that you apply to access to financial systems.

Train and certify every employee in the HR team on data security and access. Make rules about access to HR databases from unsecured personal devices. Bring Your Own Device (BYOD) arrangements add a further layer of challenges to keeping your HR data secure.

Make your data policy known to employees. It is their data. Ask them for ideas about best practices.

Create day-zero scenarios. Plan how you will react if you learn that your HR data is available on the web. What if someone wants to use it to expose inconsistencies, or even to hold you to ransom? Whose help can you call on? What does it cost, and how long does it take, to address such a breach?

If 2018 becomes the year of HR data theft, make sure you are not the victim.

Reference:
[i] https://www.vox.com/policy-and-politics/2017/11/3/16602240/trump-twitter-account-disable-employee-last-day
