When hackers broke into Sony Pictures' network, harvested data for two months and then leaked much of that data in November 2014, they ushered in a new era in which HR departments find themselves in the crosshairs of a global problem: inadequate HR data protection.
Much of the data released included confidential details (such as names, addresses and Social Security numbers) about Sony employees, and the aftermath led to a class-action suit filed by the employees, resulting in a multimillion-dollar settlement. The case provided a compelling reason for businesses to treat HR data more than ever as a valuable asset that must be secured as vigilantly as customer data, financial information and intellectual property. It also served as notice of the financial exposure they could face if they didn't.
But that presented a question that continues to vex companies: How do you protect a pool of data that IT security hasn't traditionally worried much about, that constantly changes, that is accessed by many and that is increasingly stored in cloud-based systems?
One apparent answer: not by expecting HR teams to secure that data -- at least not yet.
Who's responsible for HR data protection?
"There's no significant training that I'm aware of for HR people to get smart about data security," said John Sumser, principal analyst and editor-in-chief of HRExaminer.
Worse, Sumser said, "The level and complexity of the data that needs to be protected is exploding, and people don't necessarily understand what it is."
For instance, it's much more common today for HR to store credit report data about employees -- an example of what Sumser refers to as "radioactive data" -- for many reasons, such as ensuring that employees with poor credit histories aren't put in charge of large amounts of cash. Add that to a list of data types that includes Social Security numbers, income histories, direct deposit banking information and more mundane personal data, like addresses, phone numbers and family details, and you have a perfect storm for bad guys looking for data they can sell.
"HR has some of the most valuable information in any organization, and it can be readily sold without much manipulation," said Kate Bischoff, an independent employment attorney and HR consultant in Minneapolis.
For that reason, HR leaders have to move HR data protection and security up their priority lists, because if they don't, who will?
"It has become HR's job to protect this information and to be cognizant of the risks," Bischoff said. "This has never been a strong suit for them. This is a different set of skills they've never had to have before."
That's largely because they haven't had the bandwidth. HR leaders are typically overwhelmed by a constant flow of ever-changing demands, from onboarding employees and managing benefits to ensuring a safe working environment and monitoring employee engagement. Even with heavy regulatory burdens to comply with, such as those related to the Health Insurance Portability and Accountability Act in the U.S. or Europe's pending General Data Protection Regulation, security concerns simply haven't been top of mind, but experts like Sumser and Bischoff believe that needs to change.
Better engagement could pay unexpected benefits
As it turns out, employee engagement is a huge part of the solution to HR data protection issues. Sumser pointed out that the effectiveness of an organization's cybersecurity often comes down to the human element, and when you get right down to it, employee behavior is, not surprisingly, a reflection of the way employees are treated.
"If management is hyper-mercenary and is characterized by executives that make momentary passes through the organization in order to collect a check, employees will approach things the same way," Sumser said. "They will do things that treat the company more shabbily than if they think of it as a sacred relationship of some kind."
In other words, if employees who have access to HR systems don't feel good about their jobs, they're more likely to be slipshod in adhering to security protocol or perhaps even be more likely to act with ill intent. Sumser believes that investing in making sure that employees are satisfied with their jobs and feel tied to the organization is the most important strategy for maintaining the security of HR data.
If that is really the case, then American companies have a potential crisis on their hands. A recent Gallup poll found that 70% of American workers are not engaged, and 51% are either actively looking for new jobs or watching for openings. And what happens when employees aren't engaged? They stop caring about the well-being of their employer, as evidenced by a 2016 study that found that more than a quarter of U.S. office workers would sell their passwords, some for as little as $100.
Most trends support these findings, suggesting that employee engagement is more elusive than ever. Sumser said factors such as shorter employee attention spans, organizational bloat and ever-shortening tenures are conspiring to erode the ties between employees and employer. Even more disturbing is the fact that, as companies grow and their processes become increasingly repetitive, the skill levels they need are lowered, thereby squelching employee plans for career advancement.
On the other hand, the employee engagement surveys companies conduct today can help by giving them insight into which employees are the greatest flight risks. Knowing this can help an organization identify which employees are most likely to present a security risk, enabling it to take proactive action.
Efforts to get ahead of the problem aside, there is a reason to be encouraged about the current state of HR data protection. Paul Hamerman, vice president and principal analyst at Forrester Research, said the fact that so many HR systems have moved to the cloud has actually provided many of the technological safeguards that previously weren't in place.
"On-premises systems are potentially more vulnerable to employee data loss than cloud systems and HR service providers," Hamerman said. "Commercial-grade cloud and outsourcing services in the HR realm tend to far exceed the security and reliability measures that individual companies are able to put in place in their own data centers."
That said, the current state of cloud security is not enough for HR executives to hang their hats on, because if the data is compromised, the C-suite and board of directors won't hold cloud vendors responsible. Instead, the blame will fall to HR, and that's a reality HR leaders need to take seriously.
"HR leadership has an important responsibility to protect the security, integrity and privacy of sensitive personal data related to employees, job candidates and contractors and to comply with increasing regulation of data privacy, domestically and abroad," Hamerman said.
To satisfy that responsibility, however, HR organizations must put better controls in place if they want to avoid becoming the next Sony.
Said Bischoff: "We need to make sure we know who has access to this data and how we're governing that access."