When it comes to personally identifiable information, HR is sitting on a gold mine. Hackers know this, but they don't see a lot of PII security -- and that disconnect poses a clear risk.
By definition, all HR organizations must have access to and then retain a certain amount of PII, an amount that has grown over the years. Appropriately protecting all this data is a job for which HR is ill-equipped.
"In general, HR is not well-trained for security," said Torsten George, vice president at RiskSense Inc., a cyber-risk management firm based in Albuquerque, N.M. HR staff "know how to run background checks on employees, but they are lacking the necessary skills on the treatment of information, and that creates huge problems." In a more perfect world, George noted, HR would be the advocates for protecting PII and would perhaps even be responsible for training employees in handling PII. Instead, he said, the HR department is often the target of phishing attacks seeking PII.
PII security means more than just data protection
In general, enterprises still focus mostly on securing the corporate network, a worthy goal but one where 100% success is deemed unlikely by George and many other security professionals. There are simply too many ways in which network security can be compromised, one of the most potent being phishing attacks, where the loss of one person's network password can provide access to mountains of corporate data. Meanwhile, not enough time and focus goes to protecting the most critical data, including PII, which needs different security measures. "I don't care if hackers surf around my network, as long as they can't get the data I care about," he said.
There are no magic bullets. Building the safeguards to protect PII requires multiple steps and interlocking efforts. One of the best steps is to establish policies and procedures on what is considered acceptable use. "It is vital to write down a definition of PII for an organization that discusses how to prioritize protection of PII," George said. Then, once you have created that policy, you need to start driving awareness and implementing training. Beyond that, organizations need to know where PII is located, which departments have it and which kinds of PII they hold. The companies that are most successful at protecting PII are the ones that put a lot of emphasis on awareness, he added.
As an example, George points to a Japanese biotech firm where the security team tests vulnerabilities by running mock phishing attacks within the company. If employees open an attachment from one of these mock attacks, their screen turns red and they are told they are in violation of company policies. "If it happens three times within a certain time period, they are cited by HR and sent to the security team to undergo more extensive training," said George.
"Companies usually find that when they invest in awareness training and cultural change, it is really the most cost-effective way to improve security of PII," he added.
Create a robust PII security strategy
With the growing number of privacy mandates and concerns, George said HR organizations should also ask whether all types of collected information are truly necessary. "If you minimize the handling of that information, particularly items that allow someone to correlate different types of information and make it identifiable, you are reducing your vulnerability," he said.
Many companies have encryption as almost their sole defense for PII, according to George. This is something that should invite further review by decision-makers. "The technology has improved and there is now less latency, but the data still needs to be encrypted while it is being used, at rest and in motion; and each of those states of data can require different kinds of protection strategies and techniques," he said. "There are data loss prevention and threat prevention methods that can help, but you have to have an overall plan." You can't have silos; you need a strategy that looks at the handoffs between these states, he added.
Building more security into HR is a good step forward for protecting PII, but it's not the end. "The only way to fully ensure corporate and staff security is to monitor all systems storing PII, and routinely run penetration tests against them," said Mike Baker, founder and principal at Mosaic451, a cybersecurity service provider and consultancy based in Phoenix, Ariz. For example, he noted, if an organization's payroll data is not sufficiently secure, it is not a question of if but when hackers will breach it. And that extends to outside and cloud providers. "HR organizations that are using sites that provide W-2s or other sensitive information online should take proactive steps to protect their employees from tax fraud," he said.
Among the steps he suggests are:
- Generate random PINs or passwords that are strong and are not based on employees' personal information.
- Deliver login credentials to employees via postal mail or put them in sealed envelopes and hand them out in person at the workplace. Never send them through email.
- Never post online portal links on public websites.
- Configure the online portal so that as soon as employees log in for the first time, the system requires that they change their PIN or password, and that the new one has strong security.
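The credential-issuance steps above, as an added example that is not code from the article or from Mosaic451: a cryptographically random temporary PIN (delivered offline, per the steps above) that is rejected and regenerated if it shares a four-digit run or a name token with the employee's own record, a portal-side record that stores only a salted hash of the secret, and a forced change on first login that applies the same PII check and a strength check to the replacement password. The employee record, the PIN length and the PBKDF2 parameters are assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
import string
from dataclasses import dataclass

# Constructed sample employee record (not real data). A portal would pull
# these fields from the HR system to check that a credential is not derived
# from the employee's own PII.
SAMPLE_EMPLOYEE = {
    "name": "Jane Doe",
    "birth_date": "1987-03-14",
    "phone": "602-555-0147",
    "ssn_last4": "2291",
}

PIN_LENGTH = 8          # assumed temporary-PIN length
PASSWORD_LENGTH = 16    # assumed generated-password length
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the deployment


def pii_fragments(employee: dict, min_len: int = 4) -> set:
    """Digit runs (>= min_len) and name tokens that a credential must not contain."""
    frags = set()
    for value in employee.values():
        digits = re.sub(r"\D", "", value)
        for i in range(len(digits) - min_len + 1):
            for j in range(i + min_len, len(digits) + 1):
                frags.add(digits[i:j])
        for tok in re.findall(r"[A-Za-z]{3,}", value):
            frags.add(tok.lower())
    return frags


def derived_from_pii(credential: str, employee: dict) -> bool:
    """True if the credential embeds any fragment of the employee's PII."""
    cred = credential.lower()
    return any(frag in cred for frag in pii_fragments(employee))


def is_strong(pw: str, min_len: int = 12) -> bool:
    """Length plus at least three of four character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= 3


def generate_pin(employee: dict, length: int = PIN_LENGTH) -> str:
    """Random numeric PIN from the CSPRNG; regenerated if it is PII-derived
    or a trivial repeating pattern (e.g. 11111111, 12121212)."""
    while True:
        pin = "".join(secrets.choice(string.digits) for _ in range(length))
        if derived_from_pii(pin, employee) or len(set(pin)) < 3:
            continue
        return pin


def generate_password(employee: dict, length: int = PASSWORD_LENGTH) -> str:
    """Random password from the CSPRNG that passes both checks."""
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if is_strong(pw) and not derived_from_pii(pw, employee):
            return pw


@dataclass
class CredentialRecord:
    salt: bytes
    digest: bytes
    must_change: bool = True  # set on provisioning, cleared on first change


def hash_credential(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def provision(employee: dict) -> tuple[str, CredentialRecord]:
    """Issue a temporary PIN for offline delivery; only its salted hash is stored."""
    pin = generate_pin(employee)
    salt = secrets.token_bytes(16)
    return pin, CredentialRecord(salt=salt, digest=hash_credential(pin, salt))


def verify(record: CredentialRecord, supplied: str) -> bool:
    """Constant-time comparison of the supplied secret against the stored hash."""
    return hmac.compare_digest(record.digest, hash_credential(supplied, record.salt))


def first_login_change(record: CredentialRecord, employee: dict,
                       temp_secret: str, new_password: str) -> bool:
    """Forced change on first login: the temporary secret must verify, and the
    replacement must differ from it, be strong and not be PII-derived."""
    if not record.must_change or not verify(record, temp_secret):
        return False
    if (new_password == temp_secret or not is_strong(new_password)
            or derived_from_pii(new_password, employee)):
        return False
    record.salt = secrets.token_bytes(16)
    record.digest = hash_credential(new_password, record.salt)
    record.must_change = False
    return True
```

The PII check is deliberately substring-based on digit runs and name tokens rather than an exact match, because the weak credentials that tax-fraud attackers guess first (birth year, last four of the SSN, a surname plus digits) are partial copies of the record, not the whole value.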
To make it all work smoothly, "you should have security personnel on site who can help employees with lost PINs and other login problems," Baker said.
One potentially overlooked PII security risk to guard against is employees taking a careless attitude with devices. Mehboob Alam, a consultant who was formerly a technical architect at the Icahn School of Medicine at Mount Sinai Hospital in New York City, has been involved in both enterprise and healthcare environments. He said that an all-too-common problem arises when people in HR need to conduct work and are tempted to download HR information onto a laptop or USB device. "Then [that sensitive PII] either gets lost or perhaps [the employees] are using it at home and get hit with ransomware."