HR data has become an attractive bounty in recent years. With an emerging black market drawing hackers looking to sell swaths of personally identifiable information pilfered from HR systems, many companies have struggled to keep pace with the growing demands for HR data protection.
But YRC Worldwide Inc. is a step ahead. The freight shipping holding company, based in Overland Park, Kan., has seen two primary changes in how it manages its HR data. First, it moved data into the cloud last year -- shifting the bulk of day-to-day security responsibility to its vendor. Second, it adapted to the changing rules dictating how long to retain data and how best to save it.
In fact, YRC CIO Jason Ringgenberg believes that HR data itself hasn't changed anywhere near as much as people's sensitivity to the risks surrounding that data.
"Because of what they read in the newspapers, people are more concerned about their personally identifiable information," Ringgenberg said. "Part of it is the fear of the unknown."
Employee engagement key to HR data protection strategy
Like any smart CIO, Ringgenberg is able to use that anxiety to benefit YRC by ensuring that employees get a consistent message that security is an important and constant consideration.
YRC has a pretty aggressive strategy: Security responsibilities are specified in its code of conduct and new employee orientation paperwork, and are also the subject of periodic updates, ongoing employee education programs and occasional campaigns. Employees are trained on everything from establishing strong passwords to identifying crypto blockers and phishing attacks. The company also conducts surprise tests designed to verify that security protocols are being followed.
YRC's commitment to adequately training and communicating with its employees has been met with cooperation. The lingering memories of breaches at companies such as Sony Pictures Entertainment, Target, Home Depot and, most recently, Equifax certainly don't hurt.
"People are very aware of the risks," Ringgenberg said. "And I think they are very willing to accept the tests."
One of the messages employees at YRC and beyond are getting is that they -- more than any technological failings in a company's security setup -- are the most frequent cause of data breaches, whether it's due to sloppiness, inattention or intentional malice. As a result, Ringgenberg said that employee engagement is one of the key preventative measures available to companies, and that's what every expert he's spoken with on this topic believes.
"We need to continually educate employees about the security of their data, and of our data," Ringgenberg said.
Cloud-based security aids HR data protection
This is not to say that technology doesn't help to support that effort. For instance, with phishing having emerged as one of the main methods for getting employees to unwittingly expose corporate data, YRC has been experimenting with cloud-based security tools, such as one that uses artificial intelligence to identify suspicious email solicitations and learn from each new attack attempt.
Plus, YRC had to flex its security responsibilities since its move to the cloud. Those responsibilities now fall upon three groups: the company's HR department, which manages data access controls and permissions; IT, which puts policies and procedures in place and ensures that vendors' security measures are up to snuff; and its cloud providers, who provide and manage all the primary day-to-day defense mechanisms that used to fall under IT security.
In the case of HR data protection, the vendor in question is Oracle, and with its recent announcement of a self-driving, autonomous database, the security around that data figures to get a serious push. It's a development that only emboldens Ringgenberg's already bullish stance about cloud security.
For Ringgenberg, refusing to move to the cloud because of security concerns amounts to saying, "I'm more secure than Oracle; I'm more secure than Amazon."
"Who's going to patch stuff faster than Oracle?" Ringgenberg asked.
Meanwhile, the evolving rules around how data is kept and retained have forced Ringgenberg to hold vendors' feet to the fire about how service-level agreements are worded. More than anything, he wants to know how long it takes for a vendor to purge unwanted data, and whether encryption is being applied or not. His preference is for data to be encrypted as much as possible.
For those companies who consider it too much of a leap of faith to place HR data protection in the hands of a cloud provider, Ringgenberg believes they are trying to avoid the inevitable. They can only hold out so long, and it's only a matter of time before all support of on-premises applications dries up completely.
The dirty secret of moving to the cloud, Ringgenberg added, is that it doesn't really change the security strategy. Organizations still need governance, user training, regular patches, encryption and all the tried-and-true security measures. The big difference, he said, is that they have security-conscious partners to ensure every contingency is addressed.
"You have to do all of those things or you have to make sure those things are done," Ringgenberg said. "You need to stay continuously on top of it."
And when it comes to the private information of an organization's employees, the stakes have never been higher.