
HR leaders need to rethink their HR data protection strategy

Most HR leaders have yet to make HR data protection their top priority but experts insist securing HR data remains a company's responsibility first, then the vendor's.

HR software provider ADP LLC maintains a security alert page on its website where it posts information on threats it believes customers should know about.

Why does an HR provider feel the need to keep its clients up to date on HR data protection or security issues? Because HR data has become a hot commodity on the dark web, where personally identifiable information can fetch healthy sums for the bad guys.

"HR departments and human capital management groups are starting to understand the level of criticality of the information they have," said Roland Cloutier, ADP's chief security officer.

During its fiscal year, which concluded on June 30, ADP experienced an eye-popping 230% increase in the number of questions clients posed about its data protection policy. What's more, while such inquiries used to come exclusively from large customers, Cloutier said, they now come from customers with fewer than 25 employees.

With that backdrop, it's no surprise that ADP employs more than 400 security and privacy practitioners around the world, 14 of whom work exclusively on finding the right answers to those questions. As a result, the company has become a source of cybersecurity information for an industry that has only recently found itself in the crosshairs of the business world's growing security concerns.

"Even competitors go to our website so they know what problems are out there and how to deal with them," Cloutier said.

HR data protection begins with the company

But there's only so much ADP, or any HR vendor, can do. The bulk of the responsibility for HR data protection lies with the companies housing that data. Then again, it's hard to tackle a problem when you have no one trained to do so.

"I'm unaware of a company that focuses on the security elements of the HR department," said John Sumser, editor in chief and principal analyst at HR Examiner.

The fact that most companies haven't identified HR data security as a priority is something HR leaders need to rethink.

"This is a ball that's been hit to HR's part of the outfield," he said, "and they need to catch it and play it."

While securing any data requires security basics, such as patching, authentication, logging and auditing, HR experts such as Cloutier and Sumser stress due diligence on top of those basics. Cloutier recommends that companies start by taking stock of what HR data they have and where it goes.

For instance, many companies are storing millions of instances of credit card information they didn't even know they had. Hidden data pools like that can be surfaced by running data leakage prevention (DLP) and grid scanning software designed to discover them.

Once a company is familiar with the types of data it's storing, it should perform some data flow mapping analysis to better understand how that data moves through each business process. Where does it start? What systems does it touch? Where does the data end up? And what protections are in place to secure it during transit?
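The discovery step described above, as an added example that is not ADP's tooling or code from the article: a small Python scanner that looks for card-number candidates in text records, keeps only the ones that pass the Luhn checksum real card numbers satisfy, and reports them masked so the scan report does not become one more copy of the data it found. The file names and record contents are constructed sample data; the two valid numbers are well-known test card numbers.

```python
"""Minimal data-discovery scanner for card numbers (PANs).

Walks text records, finds digit runs that look like card numbers,
keeps only candidates that pass the Luhn check, and reports a masked
form so the scan report itself does not become another data pool.
"""
import re

# Digit runs of 13-19 digits, optionally separated by spaces or dashes,
# not glued to other letters or digits.
PAN_CANDIDATE = re.compile(r"(?<![\dA-Za-z])(?:\d[ -]?){12,18}\d(?![\dA-Za-z])")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked card numbers found in text that pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_records(records: dict) -> dict:
    """Map record name -> masked hits; records without hits are omitted."""
    hits = {}
    for name, body in records.items():
        pans = find_pans(body)
        if pans:
            hits[name] = pans
    return hits


# Constructed sample records standing in for exported HR/expense data
# (hypothetical file names and contents, not real data).
# 4111111111111111 and 5500000000000004 are published test numbers and
# pass Luhn; 4111111111111112 fails Luhn; the employee IDs are 9 digits.
SAMPLE_RECORDS = {
    "expense_export.csv": "emp=000123456,card=4111 1111 1111 1111,amount=42.10",
    "onboarding_notes.txt": "Corporate card issued: 5500-0000-0000-0004 for travel",
    "payroll_log.txt": "ref 4111111111111112 rejected; employee 123456789 ok",
}

if __name__ == "__main__":
    for name, pans in scan_records(SAMPLE_RECORDS).items():
        print(name, pans)
```

Luhn is a checksum, not proof: roughly one in ten random digit runs of the right length passes it, so treat hits as leads to verify against the record's context rather than as a final count. The masking is deliberate; a discovery tool that writes full card numbers into its own report has just created the kind of hidden data pool it was meant to find.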

Vendor security is crucial to securing HR data in the cloud

Along those lines, ADP hosts a security council a couple of times a year, inviting customers to come and share their best practices and get feedback from ADP on what does or doesn't work.

One example of how ADP does things: Cloutier said the company has a team of 24 people whose job is to vet the security of every vendor with whom it does business.

"I will not allow you to be a vendor for my company unless you have your security together," Cloutier said.


Vendor security is a particularly large consideration in HR, which has adopted the cloud more aggressively than most other business functions, entrusting HR data to third parties. Kate Bischoff, a Minneapolis-based employment attorney and HR consultant, recommends putting vendors through the same kind of vetting process to which ADP subjects its own vendors.

Getting answers about security protocols, recent audits, past breaches and whether a vendor has cybersecurity insurance can go a long way toward providing companies with peace of mind. Conversely, the less forthcoming vendors are in their answers, the more red flags should arise in an HR executive's mind.

"Pick [a vendor] that can answer questions and doesn't hide behind legal mumbo jumbo," Cloutier advised.

Employee education goes a long way in HR data protection

As important as vendor security is, Sumser believes that a company's own employees are the biggest threat to HR data. Sumser, Cloutier and Bischoff agree that training workers about data protection and security protocols is well worth the investment of time and money.

Cloutier believes organizations need to set the tone from the top by establishing clear guidelines and expectations, and then training employees on how to adhere to them.

"They're not security professionals," he said. "They need to be instructed."

Bischoff suggests getting employees to consider such things as how data moves around the organization, what potential risks it presents and what their responsibilities as employees are.

It is critical that employees understand how the rules of engagement with HR data have changed, and thus, so have their HR data protection responsibilities, Sumser said.

"Data that didn't use to be available to employees is now available, but it may or may not be appropriate to share it with the rest of the world," he added.

And the changes will just keep coming. The internet of things is one example of technological innovation that's pushing this frontier even further. Increasingly, HR departments -- ADP's included -- are turning to software bots that automate HR processes, thereby adding a complication to the security mission.

At ADP, the bot is called Hello Work, and it enables employees to do things such as reschedule meetings or request time off with a simple voice command. Behind the scenes, the bot then interacts with multiple systems to complete the task.

While such automated tools promise to impact workers in positive ways, Cloutier cautions, "it's going to take a lot of security to ensure we do it right."

Ironically, Cloutier cites trust as one of the core values that leads to strong security of HR data. Having spent 27 years in law enforcement and corporate security, he has had plenty of reason to mistrust people. Even so, his approach to security starts with his faith in people to make good choices.

"I actually believe that the majority of the world is good people," Cloutier said. "They want to do the right thing."

But just in case, a few pesky little precautions can't hurt.
