The Intralinks HR Security Series is a monthly blog series authored by Michal Kimeldorfer, Executive Vice President of Human Resources at Intralinks, created to inform HR professionals about the importance of information security when handling confidential files and provide best practices for secure collaboration.
The Human Resources (HR) department should be at the center of any strategic corporate decision. Hiring a top-level executive, reorganizing a department or acquiring a competitor all require input from HR and its various sub-departments, such as talent acquisition, compensation & benefits and HR business partners.
When a company is engaged in these types of strategic activities, the information shared is mission-critical for the future of the business — and, in major corporations, can lead to market-moving outcomes. Making sure that information stays safe is paramount.
HR Information Vigilantes
Each HR professional — and, in fact, the department as a whole — is in a precarious position. They must not only protect highly sensitive information but also use it on a day-to-day basis to get their jobs done. Twenty years ago, everything was paper-based and kept under lock and key. Strict, arduous policies were put in place. The only people with the key to the lock would be the HR executive and an appointed record keeper. But those days are long gone. (Thankfully… What the heck did they do when the record keeper called in sick?)
In the digital age, that type of system just doesn’t fly. To operate at the speed of business, HR information has to flow freely to get the right talent in place, meet business partner deadlines and keep the compensation metrics project on track.
What’s more, not only do HR personnel have to protect the company’s high-level strategic plans, but they also need to protect the granular personal information of every prospect, employee, contractor and former employee that has ever interfaced with the company.
So who’s responsible for making sure that the company’s secrets are safe?
The average HR team uses a technology stack of internal and external solutions. The company shared drive, performance systems like SuccessFactors® and Workday®, benefits and payroll systems, and 401K & ESOP administrators all house sensitive information. But who is responsible for keeping it secure? Is it your service provider? Is it your IT department? An even better question… should either of these groups even have access to that information?
In the unfortunate occurrence of a data leak, the company that owns the data — and by extension the personnel who handle that data — will bear the responsibility and expense associated with a breach. Identity thieves have already hit major HR service provider companies. Among many others in similar situations, payroll giant ADP reported a breach in May 2016 that exposed the W-2 information of the employees of some of its clients. In September 2015, Excellus BlueCross BlueShield reported a data breach that affected 10.5M customers.
How is HR supposed to protect the data?
If you look at the trending data, the betting man will say that data loss is not a question of “if” — it’s a question of “when.” So you need to prepare. The best course of action is to create a four-prong, proactive approach that consists of technology, education, network and the removal of temptation.
I’ll outline each of these prongs in my next post.