Sam is an HR director at a construction business and is in charge of a team of HR personnel. He is also responsible for maintaining employee records such as payroll records, social security numbers, and contact details.
One day, one of his team members, Tom, accidentally sends payroll record files to an unintended recipient, resulting in an HR data breach. Sam rushes to inform Cathy, the business owner.
Cathy is furious. She holds both Sam and Tom responsible for the breach, and both are asked to leave. When Cathy notifies the data protection authority, as the GDPR requires, her business is fined a hefty sum for lapses in HR data security.
So, what went wrong? Sam never put a proper framework in place to protect sensitive HR data, so a single misaddressed email became a reportable breach. As a result, he and Tom paid for that gap with their jobs.
The moral of the story: If your employee records aren’t secure, you’re sitting on a ticking time bomb—the consequences of which won’t be evident until a data breach hits you.
Breaches, and the compliance failures behind them, can result in crippling fines and a loss of customer trust. According to IBM's 2019 Cost of a Data Breach study, a data breach cost U.S.-based businesses an average of $8.19 million.
Why are businesses losing so much even when they know data protection is so important? We conducted an industry survey to understand the current HR data security practices. Shockingly, the survey revealed that awareness of employee data security as a serious issue is low, making a large number of businesses vulnerable to employee data breaches.
This article aims to equip you with essential knowledge on how to avoid an employee data breach. We’ll discuss the biggest employee data security mistakes that businesses make and provide you with an actionable framework to avoid them.
3 most-common mistakes leading to employee data breaches
1. Failure to recognize employee data security as a real threat
Our survey shows that about 55% of HR professionals don’t identify employee data security as a serious issue. If you want to ensure employee data security, the first step is to take data security seriously.
2. Inadequate training on data security
Our survey shows that about 41% of the businesses don’t train all HR personnel on data security. Further, we found that human errors persist because of the lack of three things: awareness, a data protection policy, and training.
3. Blind trust in HR software vendors
According to our survey, 46% of businesses don’t screen for data security features when buying HR software. Since your HR software vendor has access to sensitive data such as payroll records and social security numbers, it’s critical to carefully examine the security measures the vendor has in place to protect your company’s data.
Because of these complex challenges, securing employee data is not straightforward. You need to build a strong framework to ensure data security across your organization and HR team.
We’ve designed a five-step data security framework to help you minimize data security risks. We’ve also provided you with action items for each of these steps.
5-step data security framework
Step 1: Create a security awareness program
According to a Gartner report, “By 2023, organizations that implement specific and measurable security awareness programs will experience 75% fewer account takeover attacks than organizations that don’t.” (Full report available to Gartner clients.)
If your employees are unaware of the repercussions of a data breach, they aren't likely to take it seriously. This hurts your data security goals in two ways: employees who don't see the risk make more careless mistakes, and they become easy targets for phishing and other social-engineering attacks.
For this reason, the first step is to create an awareness program specific to your business needs:
- Conduct discussions among all HR stakeholders on data security. Ensure that all stakeholders are on the same page about the repercussions of data security breaches.
- Ask all HR managers to conduct meetings with their team members and discuss the impacts of data security in detail.
- Send a company-wide email to make HR personnel aware of the threats from data breaches. Communicate that serious action could be taken for negligence in handling employee data.
Step 2: Create a formal policy for data protection
Businesses need strong checks and balances to ensure data security. Not having a policy or using informal guidelines can make your business vulnerable to a data security breach. That’s the risk 34% of the businesses currently take by not implementing a formal data protection policy.
Having a formal policy works in two ways: While it informs key stakeholders about the do’s and don’ts of handling employee data, it also instills a sense of responsibility among employees to comply.
We recommend using the following approach for creating an employee data-protection policy:
- List all the potential areas of data security lapses from step one.
- Add to this list the data compliance requirements.
- Create a data protection policy encompassing each of these areas. For instance, if email attachments are a problem area, you can create an email policy that prohibits employees from opening attachments from non-business senders without the manager's approval. Given the misdirected-email scenario above, the same policy should also cover outbound handling: for example, payroll and other sensitive files are shared through the HR system's access-controlled links rather than sent as email attachments.
Step 3: Frequently train your employees
The human link is indeed the weakest link when it comes to implementing a data security policy. According to a Gartner study (full report available to Gartner clients), about 50% of employees are willing to exchange personal data for better offers and prices. This carefree attitude makes employee compliance the biggest challenge in implementing a data protection policy.
For this reason, it’s important to address the human factor of the data security situation. An effective way to do that is by creating a robust training program that provides your employees with actionable guidelines on how to avoid human errors or avert external attacks.
We recommend the following approach for creating a training plan:
- Create a training schedule for data security. Also, conduct ad-hoc training each time you make changes to an existing policy.
- Use business incidents and real-world examples whenever possible to explain the elements of the policy.
- Provide employees with a dedicated email address or portal to report concerns raised in the training. For instance, employees could forward external emails with attachments to seek advice on whether to open them.
Step 4: Screen HR software vendors thoroughly for data security compliance
As noted in the mistakes above, 46% of the businesses we surveyed don't screen their HR software vendors for data security compliance. Those businesses are placing blind faith in their vendor when it comes to data security.
This is a recipe for disaster, as incidents of breaches at software vendors are increasing. Take, for instance, the 2018 PageUp breach, which exposed the records of 2.6 million users across 190 different countries.
That’s why you should screen your software vendors thoroughly:
- Study all the HR data regulations that apply to your business. Our survey indicates extremely low awareness of data compliance: only 21% of HR professionals are aware of GDPR (General Data Protection Regulation) requirements, and just 16% are aware of the ECPA (Electronic Communications Privacy Act). Note that the GDPR applies whenever you process the personal data of people in the EU, including your own employees, regardless of where your business is headquartered.
- Ensure that the products you shortlist are compliant with all the HR data regulations that apply to your business. Ask for evidence, such as an independent audit report or certification, rather than relying on a compliance checkbox in the vendor's feature list.
- Go through service-level agreements (SLAs) and terms and conditions thoroughly before finalizing a vendor. Ensure that specific data security measures are spelled out in these documents, such as encryption of data at rest and in transit, breach notification timelines, and deletion of your data when the contract ends. Where the GDPR applies, the vendor must also sign a data processing agreement with you.
Step 5: Audit the third-party service providers you use
Helen Poitevin, VP Analyst HCM at Gartner, cites one of the biggest HR security troubles as “data transfers with third parties that manage outsourced services (like benefits or payroll or comp benchmarking services) and require sensitive information to be shared.”*
Your HR software vendor is not the only external party that has access to sensitive HR data. You may also be using other services that require you to share sensitive data, and, as Poitevin points out, this is one of the biggest threats surrounding HR data security.
Poitevin recalls her experience on this issue: “I have even heard of a BPO payroll provider sending over a payroll results file to the wrong client and not being too bothered about the fact that the wrong client was able to see all the payroll information down to very specific named individuals.”
For this reason, if you are using third-party services such as payroll and benefits, you need to look into their data security practices as well:
- Identify all the third-party services that require you to share sensitive HR data.
- Screen their SLAs and terms and conditions.
- If needed, audit these services to get clarity on how they manage your data, including how they transfer files to and from you and who on their side can access them.
Maintaining the 5-step framework for long-term use
Ensuring employee data security is not a one-time job, but a continuous practice. Once you’ve implemented the five-step framework, you need to revisit some of the steps regularly to ensure long-term data security.
- Revise your data security policy quarterly: Once you've drafted the policy, it's equally important to revise it regularly based on industry best practices and changes in the regulations that apply to you. According to our survey findings, only 19% of businesses revise their policy quarterly, which leaves the remaining 81% working from a policy that may have fallen behind current threats and requirements.
- Conduct frequent training: Since the human link is the weakest link in data security, it is important that you train your HR staff frequently. We recommend conducting these training sessions quarterly. Currently, only 21% of businesses conduct training sessions quarterly, which means that 79% of businesses need to train more often.
- Include data security training in employee onboarding: Induction training is a great platform for informing employees about the data protection policy before they start working with HR data.
In September 2019, GetApp used Amazon Mechanical Turk to survey 158 HR professionals and business owners. Respondents had to live in North America and be self-employed, employed part-time, or employed full-time to take the survey. Respondents also had to work in a business that is headquartered in the U.S. or Europe, and they worked in human resources or in strategic planning and management, or were the business owner.
*We contacted Helen Poitevin, VP Analyst HCM at Gartner to understand her perspective on employee data security. This quote is excerpted from the discussion on Sept. 6, 2019.