In our increasingly data-driven workplaces, an interesting partnership has emerged to prevent and minimize the impact of a data breach: human resources and IT. By working with security, privacy, risk and compliance teams, HR and IT departments can support the core principles needed to combat the threat of data breaches. It's only logical that the two would team up. As I've said before, security and privacy should be everyone's job. And in the case of HR, one of its biggest responsibilities is collecting and storing a lot of sensitive employee data, so partnering with IT to ensure that data's safety only makes sense.
Establishing a good program starts with ongoing education of your employees. In the absence of security education or experienced people (including employees, users and customers), the risk of making poor security decisions with technology increases. Because that risk cannot be trained away entirely, your internal and external systems also need to be easy to use when they're secure and difficult to use when security controls are lacking. Training and education surrounding data security cannot be a one-time or annual course: it must pervade the culture of your company.
Once the right educational efforts are in place concerning security, privacy, risk and compliance, HR and IT can consider several areas to support a “risk-based approach” to protecting your organization.
Understand What You Need to Protect
Many companies worry about “dark data,” data that exists across various enterprise systems and may not be properly managed. This can include file shares, SharePoint, social systems or other collaboration systems and networks. To set the appropriate levels of data protection, organizations need a clear understanding of what this data is, where it lives and how to classify it. For example, many companies apply security controls in broad terms, using the same security procedures for all data. But pictures from a company picnic shouldn't have the same protocols as those protecting an organization’s critical infrastructure design, customer credit card data or employee benefits information.
To determine — and safeguard — your organization’s crown jewels, ask yourself the following questions:
- What kind of data is your organization trying to protect and from whom?
- What are the systems used within your organization, as well as those used with partners, vendors and customers? Which of these systems hold protected data — protected or governed by law, regulations or contractual requirements?
- How will data be stored in and flow through these systems, so the appropriate security controls can be applied?
- How will your organization prevent sensitive data from being stored in the wrong place?
Upon answering these questions, HR and IT can work together to identify and catalog data that needs to be protected.
Establish Role-Based Access
After identifying the data your organization holds and making decisions about where it should live, it’s time to consider who can access it and how it needs to be protected. As a rule, employees should have the least amount of access or privilege needed to do their job. With data that is sensitive in nature, such as personally identifiable information or protected health information, limited and appropriate access remains critically important. The right identity and access management is a necessary part of preventing data loss. User-based controls can also be layered in to support data-centric audit and protection (DCAP), a holistic, data-centric approach to security that applies an organization’s data privacy measures to specific pieces of data.
Organizations must remain vigilant in monitoring roles within the company and the data access that accompanies those job functions. Both HR and IT play a critical role in ensuring employees are not intentionally or inadvertently provided with “too much” data access. Unfortunately, overburdened IT administrators may default to the opposite approach, granting access that has not been approved or is not needed in order to avoid sinking under excessive and sometimes impossible workloads. Keep an eye on this to make sure HR and IT are on the same page about the user-based controls granted to each employee.
Actively Monitor Data Access
On any given day, employees begin or end their employment at a company. When employees leave their role, HR and IT must act quickly to ensure all of their access is managed effectively up to the moment they leave the company. While it’s hard to say how common it is for exiting employees to retain access to their workstations, there are significant risks in allowing them to do so without supervision. Some companies immediately terminate access for exiting employees, while others provide supervised access to data and work environments as employees transition out of the organization. At a minimum, organizations should consider the following:
- Enforcing a policy that states that when an employee is exiting their job, any data they are removing is reviewed and approved before they go.
- Enforcing a policy that states that once an employee is exiting a job, their access to systems holding customer data is limited and supervised.
HR and IT should have oversight of employees' permissions to sensitive data, as discussed above. Remember the case of the FDIC, when an employee accidentally exposed the data of 44,000 customers? Intentional or unintentional, breaches caused by employee behavior are the easiest to prevent and solve.
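One way to put the two offboarding policies above into a routine review, as an added example that is not code from the article: HR's roster (who is exiting, and their last day) is joined with IT's inventory of customer-data systems and a constructed access log, and the script flags the exiting-employee activity the policies call out. The log format, roster shape and field names are assumptions for the example.

```python
"""Offboarding access review (added example, not the article's code).
Joins an HR roster with an IT system inventory and an access log and flags
exiting-employee activity the article says should be limited and supervised."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: user -> (status, last day). HR owns this record.
ROSTER = {
    "alice": ("active", None),
    "bob": ("exiting", date(2024, 5, 31)),
    "carol": ("exiting", date(2024, 6, 14)),
}
# Constructed IT inventory of systems that hold customer data. IT owns this.
CUSTOMER_DATA_SYSTEMS = {"crm", "billing"}

@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    reason: str

def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value key=value ...' access log line."""
    return dict(field.split("=", 1) for field in line.split())

def review_access(log_lines, roster=ROSTER, customer_systems=CUSTOMER_DATA_SYSTEMS):
    """Return findings for exiting employees only; active staff are a separate review."""
    findings = []
    for line in log_lines:
        ev = parse_event(line)
        status, last_day = roster.get(ev["user"], ("unknown", None))
        if status != "exiting":
            continue
        if date.fromisoformat(ev["ts"][:10]) > last_day:  # account should already be disabled
            findings.append(Finding(ev["user"], ev["system"], "access after last day: account not disabled"))
        if ev["system"] in customer_systems and ev.get("supervisor", "none") == "none":
            findings.append(Finding(ev["user"], ev["system"], "unsupervised access to customer data"))
        if ev["action"] == "export" and ev.get("reviewed") != "yes":
            findings.append(Finding(ev["user"], ev["system"], "data removal not reviewed before departure"))
    return findings

SAMPLE_LOG = [  # constructed access log lines
    "ts=2024-05-20T09:01Z user=alice system=crm action=read supervisor=none",
    "ts=2024-05-20T09:05Z user=bob system=crm action=read supervisor=none",
    "ts=2024-05-20T09:07Z user=bob system=wiki action=export reviewed=no",
    "ts=2024-05-21T08:30Z user=carol system=billing action=read supervisor=dave",
    "ts=2024-05-21T08:35Z user=carol system=fileshare action=export reviewed=yes",
    "ts=2024-06-03T10:00Z user=bob system=crm action=read supervisor=dave",
]
if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG):
        print(f"{f.user} on {f.system}: {f.reason}")
```

Alice's unsupervised read and Carol's supervised read and reviewed export produce no findings; only Bob's three events are flagged.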
Implement Sensible Controls
The right security controls should make it easier for people to do the right thing rather than the wrong thing with data. Data without controls can create operational, privacy and security gaps that put company assets at risk. It can also create unintended consequences and increase the potential for inadvertent or unauthorized disclosure of sensitive information. Make sure that controls are built and centered around the data they are intended to protect.
One of the key drivers of shadow IT, meaning any IT-based systems used without organizational knowledge and approval, is that the approved corporate systems are too difficult and cumbersome to use. Employees flock to their own personal storage systems as a result. HR and IT share the responsibility to avoid this fundamental mistake and instead make it easier for people to use corporate systems with the proper controls. Limiting the availability of (and the need for) shadow IT is a major component of bolstering security and data protection while reducing risk.
To encourage business users to do the right thing when it comes to adhering to established corporate data policies, HR and IT departments can work together to:
- Make it easy and attractive for employees to use approved company systems to do their jobs, but also trust and verify that employees are doing so.
- Consider enforcing a policy that requires all “company” data to be scanned, tagged and classified, so it cannot be intermingled with personal data or inadvertently removed from a company system by a departing employee.
By consistently tagging and classifying corporate data, organizations can effectively layer in other security and data protection controls, such as those that direct and contain data within appropriate systems or enforce identity and access management controls.
Data Security Is Everyone's Job
Preventing data breaches is an important job — but it can’t be done alone. Both HR and IT have a job to do when it comes to establishing and maintaining successful security, privacy and compliance initiatives. Effective and lasting data protection centers around understanding data, determining its appropriate containers and then layering in protection to that data.