Yes, it's necessary that an organization takes precautionary steps to prevent hackers and disgruntled employees from breaching data within its intranet. It must ensure that private information is kept secure, and that unauthorized access to electronic documents or files doesn't take place.
You have to deal with viruses and other assorted headaches. Then there are also less obvious threats, like unofficial applications -- including games -- that can corrupt or destroy data; keeping confidential or sensitive information-from trade secrets to business plans-from being mistakenly or inadvertently displayed online; and improperly designed firewalls that don't lock out those pesky potential hackers. Without proper version controls and backups, it's also possible for employees to overwrite or destroy key documents.
Unfortunately, ignorance isn't bliss when it comes to online security. Andy Maxwell, a Washington, D.C.-based intranet consultant for Watson Wyatt Worldwide, explains: "Human resources and finance are the two divisions of a company in which the data touches every employee. Any mistake or lapse in security can be absolutely fatal [for the business]."
John Kelly, a security expert with SCT Corp., a business applications software company in San Diego, adds: "The typical HR professional has long delegated intranet security policy to IT. Today, that's a huge mistake. The economic and legal risk is enormous-particularly if medical claim records or dependent information is revealed."
Here are 10 ways HR can play its part in protecting data that is available through an intranet:
- Consider using a PIN or password-based system to prevent unauthorized access to files. Although the use of an employee ID and password isn't the most secure method for authenticating a user (see "Getting to Greater Intranet Efficiency," page 72), it's a good balance of convenience and security. A single log-on procedure with appropriate restrictions on access can simplify processes and eliminate the need for employees to maintain multiple passwords, says Giuseppe Cimmino, manager of The Source Online, MCI Corp.'s HR intranet site.
- Use digital signatures to authenticate a person's identity. It's a technology that's evolving rapidly, but it's far enough along to pay dividends today. Digital signature/certificate technology makes it possible to verify that a person is exactly who he or she says he or she is.
- Confirm transactions to ensure they are valid. "Whenever any personal data is changed through an electronic system, the person originating the transaction should confirm it," says Kelly. That means sending a letter or e-mail in response to the employee or manager's request, ensuring that the transaction is legitimate and that changes have been recorded. Sending out a confirmation also offers an added bonus: "The person can review the information to make sure it's accurate," he points out.
- Know what data resides on your intranet. According to Steven L. Telleen-director of strategy and business at Santa Clara, California-based Intranet Partners, and the creator of the term intranet-as much as 30 percent of a company's online content is made up of "unofficial applications and information."
- Establish manager controls. Although it's possible to achieve impressive results using advanced intranet functionality, the more sophisticated the capabilities, the more security becomes an issue. For example, managers might suddenly have access to sensitive or unneeded data, such as an employee's ethnicity or marital status. That information could be used-or perceived as the basis-for making decisions about terminations and promotions. As a result, it's essential to consider what data different managers need, and then establish controls to limit access to the appropriate level.
- Establish access controls and other physical controls. Sometimes, the most obvious threat is the least considered. When one large supermarket chain in Southern California found a server on its intranet wasn't responding, an IT manager was dispatched to the scene-only to discover that the entire computer had been hauled off, along with an essential database. To be sure, all the network protection in the world won't do any good if equipment isn't protected.
- Use HRMS security controls and firewalls. "You should build a basic level of security into your base HR application, regardless of the vendor," warns Kelly. In fact, security in today's HRMS applications has become far more robust-yet it's only as good as the checks and balances that have been put into place. That means making sure security features are fully enabled, employees follow guidelines and appropriate firewall protection is in place. For instance, without the latter, it's possible for hackers to tap into data. Contrary to popular belief, these data bandits usually aren't teenagers breaking into the system from outside. They're often employees, temps or independent contractors working in other departments within the same company.
- Encrypt sensitive Web pages. When employees are allowed to view sensitive information on an intranet-such as 401(k) statements or pay stubs-it's essential to provide encryption through the browser. Netscape Navigator and Microsoft Internet Explorer support Secure Sockets Layer (SSL), but it's up to IT and HR to ensure that sensitive documents and files are sent from the server to the browser in an encrypted form. "It's cheap insurance that's very effective," says Maxwell.
- Develop and coordinate policies with IT. At many companies, human resources depends on IT to develop sufficient security procedures. That's a big mistake-security is a complex issue and that requires input from various departments. Maxwell notes, "HR must be involved to ensure that the appropriate level of protection is in place. Nobody knows HR data better than HR."
- Educate workers how to use the system correctly. Companies that teach their employees how to securely use an intranet can prevent a number of problems. In order to protect the company's data, it's important for workers to understand how to correctly use passwords, as well as log-on and log-off procedures and digital certificates.
At Washington, D.C.-based MCI, more than 30,000 employees company-wide access the intranet every month. They're able to exercise stock options, view electronic pay stubs, update W-4s and engage in distance learning. MCI also puts employees' names on the Web pages so employees know they're viewing confidential information.
Plus, there's a log-off button to ensure that data is no longer available once an employee has completed an online task. "Although the system automatically logs a person off after five minutes, we want employees to know they have a personal responsibility to protect sensitive data," Cimmino comments.
While a conventional, printed signature on paper can be forged, that's nearly impossible to do with a digital certificate. A document is encrypted using a password that's required by both the sender and receiver. Without the password, the file becomes a scrambled mess. Likewise, any attempt to alter the document once it has been encrypted renders it useless.
Such systems typically work best for sending sensitive documents outside the organization, yet "Issuing and maintaining them can be challenging," says Maxwell. The lag time in getting a new employee set up and revoking privileges for a terminated employee-typically a few days-can present problems because employees can't log on right away or can continue to have access after they've left the organization.
When IT managers at organizations use a Web crawler (a software program that automatically indexes content) to survey their intranets, many are shocked to see that servers and pages often sprout like weeds. In some cases, the extraneous content can pose a security or liability threat. Employees at some companies have actually posted classified information or put up opinions and statements not supported by the organization. More frequently, employees load games and various programs they find useful. These applications can crash the network and corrupt files and settings.
Not only is it important to limit physical access to computers with access control systems, it's a good idea to use video surveillance, if appropriate. Unfortunately, employees and vendors with free rein to offices mastermind the majority of break-ins.
However, the protection you place on your intranet materials shouldn't stop there. It's possible to set controls so that the browser won't display data stored in its cache. Thus, when an employee clicks on the "back" button, the previous screen is no longer available.
The system can also be set to disconnect an employee after several minutes of inactivity. "If a person gets up and leaves his or her PC, somebody else can't view the data," says MCI's Cimmino. Such a policy can ensure that the right set of eyeballs views appropriate data.
It's also essential to work with IT to ensure that electronic audits can track down violators, and also spot weaknesses in the overall security structure.
"A system is only as good as the policies and procedures in place. Security is about cultural issues, as well as technology," says Jude O'Reilley, a research analyst for Gartner Group in Stamford, Connecticut. In other words, all the protection in the world won't help if employees do not follow standard guidelines and procedures. It's up to HR to help educate employees use systems correctly and ensure that they're minimizing the risk of a security breach.
Keeping the company's systems and data well protected is the responsibility of everyone within the organization. Although the task can at times seem complicated and overwhelming, there's no alternative to using proper security techniques in today's digital workspace-and workplace. Anything less than total vigilance can be an invitation for disaster.
Workforce, September 1998, Vol. 77, No. 9, pp. 78-81.