You don’t have to be a security expert to know that critical information is under attack from all kinds of sources. Every day, you hear about the latest computer virus, hackers getting into supposedly secure networks, and people "stealing" other people’s identities for financial gain.
According to the 2002 FBI/CSI Computer Crime and Security Survey, 90 percent of companies surveyed detected computer security breaches within the previous 12 months, to the tune of more than $450 million. Fortunately, technology can protect you and your data from these threats. However, the same survey found that nearly 35 percent of all computer crime is conducted by company insiders with ready access to corporate information, a number that has grown steadily over the past five years.
This brings a whole new perspective to security threats, many of which you might not be aware of. As you look at your corporate information security, don’t overlook the following areas or incidents.
The Historian. Every organization collects employee data such as applications, performance reviews, and personal information. Some organizations go "paperless" and store it all on an HRMS, but many go the conventional route and have employee files in file cabinets.
Unfortunately, some companies find it easy to use the employee’s file as a storage place for everything about the employee, including such things as medical reports obtained in workers’ compensation claims. This kind of sensitive information can be viewed not only by HR staff but also by people such as external auditors, even if authorization has been obtained from the employee. In most cases, the employees don’t expect that non-job-related information will be contained in their employee files.
The Solution: Review all employee files to make sure that only job-related information is included, and move the more sensitive material, such as medical information, into a separate file with restricted access (e.g., HR director or employee health staff member).
The Second Cousin, Twice Removed. Is your business involved with the shipment of products or services through several avenues or vendors? How do you make sure that the product you sent out from your office today will be the one you want the customer to receive, even though it has passed through some intermediate vendors?
It’s an important task, says Gary Morris, cofounder of the FedSecure Group, a security personnel staffing organization. According to Morris, many companies that deal with downstream vendors or intermediaries assume that they are checking their employees through screening methods such as background checks. Without this assurance, a company could be exposed to product theft (e.g., intellectual property).
The Solution: When selecting business partners, take time during the "courting" process to evaluate their security procedures, especially the ones that will directly affect your product or service.
The Keymaster. When asked, "Who is the most important guardian of your data?" usually the first answer is your information technology (IT) people. After all, they are the ones who develop your system, hand out access and passwords, and make sure you have all the protections in place to keep your data safe and accessible. They are also your biggest security risk because of the control that they have. One disgruntled IT analyst can do enormous damage, which is why your techies should be carefully chosen.
The Solution: Above all, make sure you get topflight IT staff. If data security is absolutely critical to your business, take the time to do thorough background checks on potential candidates. Leave nothing to chance, even in a tight labor market. Be sure to select candidates who appear to be able to handle pressure situations and can perform many tasks at once (i.e., multi-task).
Information technology positions are ripe for burnout, so be aware of the signs (e.g., depression, mistakes, and uncooperativeness) and establish ways to reward them that will keep them motivated and less likely to turn on you when things get tough.
The Friendly Consultant. From mission statements to benefit plans, from software installs to copier service, most companies have the occasion to hire or welcome visits from outside consultants or vendors. In some cases, these consultants could be allowed access to information about your company that is critical to your competitive edge. Or, unbeknownst to you, a recycling bin next to a copier or computer could tempt a service person to peek at documents that are intended for the trash heap (e.g., drafts of confidential memos or documents).
The Solution: Be sure to have outside consultants sign confidentiality statements if there’s any possibility that they will come in contact with sensitive data. Any consultants worth their salt will be OK with it.
Also, train your staff to be aware of outside visitors who might be in the department. Put in place ideas for protecting data, such as keeping sensitive documents out of plain view, especially when leaving the work area, and password-protecting any screen savers that are on workstations. This prevents the "accidental bump" of a computer that brings up a screen with confidential information on it. Finally, institute a shredding program for any documents that are not needed but shouldn’t be seen again.
The Home-Office Hombre. As more and more organizations have employees who work from home, or even allow access to company networks from home, this is an ever-increasing breach that must be addressed. Or perhaps you have a single person who directs an autonomous unit of your organization with little or no oversight. Even though you may trust the individual, you are still giving over a part of your business information to an unsupervised person who is often in a remote location.
The Solution: Strict guidelines should be in place to control external access to company information. They should refer not only to direct computer access but also to employees taking diskettes and other removable storage outside the company.
Employees should be trained in such security basics as closing a Web browser (a common way to connect to a corporate intranet) when they have finished and saving work data to network file folders that are protected by corporate firewalls, the network’s protective layer. Another suggestion, put forth by John Manry, vice president of development for Best Software, is to provide "static Internet protocol (IP) addresses" for people who access the data from the outside. These IP addresses are much like your home address and direct information to a specific computer. This direct connection can more easily be monitored and protected from outside influence.
The Second-Generation Reporter. Have you ever attached a document to an e-mail to send to another person? Most likely, yes. The ease of information-sharing these days has been a boon to corporate productivity. However, according to John Cafolla, senior vice president of HRMS product development for Oracle Corporation, this is one of the most common but unchecked security breaches in corporations today. He notes that individual records stored within an HRMS, such as an employee’s address or birth date, are often protected by access rights or passwords. However, many HR analysts will use the HRMS report writer to pull this protected information out of the system and place it into an analysis program such as Microsoft Excel. From there, they do things like develop mailing labels, analyze the data (e.g., determine average age of employees), or send the information on to other colleagues. Now the data resides outside the protected HRMS application and is potentially subject to unwanted access.
The Solution: Cafolla suggests that organizations "view security from the process standpoint rather than the record standpoint." In other words, don’t concentrate your security efforts so much on protecting your data (the record), which is easy to do through your HRMS. What you should do is educate your HR staff on the sensitive nature of personal data and how to properly handle it (the process). For example, you may want to make it a policy to save any information that is taken from a secure source (e.g., an employee record from the HRMS) to a certain file on the network that can be specifically protected from outside access with a password.
If you are evaluating an HRMS, choose a system that has a reliable function within the application to generate the reports that you may need. This "reporting module" should be flexible enough to produce the information you need within the HRMS so that you will not have to pull information out to a separate program, such as Excel.
Finally, work with your information technology staff to strongly incorporate and encourage the use of data encryption on any e-mail messages that contain sensitive information. Data encryption is the process of making files and messages unreadable by anyone other than a person who knows a secret code for opening the information. Although data encryption can add time to your communications, it provides a much higher level of security.
The Absent-Minded Traveler. If you are a multinational organization, you may feel like you are meeting all of the security issues that pertain to the laws of your own country, for most of us the United States. But are you aware of data privacy and protection laws of other countries? You might think they are the same, but think again. Says John Cafolla: "In each [European Union] country in which you operate, you have to register the types of personal data you will store and the use you will make of that data. For practical reasons, most companies now seek individual employee consent to the use and transmission of personal data—to avoid potential legal challenges from disgruntled employees. In comparison, the United States tends to operate on an ethical principle of protecting personal data—but there is not a legal liability on the employer, or on the individual employee, with access to the personal data of others." Clearly, many countries have specific legislated recourses for invasion of data privacy; in the United States, the ultimate legal recourse would be the courts.
The Solution: If you have expatriate or foreign-national employees, it is important to have someone in your organization responsible for knowing the legal ramifications of corporate information-sharing between countries and what steps should be taken to access and share it. This generally will reside in your legal department or with legal counsel. It also means you should make sure that policies and procedures are in place for domestic employees who communicate with your foreign-bound employees, and vice versa.
Joe/Jane CEO. It seems so simple, but humans are the most unreliable form of security you have, so much so that many companies overlook reliable individuals within the organization who may be the worst offenders. For instance, take a look at your CEO or president and ask yourself: Who’s ensuring that your top person is being airtight with company information?
That's a tough question when there are very few, if any, people that they report to. This is not to say that CEOs and presidents are inherently corrupt, but you should determine the most reliable ways to give your CEO the information he or she needs without compromising your corporate information. For example, is your CEO computer literate? Putting a computer on his or her desk just because everyone else in the company has one can be disastrous when e-mails are being sent without proper training.
The Solution: First of all, any corporate security initiative that a company undertakes should have the full support of top management and be rigidly enforced down the line. Simply putting a policy and consequences in writing will not have teeth if practice doesn’t follow. You also want to make sure that your HRMS is designed to match up the need for data to the person using it.
John Manry suggests using systems that provide flexible security protocols that are tailored to both the size of the organization and the work being performed. In most cases, higher-level managers do not need the kind of employee data access that an HR generalist will need, but often that is exactly the case. This only exposes the information to more individuals than necessary.
The overriding theme of information security is that you must develop a culture of respect for the products and services your organization spends its time developing. The rhyme from World War II still rings true today: "Loose lips sink ships." Get your ship in order, and protect what you’ve worked hard to produce.
The information contained here is intended to provide useful information on the topic covered, but should not be construed as legal advice or a legal opinion.
Workforce Online, June 2002