Some experts warn that the recent hacking of the U.S. Office of Personnel Management and theft of nearly 22 million federal employees’ personal data should serve as a wake-up call for any human resources leader responsible for sensitive employee information.
Todd Thibodeaux, president and CEO of CompTIA, a nonprofit trade association for the information technology industry, said that even if hackers get basic information, much less security clearance data, it can be used to harm employees and the companies they work for. “No one is immune from today’s cyberthreats,” Thibodeaux said.
Even basic information, like an old street address or Social Security number, can be used to acquire credit cards or take out bank loans, Thibodeaux said. And every time an HR team handles this information, it could be exposing it to a hack.
Fallout from the massive cybertheft that was reported July 9 — the biggest breach in U.S. government history — has initiated a governmentwide “30-day cybersecurity sprint” to beef up agency protections against cyberintruders. It also resulted in OPM director Katherine Archuleta’s resignation July 10 and the appointment on July 13 of acting director Beth Cobert, who said she, too, was a victim of the data breach.
Philip Hagen, principal consultant with Lewes Technology Consulting, an IT security training and consulting firm in Lewes, Delaware, said one of the biggest mistakes HR professionals make is passing around employment paperwork via email.
“This creates a significant risk, as those documents contain sensitive information that is an attractive target for thieves to acquire,” he said.
And losing that information doesn’t just make the employee vulnerable. It also represents a significant legal and financial risk to the company and the brand, he said. “If an HR department’s standard practice is to send documents containing Social Security numbers over email and that information is stolen, the company could be liable for damages to the employee,” he said.
Avoiding data breaches may seem like the IT department’s responsibility, but the OPM cybertheft and Archuleta’s resignation are indications that it ultimately is the people responsible for collecting the data who will be held accountable for its security.
So how can HR leaders keep their employees’ data safe?
First, they must recognize their role in information security, Hagen said. The best way to do that is to create a cross-functional team that includes IT/security, the legal department, and the leadership team to develop processes and security controls to keep data safe. Hagen noted that each group holds a distinct role on this team: HR determines what information is used in its workflow, legal identifies which of that information represents a risk to the company if lost, IT/security designs and implements solutions to mitigate those risks, and leadership approves and pays for it.
“A full-team approach is critical to ensure all parties’ requirements are being sufficiently addressed,” he said.
Once those controls are in place, don’t forget the training to ensure every employee understands how and why to keep their data safe, Thibodeaux said.
“Spreading cybersecurity awareness, knowledge and training throughout the entire organization, from the receptionist at the front desk to the IT worker in the back office, is essential,” he said. “Otherwise, you risk becoming the next cybersecurity headline.”