Organisations have a duty under the Data Protection Act 1998 to keep employee data safe, and whilst the Computer Misuse Act of 1990 (extended last year) prohibits the unlawful use of any computer or system, recent years have seen a huge rise in business and ID theft within the UK, and it is reported to be one of the most significant and growing risks organisations of all kinds face.
HR professionals, who deal with a wide range of confidential information, can no longer afford to view data security as ‘an IT problem’ and the CIPD has been engaging with a number of communities and organisations including the Government, CPNI and influential groups like SASIG on the issue to promote greater awareness and understanding.(1) More engagement between HR and IT is crucial – and that starts with HR Managers feeling comfortable and confident in questioning external systems providers to make sure their data will be held securely.
The public sector has its own safeguards and requires certain security standards before companies can supply it. For example, as a government supplier Activ Absence is accredited to the quality standard ISO 9001 and is listed on the G-Cloud. The organisation is also undergoing the rigorous ISO 27001 accreditation for data security; this is expensive, but companies can’t supply the Government without it. In addition, many of Activ Absence’s developers are security cleared to work on custom Government projects. Whilst public sector bodies insist on these security standards before companies can supply them, there are no similar safeguards for businesses or the third sector other than the age-old caveat emptor rule: ‘Buyer Beware’.
New HR software providers are emerging, and it’s important to remember that ‘Software Developer’ isn’t a protected title. It’s perfectly legal for a 15-year-old with no experience of business or software to teach themselves PHP, develop a piece of software and sell it to a multinational organisation. Data security standards and coding methods vary widely, and if a company is not accredited or externally assessed, its software does not have to meet any given standard. ‘Look and feel’ and price do not give any level of professional assurance, so question unaccredited providers on their experience, their workforce, their development standards and their support. Any reputable provider will welcome questions.
If short on time, remember that suppliers listed on the G-Cloud have already been thoroughly evaluated as safe to look after public sector data. Similarly, providers who hold ISO 27001 have been externally verified as complying with the highest data security standards. Price should always be less of a consideration than security. Accredited providers are not often the cheapest, but a breach in data security will almost certainly be more expensive in the long run.
Whilst choosing the right provider will help take care of the high-tech threats, Government research(1) found that most data security breaches are down to employees. Therefore, even when managing people with ‘old school’ methods like spreadsheets, HR must educate their people in maintaining the strictest standards of data confidentiality and restricting access to unauthorised users. This is not an ‘IT’ function, but a duty of each and every user of the system. Data breaches usually occur when staff do not understand risks, make mistakes or fail to follow their organisation’s data security policies.(1) Worse, many organisations do not even have a data security policy, or if they do, their employees have not seen it.
The first challenge for HR, then, is to ensure that their organisation has a strict data security policy that staff have read, understood and most importantly, follow in practice.
The CIPD now offers a free online course, ‘Cyber Security for HR professionals’,(2) as part of a wider partnership between the Government, senior HR professionals, information and cyber security professionals and key influencers. This course helps HR professionals understand and promote the importance of cyber security at work, and establishes the critical role that HR has to play in mitigating the competency and behavioural risks present in the workplace.
The first step is to ensure staff use secure passwords and that default accounts and passwords are removed under the company’s data security policy. Most hacking attempts begin with trying default logins – it is surprising how many people use logins like ‘admin’ and ‘system’ and the passwords ‘password’ or ‘letmein’.
Social media has made workplace passwords easier to hack. Names, especially, make bad passwords and usernames. Forget the no-names policy on reception – they are an easy find on LinkedIn. Meanwhile, Facebook profiles broadcast every piece of private data for the world to see. Hackers can find the names of children, pets and partners with minimal effort – so staff need to be trained that ‘PeterLucy’ or ‘Snoopy’ aren’t safe passwords either. Ideally, passwords combine upper and lower case letters, numbers and special characters and are 12 characters or more.
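The password rules above (12 or more characters, mixed case, numbers and special characters, no default logins, no names of family or pets) can be turned into a simple check that an HR or IT team could run over proposed passwords or during an account audit. The following is an added example written for this page; it is not code from the article, the CIPD or Activ Absence. The deny-lists of default usernames and common passwords, the sample accounts and the list of personal names are all constructed for illustration.

```python
import re

# Constructed deny-lists based on the examples the article gives.
DEFAULT_USERNAMES = {"admin", "system"}
COMMON_PASSWORDS = {"password", "letmein"}

MIN_LENGTH = 12  # the article's recommended minimum


def password_policy_violations(password, username="", personal_terms=()):
    """Return a list of reasons a password fails the policy (empty list = compliant).

    personal_terms: names that social media would reveal (children, pets, partners);
    a password containing any of them is rejected, as is one containing the username.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        violations.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        violations.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")

    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        violations.append("is a common default password")
    if username and len(username) >= 3 and username.lower() in lowered:
        violations.append("contains the username")
    for term in personal_terms:
        # Ignore very short tokens so that a two-letter initial does not reject everything.
        if len(term) >= 3 and term.lower() in lowered:
            violations.append(f"contains personal name '{term}'")
    return violations


def is_default_login(username, password):
    """True when either half of the login is a well-known default that should be removed."""
    return username.lower() in DEFAULT_USERNAMES or password.lower() in COMMON_PASSWORDS


def audit_accounts(accounts, personal_terms_by_user=None):
    """Check a list of (username, password) pairs and report the failing ones.

    Returns a dict mapping each non-compliant username to its list of violations.
    Compliant accounts are omitted. Passwords are only ever held in memory here;
    a real audit would run against a policy at set time, never over stored plaintext.
    """
    personal_terms_by_user = personal_terms_by_user or {}
    report = {}
    for username, password in accounts:
        problems = password_policy_violations(
            password, username=username,
            personal_terms=personal_terms_by_user.get(username, ()))
        if is_default_login(username, password):
            problems.append("default login still present")
        if problems:
            report[username] = problems
    return report


if __name__ == "__main__":
    # Constructed sample accounts; the names are those the article uses as examples.
    sample_accounts = [
        ("admin", "password"),
        ("jsmith", "PeterLucy"),
        ("kjones", "Snoopy"),
        ("rpatel", "Tr0ub4dor&3xample!"),
    ]
    names_from_social_media = {"jsmith": ["Peter", "Lucy"], "kjones": ["Snoopy"]}
    for user, problems in audit_accounts(sample_accounts, names_from_social_media).items():
        print(f"{user}: {', '.join(problems)}")
```

The check deliberately reports every reason a password fails rather than stopping at the first one, so that the feedback given to staff matches the policy wording they have been trained on; the personal-name test is the part that an off-the-shelf complexity rule usually misses.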
However, the most important steps to protect data don’t even involve the IT system. Good general security is as important as specific IT measures – in many cases, people are the weak link, not IT systems, and since the advent of computers, gaining unauthorised access to information has been as much about social deception as about bypassing data security. In other words, hackers may not originate from some shadowy location in Korea or China; a modern data thief (or a terrorist, for that matter) can be someone within the organisation, a visitor in person, or someone on the telephone.
Cyber security therefore includes being careful about who companies employ, doing background checks and checking references, and also being cautious about visitors and callers. A recent survey by ID specialists Digital ID revealed that 59% of the businesses surveyed admitted they currently have no form of staff identification in place,(3) and even where they do, ID schemes are not always foolproof. New technologies make ID cards more secure and harder to copy, but staff must be taught that it is OK to challenge seemingly authoritative strangers even if they have ID.
Train staff to ALWAYS check with IT before giving secure information to a visitor – and if it is a hacking attempt, have a procedure in place for users to quietly raise the alarm. This especially applies to those who come to ‘look at their computer’ without prior notification or a support request. It only takes a second to check with the department they claim to be from (get the extension number from the company’s switchboard or company handbook, not from the visitor!). Similarly, if someone telephones an employee asking for a username and password to ‘set up’, ‘fix’ or otherwise alter a computer, even if they sound genuine, train staff to take their name and telephone number and politely say they will call them back. It is very rare for an IT professional to need this information from a user.
It is worth mentioning that it isn’t only hackers and journalists who are interested in critical data. Other employees have a natural curiosity about what was said during an interview or an appraisal. Organisations have a duty to keep this information private – so train staff to protect data like their homes, and to lock their PCs when leaving their desk (in Windows, press Ctrl-Alt-Del, and then click Lock this computer, Lock Computer, or Lock). It is especially important to be aware of data security in new situations, for example after a merger, when staff have to deal with lots of new internal and external contacts, and two HR systems have to talk to each other. Post-merger security is a vital consideration in any pre-merger plans. Make sure both companies adopt a common data security policy.
Staff alertness at all times is crucial – each employee is a cyber security guard. Security expert Peter Sommer fondly recounted in his 1980s classic ‘The Hacker’s Handbook’(4) how a TV programme showed PC users casually working in the background – and inadvertently broadcast access details for Herts County Council’s system on TV! A young hacker recorded it and patiently watched it back frame by frame to access the system. Peter Cheese, CIPD chief executive, said: “Risk is fundamentally down to how people make decisions and judgements and, while most people won’t do this with malicious intent, businesses can still be left exposed. More secure technology, of course, is part of the solution, but organisations need to think much more broadly and consider how they are equipping their employees with the knowledge and understanding they need to help to protect their organisation and its data.”