Data security shouldn’t just be an IT concern

Payroll and HR have a key role to play in protecting company data

On April 8, the Canada Revenue Agency announced its systemswere vulnerable to the Heartbleed bug and removed public access to its onlineservices.

This incident raised awareness of the issues surroundingsecurity, risk and privacy that the use of technology can create in theworkplace.

Payroll data can be at particular risk because it is sought afterby nefarious individuals and groups. As the keepers of that data, it isimportant that payroll and HR professionals lead company-wide understanding ofthe importance of data security.

An integrated approach to data security includes not onlythe IT department, but also payroll, HR and operations. Both the organizationand the individual employee must take responsibility to help ensure that thecompany’s and employees’ confidential information remains secure.

All companies, no matter what size, should have a datasecurity plan in place that includes the details of: the organization’sresponsibilities, the employee’s responsibilities and what to do if a datacompromise occurs.

The organization

Company-wide security systems are the first line of defense.Companies can follow the steps below to help implement a more secure dataenvironment.

Develop and implement a server plan.  Include dedicated practices that ensurecomputers are patched and managed with the latest anti-malware software.According to Verizon’s 2014 Data Breach Investigations Report, servers havetypically been the top target for a compromise as attackers know that is wherethe data is stored.

Institute basic network security. Ensure basic networksecurity or perimeter protection, such as firewalls, are up and running. Afirewall provides a critical line of defense by limiting access to specifictypes of Internet traffic going to and from authorized addresses.

Review, review, review. Have a dedicated team who regularlyexamines the usage logs to ensure that the right people are accessing the rightinformation. The sooner you know if a compromise occurred, the better.

Create an incident response plan. Your company should have awell-defined and proactive incident response plan with clearly documentedprocedures for effectively handling significant events such as unauthorizedaccess, disclosure of data, denial of service or illegal probes. The planshould include escalation procedures, the identification of the members of theincident handling team and a communication plan based upon the securityincident.

If you use a third-party provider for your human capitalmanagement systems, its processes must also be part of your organizationalplanning. When choosing a service provider or re-negotiating your contract,ensure that data protection is built into the system, the data centre isproperly protected and the provider has a contingency plan if a compromiseoccurs. Ask for references and complete your due diligence.

Hold your outsourcing partner to high standards. A 2013Ponemon Institute study sponsored by Experian identified significant gapsbetween the more stringent in-house data security practices to whichcorporations hold themselves and those to which they hold their variousvendors.

Know your provider’s protocols. Run through data securityprotocols with the provider so you have a full understanding of what isexpected of each organization. Insist the provider notify you if a compromiseof data occurs on its end. Early notification can help you communicateeffectively to employees and clients.

Insist on best practices standardization. Confirm theprovider adheres to best practices in security protection through recognizedand established standards.

Know who you are doing business with, and ask the providerhow it will protect data. A benefit of using a third-party provider is that,with the continuous changes in technology, an in-house security system mayquickly go out-of-date. A third-party provider should be constantly improvingits data security to be ready for the most malicious viruses and malware.

The employee

Every individual in your company must take ownership of datasecurity. It is important to remind employees that it is not only the company’sdata, but also their own personal data — such as banking information — we areall working to protect. No one wants their bank account exposed. All employeesshould follow best practices such as:

Password management. All passwords should be complex andinclude a mixture of letters, numbers and symbols.  Employees must change their passwordsregularly and should avoid sharing them with others.

Be wary of unsolicited links. Do not open links to websitesan employee receives from someone they do not know, or if the link looksunusual.

Report any issues. If a virus or malware is detected, stopusing the computer and contact the IT department immediately.

The best firewall is the “human firewall.” Through safeemployee data practices, your company can lower its risk.

A compromise in data occurred, now what do we do?

Stop and take a breath. You have prepared for this and havethe steps in place. Pull out your incident response plan and execute each step.The goal is to contain and fix the issue. First, contact law enforcementbecause a compromise in data is a criminal matter.

Next, if the incident involved a compromise of credentialswhich can be used to access your third-party service provider, contact them sothat they may take appropriate steps. You may also want to contact a firmspecializing in data security.

You must then communicate with employees and provide themwith all the details of the situation and the actions that are taking place tofix the problem. Provide employees with a detailed description of what isrequired of them to safeguard their computers and data.

If customer data is affected, execute the communicationsplan within your incident response plan and give clear details as to actionscustomers must take. Once again, the goal is to contain and fix the issues asquickly and efficiently as possible.

Taking aggressive action to implement data security withinyour organization will assist in making your company less of a target. As apayroll professional, you must be part of the development of a plan and mustalso be a key player of the response team if an incident happens.

Your in-depth knowledge of your company’s systems can helpearly detection and assist with fixing an issue if one occurs. Yourrelationship with employees can also provide an opportunity to communicateeffectively while executing the incident response plan. Data security must be apriority and you can take a lead role in helping your business be more secure.

Roland Cloutier is the chief security officer at ADP.

Latest stories