Are We Saying F*** You to Guarding Employee Data?

Over the past year to year and a half, data breaches have surged substantially.

Target, Michael’s, and Neiman Marcus have all been impacted by customer data breaches, and now Home Depot customers are experiencing the same thing. The funny thing I have witnessed as these events continue to occur is that our level of acceptance has increased. It appears that while these situations are frustrating, we are now accepting these “breaches” as something of a new norm, and our reaction to the impact has become desensitized. I do not believe this desensitization is purposeful, but with retailers and credit card companies alike trying to do right by consumers, I think it is becoming a risk we know is there and that we will get through.

The question I ask myself on the flip side of these consumer breaches is, “do we have that same desensitization about our personal data with our employers?” Is it a bigger deal if our personal data – social security number, birth date, etc. – is stolen versus our credit card number? I would like to think many people would say yes. However, did you know that personnel data breaches continue to be on the rise? Employers like UPMC, Coca-Cola, and others have been the subject of employee data breaches; it just doesn’t seem like we hear about these breaches as much.

Many employee data breaches are the result of employees themselves. Yes, employees themselves. What you will find is that many times employee data is leaked by accident through the simple sharing of information with the wrong person – either internally or externally. In other cases, breaches are caused through network exposure when employees visit personal sites or sites that give attackers a way in.

So while we all want to gripe and complain when our employers block website access or the use of thumb drives, there is a reason for this. Many IT departments are protecting us from ourselves, because when we access these sites or use a thumb drive (one that, unbeknownst to us, has a virus on it), we are creating an opportunity for exposure. Therefore, in situations where organizations are now lifting blocks on web or website access or allowing the use of unauthorized thumb drives, are we giving the middle finger to protecting employee data?

Are we continuing to give the middle finger to protecting employee data when controls become even more lax on sharing data internally? Meaning, are we still able to share key personnel data without data and/or email encryption? Or better yet, do we still trust that we can leave documents sitting around on our desks and trust that people will not take them?

As someone who was the victim of identity theft as a result of a manager taking the documents I presented for my I-9 and creating her own documents with her name, employee data protection is something I am attuned to. And it is something I think every working professional should be, as well!

Now I do not recommend going on any rampage of locking down data or web access, but I think it is worthwhile as a professional in an organization to get a better understanding of how data is accessed, used, and shared. Some questions I generally ask myself include:

  • What are the methods for encryption?
  • What information is readily shared?
  • Is information shared that doesn’t have to be shared?
  • Are physical documents secured appropriately to provide double protection?
  • What is the accepted behavior on sharing data?
  • Do people appear to care about protecting data?

Since most employee data within organizations is housed with the HR team, HR professionals have to take to heart how to protect employee information. Ensuring documents are locked up or guarded is key – do not leave papers with sensitive information lying around, assuming someone will not take them or look to see what is on the document simply because they are in HR.

Ensure personnel records are double secured – meaning locked file cabinets in a locked room. It still amazes me when I go to some organizations and the assumption again is that because it is the HR file room, no one will attempt unauthorized access. While I would say this is 98% true, risks still exist and it is important to be aware of those risks. Furthermore, ensure HRIS systems provide layered security and encryption and offer security mechanisms to limit idle open sessions, etc.

Security is a matter of awareness and execution; it is something organizations have to embed within their cultures as technology continues to evolve. So if you are a professional in an organization, the next time you go to send that email with confidential information or have documents lying around with confidential information, be mindful of how you are protecting the information you have access to. Otherwise, you can simply say you are saying F*** You to safeguarding anything.