Protocols and policies
The frequency with which HR is asked to share information with other functions puts its data in a particularly vulnerable position. “You might have the best HR tech platform around in terms of penetration testing to a gold standard, but internally what flies around is spreadsheets,” says Shah.

“Finance will ask HR to send them cost structures but they will handle cost structures differently to how HR does. So in order to reconcile the two systems, the data will get downloaded onto a spreadsheet and emailed.”

This “culture of spreadsheets and emails” leaves HR data vulnerable, adds Shah: “HR should put in the right protocols so there is a model where data is transmitted from the HR system into a relevant system or other part of the organisation using the right encryption protocols.”
Cyber security software
Investing in dedicated cyber security software is also important, says Shields, who recommends “active defence products” that act on the firewall and spot common, advanced and emerging attacks. “There are definitely systems that should be deployed,” says Herold, suggesting a combination of data leak prevention (DLP) software (which will alert the organisation if employee data is being exfiltrated from the organisation) and intrusion detection systems (which will alert the organisation if someone tries to inappropriately access or modify HR records).
“DLP helps keep personnel records from leaving the company whereas intrusion detection helps keep unauthorised entities from accessing personnel records, so they form two purposes – keeping people from getting to the information to begin with and preventing the people who do have access to it from taking it outside the organisation,” she explains.
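To make the DLP side of that description concrete, here is an added example (not code from the article or from any product it mentions) of the kind of outbound-mail check a DLP tool performs: it looks at constructed outbound email records and raises an alert when a CSV attachment that looks like a personnel spreadsheet is addressed to an external domain. The internal domain, the sensitive column names, the NI-number pattern and the sample messages are all assumptions made for the illustration; real DLP products use far richer classifiers.

```python
"""
Added illustration, not from the article: a minimal DLP-style check over
constructed outbound-email records. It flags messages whose CSV attachments
look like personnel data (sensitive column headers or values shaped like UK
National Insurance numbers) when at least one recipient is external.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example-corp.test"  # assumed internal mail domain (constructed)

# Simplified UK National Insurance number shape: two letters, six digits, suffix A-D.
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")

# Column headers that mark a spreadsheet as HR/personnel data (constructed list).
SENSITIVE_HEADERS = {"salary", "ni number", "national insurance", "date of birth", "bonus"}


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    attachments: dict = field(default_factory=dict)  # filename -> CSV text


@dataclass
class Alert:
    message_subject: str
    external_recipients: list
    reasons: list


def external_recipients(msg):
    """Recipients whose address is not on the assumed internal domain."""
    return [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def classify_csv(text):
    """Return the reasons a CSV body looks like personnel data (empty list if none)."""
    reasons = []
    lines = text.strip().splitlines()
    if not lines:
        return reasons
    headers = {h.strip().lower() for h in lines[0].split(",")}
    hits = sorted(headers & SENSITIVE_HEADERS)
    if hits:
        reasons.append("sensitive columns: " + ", ".join(hits))
    ni_count = sum(len(NI_RE.findall(line)) for line in lines[1:])
    if ni_count:
        reasons.append(f"{ni_count} NI-number-shaped values")
    return reasons


def scan(messages):
    """Run the check over every message; internal-only mail is out of scope."""
    alerts = []
    for msg in messages:
        ext = external_recipients(msg)
        if not ext:
            continue
        reasons = []
        for name, text in msg.attachments.items():
            if not name.lower().endswith(".csv"):
                continue  # this toy check only understands CSV attachments
            reasons.extend(f"{name}: {r}" for r in classify_csv(text))
        if reasons:
            alerts.append(Alert(msg.subject, ext, reasons))
    return alerts


# Constructed sample traffic: one internal HR-to-finance transfer, one personnel
# spreadsheet sent to a personal webmail address, one harmless external CSV.
SAMPLE_MESSAGES = [
    OutboundMessage(
        "hr@example-corp.test", ["finance@example-corp.test"], "Cost structures Q3",
        {"costs.csv": "Department,Headcount,Salary\nSales,12,480000\nOps,8,290000\n"},
    ),
    OutboundMessage(
        "hr@example-corp.test", ["someone@webmail.test"], "payroll copy",
        {"payroll.csv": "Name,NI Number,Salary\nA Person,AB123456C,41000\nB Person,CD654321A,52000\n"},
    ),
    OutboundMessage(
        "marketing@example-corp.test", ["agency@partner.test"], "campaign spend",
        {"campaign.csv": "Channel,Spend\nSearch,12000\nSocial,8000\n"},
    ),
]


def run_sample():
    """Scan the constructed sample and return the alerts it produces."""
    return scan(SAMPLE_MESSAGES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert.message_subject, "->", alert.external_recipients)
        for reason in alert.reasons:
            print("   ", reason)
```

Only the second message trips the check: the first carries salary data but stays inside the organisation, and the third goes outside but contains nothing that looks like personnel data. That split is exactly the point Herold makes: DLP is about data crossing the boundary, while intrusion detection is about who reaches the records in the first place.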
Social engineering events
“If you get a knock on the door and open it to someone wearing what looks like a police uniform, you’d normally take that person on face value, let them in and think they were someone who you can have a secure conversation with – people behave to social norms,” explains Shah. “What we increasingly see is cyber hackers trying to create events like this.”

These events – known as social engineering – could involve hackers finding out when an organisation is going through its performance review cycles and sending phishing emails asking managers to submit security information to confirm their teams’ bonuses. “You might think your organisation has done this deliberately to make the information secure, but this has been engineered to get you to hand over information,” says Shah.
He advises HR to send its own simulated social engineering emails to its teams and the wider workforce to see who falls for them, and then to provide further training for anyone who does.
The crucial thing, with the threats only getting more sophisticated, is for HR to keep up. “It’s changing literally by the hour,” says Shah. “As new technology comes out, there’s already someone figuring out how to break it.”
HR Technology Supplement Cyber security
24 HR October 2019 hrmagazine.co.uk