In April 2018 the Government’s own Cyber Security Breaches Survey revealed that 19% of charities and 43% of businesses had reported cyber security breaches or attempts in the previous 12 months. That rose dramatically among larger businesses to 72%. The average financial impact was an estimated £3,100.
Not only does every successful attack potentially expose the victim to heavy fines, but negative publicity also makes customers wary of dealing with that organisation again: just think British Airways, or any of the other major names who have had significant security breaches in the past year. It’s not only customers who get concerned: employees would share the same concerns should their personal data be compromised.
As more and more companies move away from using their own data storage facilities to cloud-based solutions from third parties, knowing how secure your data is and just how it’s managed becomes even more critical. Add to this the growth in mobile technology, and apps which allow employees to manage everything from their holiday entitlement to updating their own personal data, and you have a veritable minefield of possible security issues.
Technology isn’t going to go away - and indeed the range of applications is more likely to increase than decrease. So how do you make sure your employee data is as secure as it can possibly be? Here are a few steps HR departments should consider when assessing data security.
First, what is the supplier company’s level of security accreditation? Look for ISO 27001 certification issued by a certification body recognised by the United Kingdom Accreditation Service (UKAS). That’s a good indication that they have the highest level of independently assessed security. Find out just how resilient their systems are: ISO 22301 covers business continuity and is increasingly being used by organisations to ensure they have appropriate disaster recovery and business continuity in place. Even without ISO 22301 they should still have documented what disaster recovery and back-up arrangements they have in place. Ask when they last tested their systems by running an ethical hacking exercise.

Have they ever had any real incidents? What were they and how did they deal with them? Be a little sceptical of anyone who says it’s never happened. As the Government figures show, a large number of organisations have suffered attempted hacks or security breaches. What you need to find out is how they handled these. What actions did they take at the time, and what did they learn from the incident to make sure it was less likely to happen again?

What would happen if one of your employees misplaced a laptop or a work or personal mobile? Are your hard drives or mobiles encrypted, and could important data on those devices be remotely erased?
Also examine your cyber security training. The Cyber Security Breaches Survey shows that despite the downsides of a hack, only 20% of businesses and 15% of charities invest in such training. Further, only 27% and 21% respectively have any kind of cyber security policies in place. Given that a further study suggests up to 88% of data losses are down to human error, both these omissions start to look short-sighted.
Digital, cloud and app-based HR solutions are transforming working practices for the better, providing excellent opportunities for employers and employees alike. But investing in these types of technology without addressing the security of the data they hold would be missing a major opportunity to demonstrate to employees and customers that you take these issues as seriously as you possibly can. No organisation can be completely secure from the threat of attack, but by asking the right questions you can at least assure yourself that if the worst were to happen you have taken the correct steps to ensure the impact on your organisation will be absolutely minimal.
Ben Crick is managing director of Civica HR & Payroll