
Technology Guide: Data protection - Partners in protection

HR professionals must take responsibility for the secure storage of employee data and for ensuring staff follow IT security procedures. So it is crucial that HR works closely with IT, says Paul Fisher.

The recent debacle surrounding two missing government computer discs containing personal information of 25 million people will not have endeared the techno-sceptics to the joint activities of IT and HR departments. Just how a junior member of Her Majesty's Revenue and Customs came to have access to such sensitive information, and how procedure could allow such data to be put in the mail, are just some of the questions the scandal has raised.

Although the leak is embarrassing for government, it focuses attention on an area of growing concern - how companies hold and manage personal data either on employees or customers, which, especially due to outsourcing, is increasingly kept in multiple locations. A survey by content security firm Websense recently found that employees have a lax attitude to security (see box, right). Worryingly, it found half of the admin staff questioned thought their company would not know if data had been accidentally or wrongly leaked.

HR professionals should be worried. In October 2006 Amicus called for an investigation into the increasing risks of offshoring admin functions from the UK to India. If IT is going to be embraced, it needs to be secure, but many in HR may not even know that insecure IT architecture and processes can contravene the Data Protection Act (DPA).

Jeff Brooke, information security assurance lead at PricewaterhouseCoopers (PwC), sees a disconnect between IT and HR. "The HR director is often quite remote and doesn't really know what to do about data governance," he says. "The majority of companies do not have an integrated governance plan and even software tools will not help if you are protecting the wrong information."

Not everyone agrees that things are so bad but it often takes a security incident to bang heads together. "If you'd asked me five years ago about the relationship between HR and IT, I would have said there was hardly any dialogue," says Mark Sunner, chief security analyst, MessageLabs. "But post-Enron (which included insider trading and internal fraud), there has been much greater transparency between departments."

Not only must HR professionals take responsibility for the secure storage of data held on staff, they must also ensure workers understand the risks they face when using the corporate networks, and the risk they pose to the business by not following IT security procedures.

HR directors need to think about these issues and they need to talk to their counterparts in IT. Specifically, they need to know about the technology and services that can help them.

There is a mixed picture across organisations. Adrian Asher is the global head of security at gaming company Betfair. His HR department uses an off-the-shelf product called Ciphr. Crucially, when this product was installed, HR worked closely with the IT security team to insist it was secure. "By engaging with us at an early stage, we were able to minimise any delays and provide assistance in securing it during its implementation," says Asher. "Providing security from the beginning is always the best option."

Working in this way also gives companies the assurances they need. Asher says HR professionals often know the requirements but don't always have confidence that their systems will protect them from litigation. "From an HR perspective, data security must be slightly daunting, which is why a close working relationship between HR and the information security department is a must," he adds.

At aerospace engine giant Rolls Royce, HR and IT togetherness is slightly different but still involves an integrated picture. "In our case HR directors don't request tools," says Nick Bleech, head of security. "Instead our CIO delivers them through SAP, with a web interface provided by Arinso. They expect me to ensure it complies with the policies and standards the HR team sets up." He adds: "Companies face different challenges. Ours was to converge a 40,000-strong global company on one standard set of HR processes, a shared-service centre and supporting tools."

At blue chip Cable & Wireless, the HR director seems to be taking the mantra that security is everyone's concern very seriously. "Our director of HR sent out a note to the board a month or so ago, stating that all the directors have an obligation to drive effective security within their teams, such as making their staff take an online Security Essentials training module," says Paul Hanley, global head of corporate security.

So while there are varying degrees of involvement of HR in IT, the message seems to be that both functions have to work together.

A very good example of this is the authoring of Acceptable Use Policies (AUPs) where individual companies set the ground rules for use of company networks including email and web use. This is often an area where HR and IT can clash and it has been made more complex recently by the arrival of so-called Web 2.0 applications such as Facebook, Bebo and YouTube. Their popularity in the workplace has made many AUPs out of date. And both IT and HR are under pressure from the top to see time-wasting and indulgent applications banned. But what are the main considerations for HR?

Often part of the problem is that HR is simply not up to speed with the type of threats that exist and how sophisticated the attackers have become. Apart from targeting consumers through 'phishing' (see box, right), a growing number of criminals know that there is money to be made from targeting company employees through more sinister means - blackmail, extortion or even cash for company secrets. All can be done electronically.

Brian Spector, general manager of the Content Protection Group at data protection specialists Workshare, is not complimentary about either IT or HR: "A lot of HR people are floating, with a lack of advice from other departments. But more than any other, HR should be working with IT. HR professionals should know that employee data is confidential. They, more than any other group, are responsible for regulation but are often not given the tools to help them in the decision-making process."

Outsourcing and off-shoring data storage is popular among senior management looking to make savings on IT, and increasingly this will include the most sensitive data held about company employees - bank details, social security numbers, and so on. This data can then be stored off-site. Under the DPA the employer remains the data controller in an outsourcing situation.

Bridget Wood, employment law specialist at Blake Lapthorn Tarlo Lyons, explains: "Companies that outsource their HR functions need to ensure not only that detailed data protection provisions are included in the outsourcing contract but also that the service provider has a formal security function in place and that quality IT security guidance is obtained in relation to the outsourcing contract. The contract itself should ensure all possible technical and organisational measures are there to protect employees' personal data and also set out the employer's right to monitor the service provider's compliance with these obligations."

In short, if your employee records data leaks overseas you are going to take the rap. And it is a real risk. Statistically breaches are likely to happen more, not less, in the future. This, more than any other reason, makes it a good time to develop an HR/IT strategy for protecting employee data. It would also be a good way to stay out of court.

- Paul Fisher is editor of SC, the UK's leading IT security magazine


- Over a quarter of UK workers who use PCs at work (26%) copy data onto mobile devices for work at least once per week, posing a real risk of client information 'going missing'

- 40% regularly use USB sticks for moving data, potentially without awareness of the security threats this poses

- Almost a fifth (18%) reveal their work passwords to at least one other person, showing no understanding of the importance of security

- Over a third (35%) say responsibility for IT security is left up to the individual employee when they are outside the workplace

- Nearly a quarter (21%) of UK workers who use PCs at work say that their organisation's security policy is not communicated very well

Source: Dimension Data 2007


Hacker: Any person who tries to break into a computer system to find and steal information, most often financial details

Malware: Term for software written to attack and harm computer systems

PCI DSS (Payment Card Industry Data Security Standard): Developed by leading card schemes to improve storage and security of credit card details

Pen tester: A person employed to legitimately test the vulnerability of a company's systems to hackers

Pharming: Process whereby users are directed to a lookalike bogus website used to steal individuals' details

Phishing: An attempt to retrieve individual or bank account details by directing individuals to a bogus website that resembles a real bank - see pharming, above

Spyware: An illegal program that captures passwords and other sensitive data

Trojan: A program that a hacker can use to take control of a computer remotely

Worms: Computer viruses that can replicate themselves as they pass round the internet

Zombie: A computer that has been taken over and used to commit attacks on other systems.