It seems like every day a new data breach is in the news. In fact, there have been 1,140 data breaches in the United States so far this year (that’s 3.75 incidents per day), according to the Identity Theft Research Center. With this pace, it’s hard not to think about cybersecurity and what we can do to protect ourselves and our data. For HR professionals, who are responsible for a tremendous amount of employee data, keeping data secure must seem daunting, if not overwhelming.
As a cybersecurity professional for more than two decades, I understand the challenge. The good news is that a simple change in mindset can go a long way toward keeping HR data secure, particularly when it comes to health benefits data. To do this effectively, cybersecurity must become more than a checklist of best practices and industry standards — it must include an ongoing conversation about risk management.
Today, HR and benefits managers have countless digital tools at their fingertips, making it easier than ever to purchase, deploy, integrate, administer, and measure a wide range of employee benefit solutions. Many of these are digital health solutions that have great potential to deliver healthcare navigation and change the employer and employee healthcare value equation. But, with all of these new apps, programs, and services come additional concerns about employee data privacy and security.
Employers are responsible for ensuring their employees’ personal data and health information remain safe throughout their employee benefits and health programs. That means HR and benefits managers not only help their company and employees get the most value from all of these innovative HR and digital health solutions, but also actively manage cyber risk and protect employee information.
The good news is that the threats we see today are not that much different from threats 25 years ago when I began my career. The only difference is the scale — the number of endpoints has multiplied because each employee has a laptop, smartphone, and other devices, like fitness trackers. That’s why it’s important to practice good cyber hygiene. And HR leaders — who manage a company's administrative systems, hold large amounts of employee data, and handle onboarding of new employees — should play a big role in this.
Good cyber hygiene may start with a checklist to ensure compliance with best practices and industry standards, but it can’t end there.
To actively manage risk, HR leaders and health benefits professionals should keep three principles top of mind:
1. All data is not equal.
Many organizations provide the same amount of protection for their public information as they do for their private information, such as financial reporting data, intellectual property, and especially personal health information or other personally identifiable information. Treating all of these types of information the same way is not cost effective, and it does nothing to manage the risk of losing the data that actually matters.
Instead, organizations should know the types of data they hold and define the level of protection appropriate to each. Knowing where and how this data is stored, and how it moves across the enterprise, is just as crucial. The mobility of data today is a blind spot for many organizations, which makes the data very difficult to protect. For this reason, data protection models need to let the protection travel with the data itself, so that it does not depend solely on existing access control systems.
2. Patching, patching, patching.
If a tree falls in the forest, and no one is there to hear it, does it make a sound? Evidence suggests that too often organizations are not even aware of the vulnerabilities that lead to security breaches. The Verizon Data Breach Report of 2016 revealed that, of all detected exploits, most targeted vulnerabilities dating as far back as 2007.
In fact, vulnerabilities dating to 2003 still account for a significant portion of successful attacks on software. The top 10 known vulnerabilities, from all years, accounted for 85 percent of successful exploits. We're not talking about being a little late with patching. We're talking about persistent neglect.
3. Something you have and something you know.
Identity is the one security control that has always mattered most in computer security defense; it underpins physical controls, firewalls, security domains, realms, and virtual networks. A single compromised login password that can access one or more environments is the easiest path to bypassing every other security control. Passwords are a single point of failure and a considerable risk to our ecosystems.
We have been poking around the edges of the proverbial keystone in our security architectures, first by adding complexity to passwords and then by adding single sign-on to the mix. To implement real security that reduces risk, organizations can implement two-factor or multi-factor authentication.