Minimizing Data Breaches for HR Software

Pace Morgan staff consultants work with Information Security teams every day, and the conversation often turns to the risk to HR data and the effort HRIS software vendors make to prevent system breaches. The results are varied and interesting.

Even with VPN encryption, tunnels, malware and virus protection, intrusion detection services and more, breaches can still take place. Although HR software vendors work to bulletproof their software for added safety, the end customer certainly has responsibilities as well to minimize their risk. Many that we spoke with consider that encryption at the software level is not their biggest risk. The chance of a hacker cracking the data encryption exists, but that is not the easiest way into HR data for bad actors. Even the Department of the Fed can’t crack those codes alone without the help of third parties. There are many simpler entry points.

What can you expect from HR software vendors to secure the Back Door? One of two things, not often both. Some maintain compliance certifications and others provide a performance guarantee. That guarantee, however, does not displace the importance of Cybersecurity Business Insurance.

[Chart: HR software vendor comparison]

Notwithstanding these protections, you can take every precaution possible to prevent Back Door break-ins, but more often than not the real exposure is not the Back Door but rather the Front Door, via your log-in procedures and your data/system access policies. Your users are often looking to simplify their logins and feel they already have too many passwords to remember easily. It is often up to the employer’s Information Security team to set the rules, not the software vendor. At the very least, consider these options:

  • Password History Limitations – disallow reuse of old passwords. With this policy, you discourage users from alternating between several familiar passwords.
  • Maximum Password Age – determines how long users can keep a password before they have to change it. The aim is to force users to change their passwords periodically.
  • Setting Complexity and Length Requirements – stricter than the basic password and account policies.
  • Consider Biometrics in conjunction with Single Sign-On (SSO) technology – SSO simplifies the management of employee passwords and places full control in the hands of your IT staff. SSO can also override possible weaknesses in systems with less secure password technology.
  • Institute strict desktop Log-Off Procedures – including auto log-off after 5 minutes of inactivity.
  • Provide Users with the Minimum Data Access Privileges – provide exactly what they need to conduct their day-to-day business and nothing more.
  • Hire Staff Responsible for Overall Information Security – for larger organizations, a Chief Information Security Officer; for smaller organizations, bring on a consultant who can thoroughly analyze your existing processes and implement improvements where recommended.
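The first five controls above (history, maximum age, complexity and length, and the idle log-off timer) can be expressed as a small policy engine that an HR application or identity layer would call when a user sets a password or touches a session. The following Python is an added example written for this article, not code from Pace Morgan or from any HR software vendor. The 5-minute idle timeout comes from the list; the 14-character minimum, 24-password history depth, 90-day maximum age and PBKDF2 iteration count are assumed values chosen for illustration and should be replaced by your own policy.

```python
"""Password and session policy checks (added example; all thresholds except
the 5-minute idle timeout are assumptions, not values from the article)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 14                      # assumed
HISTORY_DEPTH = 24                   # assumed: current + previous passwords blocked
MAX_AGE = timedelta(days=90)         # assumed
IDLE_TIMEOUT = timedelta(minutes=5)  # from the article's log-off recommendation
PBKDF2_ROUNDS = 200_000              # assumed


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored history cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current_hash: bytes = b""
    history: list = field(default_factory=list)   # hashes of previous passwords
    last_changed: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def complexity_errors(password: str) -> list:
    """Length and character-class rules; returns a list of violations (empty = ok)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        errors.append("fewer than three character classes")
    return errors


def reuses_old_password(user: UserRecord, candidate: str) -> bool:
    """History check: candidate must differ from the current and stored old hashes."""
    h = hash_password(candidate, user.salt)
    previous = ([user.current_hash] if user.current_hash else []) + user.history
    return any(hmac.compare_digest(h, old) for old in previous)


def password_expired(user: UserRecord, now: datetime) -> bool:
    """Maximum-age rule."""
    return now - user.last_changed > MAX_AGE


def set_password(user: UserRecord, new_password: str, now: datetime) -> list:
    """Apply all rules; on success rotate the hash into history and return []."""
    errors = complexity_errors(new_password)
    if reuses_old_password(user, new_password):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    if user.current_hash:
        user.history.insert(0, user.current_hash)
        del user.history[HISTORY_DEPTH - 1:]   # keep current + (DEPTH-1) old hashes
    user.current_hash = hash_password(new_password, user.salt)
    user.last_changed = now
    return []


def session_idle_expired(last_activity: datetime, now: datetime) -> bool:
    """Auto log-off rule: idle for the full timeout means the session is over."""
    return now - last_activity >= IDLE_TIMEOUT


def run_demo() -> dict:
    """Walk one constructed user through the rules; passwords here are made up."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    user = UserRecord()
    out = {}
    out["first_set"] = set_password(user, "Correct-Horse-Battery-9", t0)
    out["reuse_same"] = set_password(user, "Correct-Horse-Battery-9", t0 + timedelta(days=1))
    out["weak"] = set_password(user, "password", t0 + timedelta(days=1))
    out["rotate"] = set_password(user, "Another-Strong-Pass-42", t0 + timedelta(days=30))
    out["reuse_after_rotate"] = set_password(user, "Correct-Horse-Battery-9", t0 + timedelta(days=31))
    out["not_expired_after_30_days"] = password_expired(user, t0 + timedelta(days=60))
    out["expired_after_100_days"] = password_expired(user, t0 + timedelta(days=130))
    out["idle_4min"] = session_idle_expired(t0, t0 + timedelta(minutes=4))
    out["idle_5min"] = session_idle_expired(t0, t0 + timedelta(minutes=5))
    return out


if __name__ == "__main__":
    for rule, result in run_demo().items():
        print(f"{rule}: {result}")
```

The history check stores only salted PBKDF2 hashes, never the old passwords themselves, and compares with `hmac.compare_digest` so a reuse check cannot leak timing information. Keeping the timestamps explicit (`now` is passed in rather than read from the clock) makes the age and idle rules testable and keeps them consistent when the policy engine runs on a server in a different time zone from the user.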

At Pace Morgan we can help you implement these steps, either by identifying full-time hires for the Chief Information Security Officer (CISO) role or by providing consultants to do analysis and penetration testing. Taking these and other internal steps, in conjunction with your system vendor’s security processes, will help provide the highest level of security possible for your critical HR information.