With more and more of our personal data stored in the cloud, the issue of HR data security is as critical as ever. Businesses must be able to reassure employees that their data – social security numbers, banking details, home address, etc. – is secure. For the business itself, cyber-attacks remain a threat, often exacerbated by the leap in remote and hybrid working arrangements resulting from the COVID-19 pandemic.

In recent years, some of the biggest potential threats to your data security have been the growing use of mobile applications and BYOD practices, and the lack of user awareness of cyber threats. And then there’s the matter of complying with the growing body of data-related legislation, such as the EU’s General Data Protection Regulation (GDPR). Those issues are not going away but in 2023, looking forward, these are not the only issues that should be on your ‘watch list’…
Data protection laws worldwide

On the subject of the EU’s GDPR legislation, it may have been first but it wasn’t the last. Other legal frameworks mandating the safeguarding of personal data are emerging around the world. Examples include Brazil’s LGPD (General Personal Data Protection) law and California’s Consumer Privacy Act. The clear implication is that one by one, the world’s legal jurisdictions are putting protective measures in place. More and more, an HRMS will need to manage multiple legal frameworks in its data security compliance.
External partners

According to recent research, by 2025, up to 60% of organizations will decide who to collaborate with based on the level of cyber security risk they present. This isn’t to label all potential partner organizations a risk, but it does mean a likely demand for more rigorous assessments when an organization looks to outsourcing services as an option.

This same principle also applies to large-scale corporate changes, such as investment, mergers and acquisitions, or engaging with third party suppliers (in other words, you can also expect to see cyber security become a more important factor when selecting new HRMS platforms and suppliers).
Ransoms

Ransomware attacks – where a cyber attacker hacks a business’s systems and shuts them down contingent on payment of, well, a ransom – have been on the increase throughout 2021. Partly, according to some experts, because the victim companies are paying up, thus encouraging more lucrative attacks. Protection against ransomware is therefore a rising issue. But the pressure is two-sided: not only are attackers targeting your systems, but you could be penalised legally if you pay.

Another prediction is that by the end of 2025, 30% of governments will have implemented legislation regulating ransomware payments, fines and negotiations.
The Internet of Things

Connecting physical devices, systems and other mechanisms via the internet makes for better and easier control. But that connection is also a vulnerability. An outside attack on such operational technology (or OT) systems is not only potentially harmful to the business, it is an attack on the physical environment and as such, represents a potential physical threat to employees and customers by means of the internet. While such threats tend to make the news when they are against larger-scale operations managing public services (such as the unsuccessful attempt against Florida water treatment plant last year) any organization of reasonable size carries its own vulnerabilities – think about how your air conditioning is controlled… or your security access systems.
Remote and hybrid working arrangements

As the pandemic continues, so remote and hybrid working becomes less of an emergency measure and more of a ongoing arrangement that employees expect to be able to access in the future. With more and more employees accessing their employer’s systems (including HRMS) from home, so the security issues increase. A recent study by Tenable and Forrester noted that 74% of employers have experienced cyber attacks linked to vulnerabilities in technology used for remote working. Three main risk factors were identified: migration to the cloud, extension of the software supply chain, and a lack of visibility into employee’s remote home networks.

And naturally, the commercial and HR-related security threats in recent years have not gone away.
Previous HR security threats over recent years include:
Digitalization

It’s an accepted feature of our world that what was once stored using paper and ink is now to be found in digital form. The benefits of cheap storage and easy access are many, but digitalisation also carries risks. A recent global survey by Kasperksy found that ‘easy access’ also means more accidental publication or deletion, and also opens the door to deliberate data theft. As an indication, the survey found that 37% of people have, “accidentally accessed the confidential information of their colleagues, such as salaries or bonuses at work.”
Biometrics

In the battle against time theft and buddy punching, biometric time clocks are a winner. However, biometric technology also ‘creates’ a great deal of data; personal data such as fingerprints, voiceprints, retinal patterns, the shape of a hand or ear, or simply facial images. All of which has the potential to be lost or stolen, and then used in unintended ways. Not to mention the detailed inclusion of biometric data in the EU’s GDPR.
Cyber attacks

In a sense, HR is particularly susceptible to cyber attacks. Dealing with recruitment alone, HR teams receive emails from unknown sources, containing unverifiable attachments (usually resumes, but…). A recent Europol report noted that phishing (attempting to steal data or install malware in order to hold the victim’s data to ransom) is the most common form of cyber attack in the EU. Linking to the above issues around losses of personal data, it’s exactly that kind of data that can be used to make a phishing attack seem less dubious when received.
5G

2019 saw the rolling out and expansion of 5G networks around the globe. The improved data transmission speeds enabled by 5G mean we’ll be seeing a massive increase in coming years in the number of connected Internet of Things devices – potential weak links in the data security chain. Furthermore, the increasing network involvement in our daily lives (from location-specific weather reports to finding a parking spot) means more data gathered and stored.
Insiders

The so-called insider threat is always present; the risk that a disgruntled (or just bad-intentioned) employee will use their system access to steal data. The likelihood is that this will lead to greater monitoring of workforces as a precaution and that, in turn, must be balanced against the negative effects of intruding on employees’ privacy.
Bring Your Own Device (BYOD)

As the tidal wave of mobile use is accompanied by the desire for individuality and personal device use, organisation’s implementing BYOD programs are tackling increased security issues. Security of information up- or downloaded on the move is always a concern but when that data might include payroll and benefits data it is particularly sensitive. The devices may vary from user to user but the security policy and protocols should not.

Guide: five ways HRMS helps you get more out of your HR data
Mobile applications

With mobile come applications and a constant flow of data to and from the internet and the cloud. The latest startup collaborative HR app may offer unparalleled functionality and speed but how proven is its HR data security; apart from anything else, just where is it storing your data? This issue is certainly exacerbated by a BYOD approach and in-house policies might want to consider whether a list of ‘banned apps’ is worth having; and if is, how will it be monitored and enforced.
Compliance

Even if the data is safe from hacking and cyber attacks, another risk is non-compliance with the local legislation (and multi-national operations may have to consider different and even conflicting laws). One example is the U.S.’s Health Insurance Portability and Accountability Act (HIPAA) which demands native encryption on any device that holds relevant data.
Risk of litigation exposure

Another risk beyond simple data loss or theft is the fact that once information is mislaid, you may be subject to legal action from the employee whose data it was. The organization (usually through HR) has a duty of care to safeguard employee privacy and that includes HR data security.
Lack of awareness

The biggest risk is always human error and that particular factor is greatest when your users are unclear about the true danger of HR data loss. As an indicator, a 2014 Ernst & Young annual information security survey found 30% of respondents didn’t see security as an important issue when it came to smartphones and other devices. Once respondent was quoted as saying, “The weakest element in information security is the human factor. As a result, we are constantly improving the awareness programs and introducing new security instruments.” Put simply, lack of awareness = lack of care = loss of HR data security.

In short, the potential data security threats remain, for all the technological advancements of the past decade, a blend of hardware risk, software misuse and human error. Ignore any of these elements at your peril.