If you attended the recent CIPD Annual Conference at Manchester Central on 6th and 7th November, you may have listened to a talk from our very own CEO and Co-Founder, Jason Dowzell, who discussed how you can encourage your employees to be security-savvy.
If you missed it you can download the slides by completing this short form:
Jason covered some important aspects of data security in HR, including system passwords, phishing and social engineering, and how each can be used to breach your sensitive data.
What is sensitive data?
Firstly, to be security-savvy we need to understand what sensitive data actually is. In short, it is personal data: any data relating to a living individual who can be identified from it, which in HR includes financial data such as bank and credit card details.
Why is data security important for HR?
HR departments usually hold an abundance of sensitive data about employees, and it becomes their responsibility to protect the confidentiality, integrity and availability of that data. A data breach can have serious consequences, including:
- Diminished company reputation
- Non-compliance with data protection laws (the GDPR)
- Fines – up to €20m or 4% of global annual turnover, whichever is higher
- Potential job losses or prison sentences
Are there any fines pending?
Yes, the Information Commissioner’s Office (ICO) is currently investigating British Airways over a cyber incident disclosed in September 2018, in which traffic to the BA website was diverted to a fraudulent site. Around 500,000 customers’ details were harvested by the attackers.
The ICO has issued a notice of intent to fine BA £183.4m (about 1.5% of its annual turnover). Ouch!
Value of sensitive data on the black market
The big five – date of birth, Visa card credentials, credit card details, NI number and bank account number – each have a price on the black market.
Strangely, Visa credentials are the lowest value, because the window in which they can be used is very short thanks to improvements in banks’ fraud controls. On the other hand, your bank account number is by far the most valuable piece of data, at £230.
Next time you’re on the train and you’re giving out your bank account number over the phone, be careful who may be listening.
| Data item | Black-market value |
| Date of birth | £8.50 |
| Credit card with a magnetic strip | £9 |
| Bank account number | £230 |
Ways data can be leaked
Although the news headlines may make you believe that data is only ever leaked by online hackers, in reality it can leak in many ways:
- System failures
- Employee carelessness
- Denial of service (DoS) attacks, which hit the availability of your data rather than its confidentiality
- Misuse of resources: email, internet, phone
- Physical risks
- Viruses or spyware
- Use of unlicensed software
[Infographic: The biggest data breaches of the 21st century]
Precautions you can take to prevent a data breach
HR professionals can implement many measures to ensure that sensitive data isn’t leaked from the company. Some precautions are easier to implement than others and carry more weight, for example stronger passwords or keeping your PC updated.
Here is a full list of precautions:
- Create strong, unique passwords, and change them as soon as you suspect they have been exposed rather than on a fixed schedule (current NCSC guidance)
- Keep your PC and its software updated, installing security patches promptly
- Don’t leave sensitive data on desks
- File data securely
- Shred documents if necessary
- Lock your PC whenever you’re away
- Don’t uninstall security software
- Block suspect sites
- Back up data
- Don’t share office door codes
- Only allow expected visitors entry to your building
- Ensure every visitor signs in
- Block USB storage devices and other easy ways of copying data out
- Report all incidents early to your data protection officer
A ‘strong’ password is your best defence against data breaches
You probably know this already: almost every website, system and even your mobile phone asks for a password or passcode to keep your data secure.
But what many don’t know is what actually constitutes a strong password.
The most important factor is the length of a password. The longer the better, especially if it is made of three or more random words. To make that password even stronger you can mix in uppercase and lowercase letters, as well as symbols (such as @, ! or #).
It’s also important never to use the same password on more than one site, never to write it down where others can see it, and to change it as soon as you suspect it has been exposed (forced regular changes tend to produce weaker, more predictable passwords).
The most secure password
As mentioned, length is the most important factor when creating a secure password. In theory every password can be cracked given enough guesses; the question is how long those guesses take, and for some passwords the answer is seconds.
Here are some examples and their theoretical time to crack:
| Password | Theoretical time to crack |
A fundamental mistake that many employees make when choosing a password is using a common phrase, or reusing a password from another login, simply because it is easy to remember.
Using only the 20 most common passwords below (the percentages are the share of accounts using each one, and they add up to 10.4%), an attacker has a 10.4% chance of guessing an account’s password in just 20 attempts.
| Rank | Password | Share of accounts | Rank | Password | Share of accounts |
| 1 | 123456 | 4.1% | 11 | login | 0.2% |
| 2 | password | 1.3% | 12 | welcome | 0.2% |
| 3 | 12345 | 0.8% | 13 | loveme | 0.2% |
| 4 | 1234 | 0.6% | 14 | hottie | 0.2% |
| 5 | football | 0.3% | 15 | abc123 | 0.2% |
| 6 | qwerty | 0.3% | 16 | 121212 | 0.2% |
| 7 | 1234567890 | 0.3% | 17 | 123456789 | 0.2% |
| 8 | 1234567 | 0.3% | 18 | flower | 0.2% |
| 9 | princess | 0.3% | 19 | passw0rd | 0.2% |
| 10 | solo | 0.2% | 20 | dragon | 0.1% |
Passwords such as ‘solo’ or ‘football’ are topical, tied to recent film releases or major sporting events. It’s best practice not to choose passwords based on current events, because attackers add exactly these words to the wordlists their cracking tools try first.
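The reasoning above (length dominates, and a common password falls in a handful of guesses) can be made concrete. The following Python script is an added example, not code from the page or from Natural HR. It checks a candidate password against the page’s top-20 list, then estimates how long exhaustive guessing would take at two rates. The guess rates (10 per second for a throttled online login form, 10^11 per second for a leaked fast hash on a GPU rig) and the dictionary sizes used for the three-random-words case are assumptions, not figures from the talk.

```python
"""Estimate how hard a password is to guess.

Added example, not from the page or the talk. Guess rates and dictionary
sizes are assumptions; the common-password list is the page's top-20 table.
"""
import math
import string

# The 20 most common passwords from the table above (constructed from the page).
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345", "1234", "football", "qwerty", "1234567890",
    "1234567", "princess", "solo", "login", "welcome", "loveme", "hottie",
    "abc123", "121212", "123456789", "flower", "passw0rd", "dragon",
})

# Assumed guess rates (guesses per second), not figures from the page:
#   online  - a login form that throttles or locks after a few attempts
#   offline - a leaked fast hash (e.g. unsalted MD5/SHA-1) on a GPU rig
GUESS_RATES = {"online": 10.0, "offline": 1e11}


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_space(password: str) -> int:
    """Candidates an attacker must try to exhaust alphabet^length."""
    return charset_size(password) ** len(password)


def passphrase_space(word_count: int, dictionary_size: int) -> int:
    """Candidates for `word_count` words drawn at random from a dictionary."""
    return dictionary_size ** word_count


def expected_seconds(space: int, rate: float) -> float:
    """On average the right guess turns up halfway through the search space."""
    return space / 2 / rate


def human_time(seconds: float) -> str:
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


def assess(password: str) -> dict:
    """Policy check: reject common passwords, enforce length, then estimate crack time."""
    if password.lower() in COMMON_PASSWORDS:
        return {"accept": False, "reason": "one of the top-20 most used passwords"}
    if len(password) < 12:
        return {"accept": False, "reason": f"only {len(password)} characters; 12+ required"}
    space = brute_force_space(password)
    return {
        "accept": True,
        "bits": round(math.log2(space), 1),
        "online": human_time(expected_seconds(space, GUESS_RATES["online"])),
        "offline": human_time(expected_seconds(space, GUESS_RATES["offline"])),
    }


if __name__ == "__main__":
    for pw in ["football", "Password", "Football2018!", "correct horse battery staple"]:
        print(f"{pw!r}: {assess(pw)}")
    # Three random words from an assumed 7,776-word list (Diceware-sized) and a
    # 100,000-word list, against the offline rate.
    for words in (7776, 100_000):
        secs = expected_seconds(passphrase_space(3, words), GUESS_RATES["offline"])
        print(f"3 random words from {words:,}: {human_time(secs)} offline")
```

Run it and note the gap between the two rates: a 12-character mixed-case password with symbols holds up against both, while three words from a small word list survive only because online logins are throttled. The length advice therefore only works in full if the system behind the login also stores passwords with a slow hash and rate-limits attempts.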
What is a phishing attack?
Phishing is an email (or text message) crafted to get you to follow a link, open an attachment or reply with information the sender wants, such as a password or account number.
Phishing attacks will happen often and as an HR professional, you need to ensure that the employees in your company abide by a few simple tasks to maximise email security. These are:
- Only open email that you need for your job
- Transmit sensitive data via approved methods i.e. NOT unencrypted email
- Don’t open email attachments in unexpected emails, even if it’s from someone you know
- Only keep data locally for as long as is necessary to process
- Use work email for business only
- Delete any spam straight away
- Don’t circulate jokes, videos, letters, hoaxes etc
- Don’t click on links in an unsolicited email
Before opening any email, always ask yourself…
- Am I expecting this?
- Does it make sense?
- Would they send this to me?
- Look for attachments and links
- Why now?
Even if the email looks legitimate, it may not be. Phishing attacks can be clever and very convincing. Here are a few examples:
How to avoid phishing attacks?
Don’t click on any links from unknown senders and even from a known sender, use caution.
Only ever communicate personal data over the phone to a known contact, or through a secure site. The padlock icon in your browser’s URL bar only tells you the connection is encrypted, not that the site is genuine, so check that the domain name is the one you expect before typing anything in.
Never give out your PIN or password because an email asks for it. Banks and other legitimate organisations will never ask for this information that way.
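To show what “check where the link actually goes” looks like in practice, here is an added Python example; it is not code from the page or from Natural HR. It pulls every link out of an HTML email and flags the warning signs discussed above: visible text that shows one domain while the link points at another, a trusted name buried inside an unrelated domain, a raw IP address, a punycode host, and plain http. The sample email and the trusted-domain set (hr.example) are constructed for the example, and the two-label “registrable domain” rule is a simplification that ignores the public suffix list.

```python
"""Flag suspicious links in an HTML email.

Added example with constructed input; not the page's or Natural HR's code.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains the organisation's real systems live on (not from the page).
TRUSTED_DOMAINS = {"hr.example"}

# Something that looks like a hostname inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores the public suffix list."""
    return ".".join(host.split(".")[-2:])


def suspicious_reasons(href: str, text: str) -> list:
    """Return the reasons a link deserves a second look (empty list if none)."""
    reasons = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {url.scheme!r}")
    elif url.scheme == "http":
        reasons.append("plain http (no padlock, no server identity at all)")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host (possible look-alike characters)")
    domain = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and domain != trusted:
            reasons.append(f"contains {trusted} but really belongs to {domain}")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(0).lower()) != domain:
        reasons.append(f"text shows {shown.group(0)} but link goes to {host}")
    return reasons


def scan(html: str) -> list:
    """Extract every link and attach its reasons; a clean link has an empty list."""
    parser = LinkExtractor()
    parser.feed(html)
    return [{"href": href, "text": text, "reasons": suspicious_reasons(href, text)}
            for href, text in parser.links]


# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """
<p>Your payslip is ready to view:
   <a href="https://hr.example.payroll-login.test/reset">https://hr.example/login</a></p>
<p>If the link does not work, <a href="http://192.0.2.10/doc.zip">download the attachment</a>.</p>
<p>Questions? Visit our <a href="https://hr.example/help">help centre</a>.</p>
"""

if __name__ == "__main__":
    for link in scan(SAMPLE_EMAIL):
        flag = "!!" if link["reasons"] else "OK"
        print(flag, link["href"], "->", "; ".join(link["reasons"]) or "no concerns")
```

The first link in the sample is the classic trick: the text reads https://hr.example/login, and the host even begins with hr.example, but the part that matters (the registrable domain) is payroll-login.test. Hovering over a link in a mail client shows the same href this script reads.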
Preventative action against social engineering
Firstly, social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain.
To prevent social engineering, never give out your password, PIN or account number over the phone, even if you’re asked for it – especially if you didn’t initiate the conversation. If you didn’t initiate the contact, offer to call them back through an externally verifiable number.
If you or one of your employees is on the phone and communicating sensitive data, always be aware of your surroundings as you never know who may be listening in.
Never be afraid to say ‘no’. This can be one of your most effective ways of ensuring data security.
The web is no different and there are measures you can take to heighten your data security:
- Only access websites you need to perform your job
- Be cautious about entering personal data on website forms
- Use different passwords for personal accounts and downloaded software from those you use for key business systems
- Don’t post sensitive data on social accounts
- Avoid installing software unless necessary for your job and you understand the licensing agreement
- Log internet usage to flag potential threats or repeat offenders
- Never download screensavers, games or other executable files (.exe, .vbs, .com)
- Only give personal data to sites with a valid SSL/TLS certificate (the padlock next to the URL), and remember the padlock only proves the connection is encrypted, so check the domain name as well
To summarise, here is how HR can encourage employees to be security-savvy:
- Use common sense!
- Treat all data as if it were about you or your family
- Only access systems you’re authorised to
- Only access data you need to do your job
- Only share sensitive data with others on a ‘need to know’ basis
- Only send data outside of your network using approved means of protection
- Always report incidents no matter how small
- Review your current processes to make sure they don’t pose a risk
Remember, you can download Jason’s slides covering data security in HR by completing the form below.
To understand more about how you can encourage your employees to be security-savvy, feel free to contact us or follow us on our social media channels.
Ensure you have the right HR system in place to manage your sensitive data. Natural HR’s core HRIS will secure your employee data in a single place, make data entry faster and more secure as well as allowing only relevant users access to the information they need to do their jobs. To see Natural HR in action, request a demo today.