Penetration Testing Services Cloud Pentesting Penetration Network Pentesting Application Pentesting Web Application Pentesting Social Engineering February 27, 2023 5 HR Data Security Best Practices An organization’s Human Resources (HR) department oversees some of the most sensitive information, including employee and applicant records. As organizations are moving towards the cloud, the issue of HR data security is as critical as ever. HR professionals must be aware of common security issues related to HR data and coordinate with IT and security teams to guard employees’ sensitive information against ever evolving cyberattacks. The HR department faces similar issues across departments, such as remote working and non-compliance with good security practices. However, some security threats are more specific to the HR department, for example, vulnerabilities in HR management software. Why HR Data Security Is Critical Now Cybersecurity risks are getting worse, resulting in an increasing number of breaches every year. According to the Global Risks Report 2022 from the World Economic Forum, cybersecurity risks are being rendered obsolete due to the increasing sophistication of cybercriminals. According to IBM’s Cost of a data breach 2022 report, the global average total cost of a data breach is $4.35M. This report also finds that stolen or compromised credentials cause 19% of breaches, take longer to identify and cost $150,000 more than the average data breach. Employees’ personal data often receives the least attention when organizations seek to secure their IT assets. However, employees’ and applicants’ personal data is a treasure trove of information for hackers. An organization’s HR department will usually have information such as employee name, address, mobile number, social security number, bank account details, employment history, educational background, information about family members, etc. Once threat actors access this dataset, they can use it for social engineering and breach any organization, including the organization from which it was stolen in the first place. Additionally, this information can be sold on the dark web to other threat actors. When a data breach involves HR data, the impact is not limited to the organization. An organization faces reputational and revenue loss and additional financial damage after public disclosure beyond the initial cost to contain the breach. However, HR data breaches impact individuals too, as they face an increased risk of fraud, impersonation, and identity theft. Employee Data Breaches Can Impact Employees the Most In recent years, the cybersecurity landscape has experienced a new wave of opportunistic cyber criminals who steal PII (Personal Identifiable Information) to sell to any buyers on the dark web. This has led to an increase in cyber attackers whose only focus is scanning the internet to find vulnerable organizations with exposed sensitive data that is worth stealing. These cyber criminals steal the data and quickly make a profit selling it on the dark web. ransomware-as-a-service and initial access brokers, who work together, and have collectively raised the risk requirements for every business with valuable data – spanning from user data, financial data, and company secrets. A breach of employee data not only harms the business externally – as most breaches do. A breach that includes employee data affects retention and morale, as staff are exposed to a set of new risks that could cause personal financial harm, including fraud and identity theft. In the recent The Five Guys incident, the burger empire was hit with a smash-and-grab attack of HR managed data. The hackers accessed the company’s file server and stole job applicants’ personally identifiable information (PII). The extent of affected information included name, social security number, and driver’s license data. Increasing costs and reputational losses from public relations, compliance issues, fines, and potential litigation take years to overcome as a business. In October 2022, the UK’s Information Commissioner (ICO) fined Interserve, an outsourcing and construction company, with a £4.4M (~$5.3M) fine. The company failed to implement adequate security measures in place as the hackers gained access to the personal data of over 113,000 employees through a phishing email. In another case, the leading British newspaper The Guardian confirmed that hackers could access some of its employees’ data due to a ransomware attack in December 2022. The newspaper company termed this incident a sophisticated ransomware attack triggered due to a phishing email. Importance of security compliance for HR data protection The increasing complexity of threats and vulnerabilities will continue to challenge HR systems. These systems are not traditionally categorized in the IT tech stack; however, they have IT requirements for storage and operations. Considering the extent of the types of data available within the HR department, an organization may need to fulfil compliance requirements under multiple laws and regulations. When the California Consumer Privacy Act (CCPA) Was passed in 2018, employment data was exempted from most requirements. With the new California Privacy Rights Act (CPRA) amendments that came into effect on January 01, 2023, many categories of human resource data are now subject to compliance requirements. Covered employers must extend their compliance efforts to employee and human resource data. Employers must notify employees about the types of personal data collected and the purpose for which it will be used. In the event of a security breach, employers must identify the affected employees, and they could be liable for statutory damages. Similarly, the General Data Protection Regulation (GDPR) recognizes employees’ rights over personal data, like any other individual. Organizations must implement reasonable security practices to protect personal data stored with them. In contrast, the Health Insurance Portability and Accountability Act (HIPAA) does not apply to employment records. For instance, HIPAA did not prohibit employers from requesting Covid-19 vaccination certificates from employees. 5 Recommended Best Practices for HR Data Security When taking the initial steps to identify the data that is owned or managed by HR for data security, these are the proven essential requirements needed to ensure HR data security is protected and routinely tested for security and compliance. Implement an HR Data Security Policy It is recommended to implement a dedicated HR Data Security Policy to prevent HR data from being left out from the coverage of organizational security measures. If not, security requirements pertaining to HR data can also become a part of the comprehensive security policy and procedures an organization already has. A dedicated HR data security policy can start with the basics, such as the CIA (Confidentiality, Integrity, and Availability) triad. CIA stands for Confidentiality, Integrity, and Availability. The “Confidentiality” component focuses on preventing unauthorized access to data, while the “Integrity” component deals with accuracy, reliability, and authenticity, i.e., preventing tampering, modifications, or destruction. The “Availability” component ensures that data is available for intended users while being kept confidential with integrity. The security measures can be based on zero-trust architecture. The inherent trust is removed from the network, and every user and system are treated as hostile until they authenticate themselves and gain confidence. The underlying network can be segmented into smaller segments or subnets, each acting as a small network. Network segmentation allows administrators to manage the traffic flow using granular policies efficiently. This can be complemented with threat monitoring and vulnerability management solutions. Threat monitoring refers to continuously monitoring the network and connected endpoints to identify security threats such as intrusions, data exfiltration, etc. Vulnerability management is identifying, prioritizing, managing, and mitigating vulnerabilities in applications, endpoints, and systems. Further, the dedicated policy can include the defense-in-depth approach to cybersecurity. In this approach, organizations implement multiple layers of security measures for the comprehensive protection of HR data. If a threat actor gets through the first layer of defense, they will be contained by the next layer. An example of this approach can be requiring multi-factor authentication for logging into corporate accounts. Maintain Compliance Requirements The HR department has a principal duty to protect employees and the company. In the present times, this means that they must take a different role than what they have done in the past. The first step is to identify the applicable laws and standards to ensure that an organization complies with necessary legal and regulatory requirements. For example, no federal privacy law in the US regulates how personal data is collected and used. However, there are sector-specific and state-specific laws that regulate the personal data of users. State laws may have different requirements when it comes to reporting data breaches. At times, newly introduced state laws may overlap with existing state and federal laws. Similarly, an organization’s liability as an employer may vary for data breaches. Manage Third Party Security Risk An organization’s HR department may use one or multiple vendor software for hiring, human resource management, payroll, attendance management, background checks, and other HR tools. Working with a third-party provider introduces new risks for the organization. A dedicated due diligence process ensures that vendors and suppliers have met the organization’s compliance requirements per GRC (Governance Risk & Compliance) (governance, risk, and compliance) policies for third-party risk management. Read our detailed guidance on third-party risk management here. Continuously Scan for Vulnerabilities A vulnerability scan is a security exercise to identify existing vulnerabilities in an organization’s IT systems. Also referred to as vulnerability assessments, vulnerability scanner tools report their findings against one or more databases of known vulnerabilities. Good vulnerability scanners come with automation capabilities where it is possible to configure and schedule vulnerability scans across different components of IT infrastructure, such as web applications, networks, APIs, etc. Vulnerability scans are usually the first step in understanding the existing loopholes and flaws in an organization’s IT systems that hackers can exploit. Conduct Regular Penetration Testing Penetration testing, or pen testing, is simulated security testing exercise that seeks to exploit the existing vulnerabilities in IT systems. A penetration testing team follows the tactics, techniques, and procedures (TTPs) adopted by the hackers to examine the impact on a business if one or more vulnerabilities were successfully exploited. A pentest can include manual and automated testing exercises for comprehensive coverage. Pen Testing as a Service (PTaaS) has proven to be an excellent option for mid- to large organizations that manage a large amount of HR data. Improve HR Data Security with Pen Testing as a Service HR data security comprises some of the most sensitive data any organization must protect. When taking the necessary steps to improve security posture through vulnerability scanning and penetration testing, businesses can proactively protect their systems with PII data and operate with confidence in today’s security and compliance landscape. To streamline security testing of systems storing sensitive data, including HR data, security leaders can simplify their processes with BreachLock’s Pen Testing as a Service (PTaaS), which combines the power of AI, Automation, and expert, in-house, certified Pentesters, who deliver fast and comprehensive pentests at scale. Schedule a discovery call today to discuss your specific requirements with one of our offensive security experts. Industry recognitions we have earned Tell us about your requirements and we will respond within 24 hours. Fill out the form below to let us know your requirements. We will contact you to determine if BreachLock is right for your business or organization.