Although improvements in the latest technology are mesmerizing, hacking and data breaches are becoming ever more likely. With cybersecurity taking over a majority of HR’s time, various companies are looking toward security strategies that do not require as much human interaction. Read this blog post from SHRM to learn more about cybersecurity powered by artificial intelligence (AI).
As hackers grow ever more inventive and data privacy laws are enacted around the globe, HR leaders are faced with the challenge of protecting and storing sensitive HR data but not curtailing employees’ ability to use that data to make timely workforce decisions.
But there may not be enough cybersecurity colleagues to call upon for advice and technical assistance, which compounds those challenges. Approximately 65 percent of companies reported a cybersecurity staff shortage last year, according to the 2019 Cybersecurity Workforce Study conducted by (ISC)², an international nonprofit association for IT professionals. As a result, more companies are turning to security strategies that don’t require human intervention, such as cybersecurity powered by artificial intelligence (AI) that can proactively monitor and neutralize new kinds of cyberthreats.
New Strategies for More-Sophisticated Attacks
Research suggests that concerns over data security are occupying more of HR leaders’ time and resources. The 2019-2020 Sierra-Cedar HR Systems Survey found a 17 percent increase from the prior year’s survey in the number of respondents deploying cybersecurity strategies, with 70 percent of HR organizations reporting they have and regularly update such a strategy. That’s good news, because the FBI reported receiving 350,000 complaints of Internet crimes in 2018, a rise of 23 percent over five years. Those crimes caused an estimated $2.7 billion in financial losses.
Security experts say the loss of sensitive data like payroll information, Social Security numbers and notes from internal investigations or employee assessments has implications far beyond the HR department.
“When HR systems are breached, it goes beyond the personal data stolen, because HR is central to so many processes across the organization,” said Corey Williams, vice president of marketing and strategy at Idaptive, a cybersecurity firm in Santa Clara, Calif. “HR systems are the starting point for much of the access employees have throughout the organization. HR data doesn’t sit on an island like other data, and when you have vulnerabilities at the HR level, you’re exposing the entire enterprise to wider attacks.”
AI-powered security tools represent a new approach to combating threats to HR data. While not a cure-all, these technologies can protect against malicious attacks driven by automated malware and have capabilities, such as pattern recognition, that can identify suspicious behavior and block potential problems or threatening online traffic in real time.
To protect against insider threats, whether malicious or from workers not following sound security practices, some AI-based cybersecurity tools can be trained to learn employees’ behaviors when using corporate networks. Research shows that such threats are a growing problem. Insiders caused 48 percent of reported data breaches in organizations in 2019, according to a recent benchmark study from Cambridge, Mass.-based Forrester Research, up from 26 percent of total data breaches in 2015.
More companies are adopting “zero trust” policies that feature a “never trust, always verify” approach to network access or identity authentication and employ tools like multifactor authentication (MFA). MFA is a way to confirm user identities through at least two different factors. In the last year, according to the Sierra-Cedar survey, large organizations increased their use of MFA by 20 percent, and approximately 55 percent of small organizations reported using MFA for HR applications.
Williams said stolen or weak user credentials are still the top cause of data breaches in organizations. “We’ve seen growing sophistication in the way passwords and credentials get stolen,” Williams said. “That includes malware, hackers writing more convincing phishing e-mails that get employees to click on harmful links and other approaches. Companies have found that depending on passwords alone for access is becoming untenable.”
Balancing Security with the User Experience
HR leaders have to strike a balance between taking the right data-security measures and ensuring employees can still use HR networks and software in efficient and user-friendly ways—a balance that ideally won’t make the workforce feel excessively monitored or handcuffed when using technology.
“Security is often viewed as a teeter-totter, where you are either increasing data security or you are improving the user experience with technology,” Williams said. “But it doesn’t have to be an either-or scenario.”
For example, employees who typically access the same corporate networks or applications in the same fashion likely don’t need additional security oversight, but someone accessing that same system from a country he’s never been to before and with a different device would need more controls.
“We’re seeing more innovation in applying security tools to separate high-risk from low-risk system access,” Williams said.
HR leaders also can help enhance security by encouraging their companies to re-evaluate user access policies, experts say. “As people work for a long time in companies, they tend to accumulate access to systems, and that access doesn’t necessarily get taken away as they move up or around a company,” Williams said. “Employees are often ‘over-provisioned’ in terms of their access to sensitive data in systems, which can create increased vulnerability for companies.” Automated processes tied to the life cycle management of employees can ensure system access is changed or removed as people change roles in a company, he said.
James Graham-Cumming, chief technology officer for Cloudflare, a cybersecurity company in San Francisco, said being more judicious in granting data access is a wise but sometimes overlooked security strategy. “It’s not uncommon for CEOs or other senior leaders in a company to have access to all or most corporate systems because they simply feel a need for that access,” Graham-Cumming said. “Yet these are more-visible or even public figures who are often targets for hacking. The reality is your C-suite or vice presidents may not need access to all of your systems.”
Managing Vendor Risk
Data security and privacy threats can grow as HR functions add more technology platforms to their ecosystems and create more integrations with third-party providers. A recent study by research and advisory firm Gartner found that because human capital management systems are built to integrate with many third-party services—such as LinkedIn, for example—those integrations can expose organizations to risk through “misconfigurations” that result in unintentional data leakage. Depending on the level of integration, problems with security in vendor systems can open the door for attackers, the Gartner study found, as was the case with the retailer Target in 2014.
Security experts say HR leaders should ensure vendors have best-practice data security and privacy protocols in place, such as MFA, in addition to passing an external Service Organization Control, or SOC, 2 audit, which confirms they’re in compliance with recommended practices for data security, processing integrity, ensuring privacy and more.
Jared Lucas, chief people officer with the cybersecurity firm MobileIron in San Francisco, said security-related employee training also is more important than ever as malware grows more sophisticated, phishing attacks increase and bad actors use AI-powered methods to hack corporate systems.
“Effective, regularly updated training in what to look for and what to be wary of can close a lot of holes in a company’s data security strategy,” Lucas said.
SOURCE: Zielinski, D. (10 February 2020) “How Next-Gen Technology Can Keep HR Data Safe” (Web Blog Post). Retrieved from https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/next-gen-technology-can-keep-hr-data-safe.aspx