If you attended the recent CIPD Annual Conference at Manchester Central on 6th and 7th November, you may have listened to a talk from our very own CEO and Co-Founder, Jason Dowzell who discussed how you can encourage your employees to be security-savvy.
If you missed it you can download the slides by completing this short form:
Jason covered some important aspects regarding data security in HR, including system passwords, phishing and social engineering and how they can breach your sensitive data.
What is sensitive data?
Firstly, to be security-savvy, we need to understand what sensitive data actually is. In short, it’s any data that relates to a living individual who can be identified or financial data such as bank and credit card details.
Why is data security important for HR?
HR departments usually hold an abundance of sensitive data for employees and it becomes their responsibility to protect the availability and integrity of this data. Any data breaches will cause huge implications such as:
Diminished company reputation
Non-compliance with data protection laws (the GDPR)
Fines – up to €20m or 4% of global turnover
Potential job losses or prison sentences
Are there any fines pending?
Yes, the Information Commissioner’s Office (ICO) is currently investigating British Airways relating to a cyber incident in September 2018, where user website traffic was diverted to a fraudulent site instead. This resulted in a data breach where 500,000 customers’ details were harvested by the attackers.
The penalty?
Potentially a £183.4m (1.5% of turnover) fine. Ouch!
Value of sensitive data on the black market
The big five – date of birth, visa credit card credentials, credit card details, NI number and bank account numbers all possess an associated value on the black market.
Strangely, visa credentials are the lowest value, due to a very short timeframe that they can be used due to improvements with the bank’s security processes. On the other hand, your bank account number is by far the most valuable piece of data at £230.
Next time you’re on the train and you’re giving out your bank account number over the phone, be careful who may be listening.
Date of birth
£8.50
Visa credentials
£3
Credit card with a magnetic strip
£9
NI number
£23
Bank account number
£230
Ways data can be leaked
Although the news headlines may make you believe that the only way data can be leaked is through online hackers, in reality, data can be leaked in many ways.
System failures
Employee carelessness
Denial of service (DOS) attacks
Fraud
Misuse of resources: email, internet, phone
Physical risks
Espionage
Viruses or spyware
Use of unlicensed software
The biggest data breaches of the 21st century
Precautions you can take to prevent a data breach
HR professionals can implement many measures to ensure that sensitive data isn’t leaked from the company. Certain precautions are more easily implemented and can carry more weight, for example, stronger passwords or updating your PC regularly.
Here is a full list of precautions:
Create strong passwords and change them often
Update your PC regularly
Don’t leave sensitive data on desks
File data securely
Shred documents if necessary
Lock your PC whenever you’re away
Don’t uninstall security software
Block suspect sites
Back up data
Don’t share office door codes
Only allow expected visitors entry to your building
Ensure every visitor signs in
Block USBs and easy data sharing
Report all incidents early to your data protection officer
A ‘strong’ password is your best defence against data breaches
This may be something that you already know as almost every website, system or even a mobile phone may ask you for a password or passcode to keep your data secure.
But what many don’t know is what actually constitutes a strong password.
The most important factor is the length of a password. The longer the better, especially if it’s three words or more. To make that password even stronger you can mix in uppercase and lowercase letters, as well as symbols (such as @, ! or #) too.
It’s important to remember to change it regularly, never write it down and don’t use the same password on multiple sites.
The most secure password
As mentioned, password length is the most important factor when creating a secure password. However, theoretically, all passwords can be cracked, but some much sooner than others.
Here are some examples and their theoretical time to crack:
Password
Theoretical time to crack
examples
5 secs
examples1
42 mins
examples1@
1 month
Examples1@
6 years
Ex4mple$1@
6 years
twoeasyexamples
1,000 years
A fundamental mistake that most employees will make when it comes to choosing a password is using a common phrase or using the same password from other login details just because it’s easy to remember
Potentially, hackers have a 10.4% chance of guessing a password in just 20 attempts.
1. 123456
4.1%
11. login
0.2%
2. password
1.3%
12. welcome
0.2%
3. 12345
0.8%
13. loveme
0.2%
4. 1234
0.6%
14. hottie
0.2%
5. football
0.3%
15. abc123
0.2%
6. qwerty
0.3%
16. 121212
0.2%
7. 1234567890
0.3%
17. 123456789
0.2%
8. 1234567
0.3%
18. flower
0.2%
9. princess
0.3%
19. passw0rd
0.2%
10. solo
0.2%
20. dragon
0.1%
Passwords such as ‘solo’ or ‘football’ will be topical in relation to recent film releases or major sporting events. It’s best practice not to choose passwords based on recent events as hackers will ensure these are factored into their algorithms.
What is a phishing attack?
Phishing is trying to get you to follow a link and provide information to the sender like a password or account number.
Phishing attacks will happen often and as an HR professional, you need to ensure that the employees in your company abide by a few simple tasks to maximise email security. These are:
Only open email that you need for your job
Transmit sensitive data via approved methods i.e. NOT unencrypted email
Don’t open email attachments in unexpected emails, even if it’s from someone you know
Only keep data locally for as long as is necessary to process
Even if the email looks legitimate, it may not be. Phishing attacks can be clever and very convincing. Here are a few examples:
Example one:
Example two:
How to avoid phishing attacks?
Don’t click on any links from unknown senders and even from a known sender, use caution.
Only ever communicate personal data via the phone (if it’s a known contact) or secure sites (look out for the padlock icon in your web browser’s URL bar).
Never give out your PIN or password when an email asks for it. Banks etc will never ask for this information.
Preventative action against social engineering
Firstly, social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain.
To prevent social engineering, never give out your password, PIN or account number over the phone, even if you’re asked for it – especially if you didn’t initiate the conversation. If you didn’t initiate the contact, offer to call them back through an externally verifiable number.
If you or one of your employees is on the phone and communicating sensitive data, always be aware of your surroundings as you never know who may be listening in.
Never be afraid to say ‘no’. This can be one of your most effective ways of ensuring data security.
The web is no different and there are measures you can take to heighten your data security:
Only access websites you need to perform your job
Be cautious about entering personal data on website forms
Use different passwords for personal or downloaded software to your key business systems
Don’t post sensitive data on social accounts
Avoid installing software unless necessary for your job and you understand the licensing agreement
Log internet usage to flag potential threats or repeat offenders
Never download screensavers, games or other executable files (.exe, .vbs, .com)
Only give personal data on sites with a SS certificate (padlock next to the URL)
To summarise how HR can encourage their employees to be security-savvy
Use common sense!
Treat all data as if it were about you or your family
Only access systems you’re authorised to
Only access data you need to do your job
Only share sensitive data with others on a ‘need to know’ basis
Only send data outside of your network using approved means of protection
Always report incidents no matter how small
Review your current processes to make sure they don’t pose a risk
Remember, you can download Jason’s slide covering data security in HR by completing the form below.
To understand more about how you can encourage your employees to be security-savvy, feel free to contact us or follow us on our social media channels.
Ensure you have the right HR system in place to manage your sensitive data. Natural HR’s core HRIS will secure your employee data in a single place, make data entry faster and more secure as well as allowing only relevant users access to the information they need to do their jobs. To see Natural HR in action, request a demo today.
