Employers are concerned with finding employees they can trust. What they might not consider is how much trust an employee has to put into their employer. From the initial application to the final exit paperwork, an employee might entrust their employer with hundreds of personal details. Social Security numbers, financial account numbers, private medical records, information about their children and spouse – all of this personal identifiable information sits in the employer’s filing cabinets and servers, only protected from thieves by whatever security measures the employer puts in place. With cybersecurity threats becoming more sophisticated all the time, employers have to be proactive about protecting their workers’ data.
Restrict Access to Personal Identifiable Information
To minimize the chance that an employee’s information will be made vulnerable to theft, minimize the number of people who have access to this information. This may mean doing a thorough assessment of how internal documents are handled, and of how you refer to employees internally.
There are a lot of questions to ask when assessing your current information security procedures. For example, are employee Social Security numbers used for anything other than legally required purposes, such as tax reporting? Even using partial SSNs as employee ID numbers needlessly exposes this sensitive data. How many people are involved in the onboarding and payroll processes? From an IT standpoint, how is access to digital personnel files restricted? Would a single password get an unauthorized person past the security measures protecting those files, and if so, how many people know that password?
Assess Physical Safeguards
While there are currently plenty of potential threats to your company’s digital information security, your data’s physical safety is as important as ever. It takes a cyber-savvy person to hack your files, but anyone can grab a thumb drive off of an unstaffed desk. In a busy office, workers may let physical security measures slip over time – filing cabinets are inadvertently left unlocked overnight, paper files are left out on desks when people run to the bathroom, and so on. So even if you already have policies around securing physical data, it’s important to frequently monitor how well they’re being followed.
For example, are doors leading to secure areas being propped open when they should be locked? Do HR employees leave sticky notes with sensitive payroll information on their desks or computer monitors? Are obsolete devices and files kept in locked storage until they’re destroyed? How many people have keys to locked storage, and where are those keys kept?
Choose Destruction as a Disposal Method – For Everything
Data thieves can do a lot with a little bit of someone’s personal identifiable information. That’s why every scrap of paper that has any personal data should be shredded instead of thrown away or recycled. The same is true for any device that has the capacity to store data. This includes hard drives, thumb drives, discs, employee ID badges and access cards. Even the hard drives from old copy machines should be destroyed; they can retain images of the files that they previously scanned.
Shredding and data disposal companies may even let you witness your files and devices being shredded, and provide logs with serial numbers of any devices that are destroyed. Those records may be useful if you ever need to prove that you’ve appropriately disposed of certain items.
Create Comprehensive Policies With Real Consequences
Employees will generally work with you to protect everyone’s information if they understand your expectations and the repercussions for failing to meet them. To that end, have you created and shared clear policies around sensitive information and data security? Have your security policies been recently updated and distributed to everyone? Security policies may clarify guidelines around using personal devices for work, removing sensitive documents from the workplace, updating passwords, etc. They may also include a document retention policy that establishes timeframes for how long sensitive files must be kept, ensuring that the company is not keeping more personal data on hand than is strictly necessary.
Furthermore, have you established a roadmap for actually enforcing those policies? How will an employee be reprimanded or retrained after violating a given policy? These are some of the questions to think about when reviewing your current procedures.
Establish Breach Protocols
Even with layers of security measures in place, mistakes happen. Part of crafting a comprehensive data security policy is establishing the procedures that will follow a data breach. If a worker’s personal identifiable information is ever exposed, ideally that lapse will be discovered quickly so your company can take proactive steps to minimize fallout. Do employees know who to contact to report a potential breach? Who will that person contact next? Are employees allowed to make anonymous breach reports? What will the workforce be told when a breach happens? Will the employer offer credit monitoring to any affected employees? Employees may be rightfully concerned when their data is exposed, and will look to the company for clear answers.
Is your company doing everything it can to maintain technology and information security in the workplace? There’s a lot more to learn about this topic, and a lot of employers have questions. Join our upcoming webinar, The Intersection of HR & Information Security, on Wednesday, March 25 at 1:00 PM EST. Our team is always here to help with all of your hiring questions; contact us today.