If securing your employees' personally identifiable information (PII) is top of mind for your organization, the following discusses where vulnerabilities can occur and what you can do to limit your company's exposure. Cloud computing is quickly becoming the de facto standard for many HCM solutions. Ensuring your service providers have ample security built into those systems is just one step in protecting your employees against many of the latest scams, including criminals filing fraudulent employee 1040 returns with the IRS and identity theft. The continued stories coming from employers reinforce the need to be proactive in protecting employee information. There are many things you can do as a company to ensure your employee information is secure. These include:
Multi-factor authentication
This is a fancy term that basically requires the user to enter multiple pieces of information before the system grants access. The most common form requires the user to enter a code sent to the user's mobile device via a standard text message. Other systems allow the user to "grant access" from an app installed on their mobile device or even use a thumbprint from the device. This approach ensures that access to critical systems is not compromised simply by someone having a user name and password.
Many systems are smart enough to know when the user is accessing the system from a new device or even a new geographic location. When login attempts are made from untrusted locations, the system can require the user to provide additional information in order to validate the user's identity. We see this today when we log in to our mobile banking accounts from a new computer. Many of these systems present one or more security questions to the user that were likely completed during the creation of the account. They may ask who your childhood best friend was, what your high school mascot was, or something similar. Additionally, systems can oftentimes detect when a user is accessing the system outside of their home area. This could be from a different network connection location (e.g. a coffee shop), city, state and, most commonly, a different country. Certain countries have a reputation for hacking attempts and are therefore often flagged when access is attempted from them.
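As an added illustration of the step-up logic described above (example code written for this article, not Integrity Data's product code), the following decides whether a login whose password was already correct should be allowed, challenged with a second check, or refused. The device identifiers, country codes and the deny list are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed sample policy: countries from which the organization refuses logins outright.
DENIED_COUNTRIES = {"ZZ"}


@dataclass
class UserProfile:
    """Devices and countries this user has previously verified a login from."""
    trusted_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


def evaluate_login(profile: UserProfile, device_id: str, country: str) -> tuple:
    """Return ('allow' | 'step_up' | 'deny', reasons) for a password-valid login.

    'step_up' means the user must pass an extra check (one-time code,
    security question) before access is granted.
    """
    if country in DENIED_COUNTRIES:
        return "deny", [f"country {country} is on the deny list"]
    reasons = []
    if device_id not in profile.trusted_devices:
        reasons.append(f"unrecognised device {device_id}")
    if country not in profile.usual_countries:
        reasons.append(f"unusual country {country}")
    return ("step_up" if reasons else "allow"), reasons


def complete_step_up(profile: UserProfile, device_id: str, country: str) -> None:
    """After the user passes the extra check, remember the device and country
    so the same context does not prompt again."""
    profile.trusted_devices.add(device_id)
    profile.usual_countries.add(country)


if __name__ == "__main__":
    alice = UserProfile(trusted_devices={"laptop-01"}, usual_countries={"US"})
    # Constructed sample login attempts: (device, country)
    for dev, ctry in [("laptop-01", "US"), ("phone-07", "US"), ("phone-07", "US"), ("laptop-01", "ZZ")]:
        decision, why = evaluate_login(alice, dev, ctry)
        print(dev, ctry, decision, why)
        if decision == "step_up":
            complete_step_up(alice, dev, ctry)
```

Rerunning the same device/country pair after a completed step-up is allowed without a prompt, while a deny-listed country is refused regardless of device.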
One of the easiest controls to implement, albeit among the most frustrating for many users, is requiring users to periodically change their password and requiring that the password contain multiple character types (i.e. uppercase, lowercase, numbers and/or special characters). These requirements can make it difficult for users to remember their password on an ongoing basis. As such, IT departments must ensure they have a good process in place for resetting forgotten passwords.
Education (employee and management)
Having a culture that emphasizes security is one of the best things an organization can do to protect confidential information. This includes reminding users not to write down passwords and that there are nefarious individuals and organizations whose sole goal is to get information from them. I have heard the stories where someone purportedly received a call from the "IRS" indicating that the electronic W-2 file was corrupted and they needed to send it again via email ASAP, otherwise they would be penalized for late filing. Now, many of us understand that this is likely not a legitimate request and should be ignored. But these schemes do work on a percentage of those who are solicited. Taking the time to remind employees to be suspicious of any request for PII will greatly mitigate the risk of a security breach.
Create privacy and security policies
Taking the time to document privacy policies as well as security policies will help employers think through the possible vulnerabilities in the systems and processes.
Secure access to storage devices
Ensuring that only authorized individuals have access to locations with physical storage media is critical. In addition, ensuring the stored data is encrypted is a great option. This ensures that if someone walks out of your place of business with a discarded or stolen storage device, the data on the device is protected. Having a policy that keeps sensitive information off of users' computers is a great practice as well.
In summary, security should be top of mind for all businesses. One breach of sensitive information can have long-lasting and far-reaching implications for organizations and their employees. Integrity Data takes this topic very seriously, as our systems store millions of individuals' sensitive information. We have a comprehensive security policy in place and continue to look for ways to protect the information of our users. To that end, we encourage the users of our system to take the time to enable multi-factor authentication for their Google and Microsoft accounts. See below for more information on reviewing your Google and Microsoft account security settings.
Now is a good time to review your security settings
Reviewing your security settings is always a good idea, whether you use Google authentication or Windows Live ID authentication to access the cloud version of our ACA Compliance Solution. Since Gmail accounts from Russian, German and Chinese email providers have had their login credentials compromised, this remains a hot topic. Our Client Engagement Manager, Tom Franz, recommends:
- Changing your passwords on a regular basis
- Gmail and Windows Live ID users enabling the 2-step verification process for added protection
- As a start, Gmail users performing a "Security Checkup"
Customers using Windows Live IDs to authenticate should review their security settings here