Recent high-profile cyber breaches and strict data protection rules, such as the introduction of the General Data Protection Legislation (GDPR) in Europe, have caused many companies to sit up and begin to assess their internal security procedures and the data they hold. The focus has primarily been on customer data and the risk associated with a breach of customer data, which of course is very important for a business and largely applies in the B2C world. One area that seems to be overlooked, however, is protecting the data belonging to your employees.
In the words of Richard Branson, “Clients do not come first. Employees come first. If you take care of your employees, they will take care of the clients.” Employers all over the world store and process sensitive data belonging to their employees on a daily basis for HR, Finance and Payroll functions. Data such as names, addresses, email addresses, dates of birth, phone numbers, bank account details, tax identification numbers, medical records and other personal data are held in every company worldwide. This data is becoming increasingly valuable on the dark web. When preparing for GDPR and carrying out internal audits on the customer data held, companies must also factor in the valuable data belonging to employees. This includes the internal processes for storing, managing and protecting employee data and, most importantly, who in the organization has access to employee data and why.
These principles apply whether a company outsources its payroll function or manages it in house; it is this function of the business that primarily holds critically important sensitive data belonging to employees. If outsourcing, it is the responsibility of the organization to vet the payroll vendor/supplier and to ensure that the vendor has the correct measures and controls in place to protect employee data from a breach.
When discussing employees and sensitive data we must also look at the very real risk of insider threats, both malicious and unintentional. One of the largest threats to an organization when it comes to cyber-crime and security breaches is its own employees; one study by Gartner found that:
- 62% of breaches involved employees looking to establish a second stream of income from their employers’ sensitive data
- 29% stole information on the way out the door to help future endeavors
- 9% were saboteurs
In recent months we have seen many examples of high-profile breaches that were the result of employee actions, such as the case of Allied Irish Bank, reported in August 2017, where an employee mislaid documents while traveling between branches for a meeting. The lost data affected 500 customers and included names, balance details, fee information and internal codes. Another recent breach is the case of Equifax, announced in September this year; in this case the cause was a failure by IT staff to keep software up to date and to install security updates in a timely manner. A study by Mimecast revealed that 45% of IT executives say malicious insider attacks are one of the risks they are most unprepared for.
Breaches such as those at AIB and Equifax suggest that companies are not investing in educating their employees on the handling of sensitive data, leading employees to make negligent decisions. Cyber education needs to be integrated into your business strategy, and all employees of the business need to be involved.
Cyber education should be a top-down initiative. Employees should be educated on potential threats, such as malicious outsiders gaining access through phishing emails, but also on the organization’s policies and procedures for handling sensitive data belonging to both employees and customers. Lack of education and non-compliance results in employees opening the doors to dangerous activity. To find out more about how Payslip’s Global Payroll Management Software helps protect the sensitive data of employees, book a demo of our software today.