Top 5 Tips to Incorporate Cybersecurity into Your HRIS
Cybersecurity is a prevalent issue that has received increased attention in many organisations lately. This is no surprise, since it has become a hot topic brought into the spotlight by the significant data breaches of the past few years, some of which happened in Singapore.
With benefits such as lower investment cost, automatic system updates and backups, and the freedom to work from anywhere at any time, many companies are switching to cloud computing, especially for cloud HR systems. The advent of the cloud has brought significant changes to organisations in the past few years. Although it offers many benefits, companies are still hesitant to move their data to the cloud, mainly because of security concerns.
The recent cyber-attacks waged against HR data services firm ComplyRight and talent management platform PageUp prove how employee data remain vulnerable to identity theft even in the era of stricter data privacy rules. The mere existence of such data creates risk: companies that store sensitive employment information, whether through a third-party service or an in-house HR information system (HRIS), become a prized target of cybercriminals. By gaining access to employee names, birthdates, social security numbers, salaries and bank details through HR documents, data thieves can proceed with a number of other system hacks.
In Singapore itself, one of the most recent and worst cyber-attacks occurred in July 2018, when hackers infiltrated the databases of Singapore Health Services (SingHealth): the non-medical personal data of 1.5 million SingHealth patients were stolen, and 160,000 of those patients also had their records of dispensed medicines taken. This incident once again brought public attention to internet security.
How can HR departments ensure their HRIS is safe from hackers?
At the start of an HRIS software implementation, HR and IT managers need to ensure that the nature (and coverage) of the security measures the software vendor will put in place is sufficient for the size and complexity of the organisation. The data management system will also need to comply with the Personal Data Protection Act (PDPA) of Singapore.
For HR teams that rely on an HRIS vendor for cloud hosting services, it is important to check that the service provider not only implements a robust security system but also complies with PDPA rules on how and where to store personal data, and with ISO security policies.
Below are five further tips you may consider:
1. Use Strong Passwords
Passwords are the key to any online platform; however, people tend to use simple passwords, or the same password across multiple accounts. This is convenient, but the convenience comes at the price of your privacy. A common password like “12345”, or simply the word “password”, can be cracked in less than one second. Cyber criminals can then use that account to access your other online accounts. It is essential to use a strong password: one that is long and combines letters, digits and special characters. To stay safe, change this strong password regularly, for example every month.
“Sp1V@19t$” is a good example of strong password.
2. Enable Password Policies
In reality, there is no such thing as an unbreakable password, even when a strong password policy is enforced. Nevertheless, such a policy makes the attacker's job take longer and require more powerful hardware. With the LeapsUP system, an administrator can control password expiry, which enforces how often passwords must be changed. An employee's account is disabled after a number of attempts with an invalid password. The password cannot contain employee personal information such as the employee's name or ID.
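The three controls described above (expiry, lockout after repeated failures, and a ban on personal information in the password) can be expressed as a small policy engine. The following is an added example written for this article; it is not LeapsUP code, and the minimum length, the 30-day maximum age, the five-attempt lockout and the short list of common passwords are assumptions chosen for illustration (a real deployment would use a full breached-password list).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, deliberately short deny-list; real systems check against breached-password data.
COMMON_PASSWORDS = {"12345", "123456", "12345678", "password", "qwerty"}


@dataclass
class PasswordPolicy:
    min_length: int = 8                      # assumption: minimum accepted length
    max_age: timedelta = timedelta(days=30)  # "change every month", as the article suggests
    max_failed_attempts: int = 5             # assumption: lockout threshold

    def check(self, password: str, employee_name: str, employee_id: str) -> list:
        """Return a list of policy violations; an empty list means the password is acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
        if sum(bool(re.search(c, password)) for c in classes) < 3:
            problems.append("needs at least three of: lowercase, uppercase, digits, special characters")
        lowered = password.lower()
        # Reject passwords containing the employee's ID or any part of their name.
        for token in [employee_id] + employee_name.split():
            if len(token) >= 3 and token.lower() in lowered:
                problems.append(f"contains personal information {token!r}")
        if lowered in COMMON_PASSWORDS:
            problems.append("is a commonly used password")
        return problems


@dataclass
class Account:
    employee_id: str
    password_set_at: datetime
    failed_attempts: int = 0
    disabled: bool = False

    def password_expired(self, policy: PasswordPolicy, now: datetime) -> bool:
        """Expiry is enforced by comparing the last change against the policy's maximum age."""
        return now - self.password_set_at > policy.max_age

    def record_login_attempt(self, success: bool, policy: PasswordPolicy) -> str:
        """Apply the lockout rule: too many consecutive failures disable the account."""
        if self.disabled:
            return "disabled"
        if success:
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= policy.max_failed_attempts:
            self.disabled = True
            return "disabled"
        return "rejected"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.check("Sp1V@19t$", "Alice Tan", "E1023"))   # constructed employee details
    print(policy.check("AliceTan2019!", "Alice Tan", "E1023"))
```

The check returns every violation rather than just the first, so the user interface can list all the reasons at once; the lockout counter resets only on a successful login, which is what makes a disabled account require an administrator to re-enable it.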
3. Enable Two-Factor Authentication (2FA)
Two-factor authentication, also known as 2FA or multi-factor authentication, has become more popular, especially in the banking industry; it requires you to confirm ownership of an account by providing two separate credentials. Typically, the user receives a one-time code via email or SMS, or uses an authenticator application such as Google Authenticator or Microsoft Authenticator, as an added verification step. The code changes for every request, so two-factor authentication makes it a lot more difficult to break into your account.
LeapsUP enables 2FA to tighten up security. A separate code is generated by Google Authenticator or Microsoft Authenticator, and employees can then access their personal information safely.
4. Internal Cybersecurity
It cannot be denied that employees can be one of the weakest links in an organisation's cybersecurity, and they are often the source of data breaches. Most cases are unintentional: employees might accidentally email sensitive information or even share an administrator account.
These are not easy to prevent, but with a proper monitoring tool and audit trail, breaches can be identified easily. Here is a sample of a monitoring report that shows which user performed a given task.
Aside from this, a system provider that complies with ISO 27001 is formally audited to ensure that it:
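An audit trail is only useful if someone actually reviews it. The following added example (not code from LeapsUP or Frontier e-HR) shows the two checks that correspond to the problems mentioned above: an administrator account being shared, detected as logins from different addresses within a short window, and a bulk export of employee records. The JSON-lines audit log, the field names, the 10-minute window and the 100-record threshold are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail entries (JSON lines); not from any real HRIS.
SAMPLE_AUDIT_LOG = """\
{"ts": "2018-07-20T09:01:12", "user": "hr_admin", "ip": "10.0.0.5", "action": "LOGIN"}
{"ts": "2018-07-20T09:02:30", "user": "j.tan", "ip": "10.0.0.9", "action": "LOGIN"}
{"ts": "2018-07-20T09:03:40", "user": "hr_admin", "ip": "192.168.7.22", "action": "LOGIN"}
{"ts": "2018-07-20T09:05:02", "user": "hr_admin", "ip": "192.168.7.22", "action": "VIEW_PAYROLL", "employee_id": "E1023"}
{"ts": "2018-07-20T09:05:40", "user": "j.tan", "ip": "10.0.0.9", "action": "VIEW_PROFILE", "employee_id": "E0301"}
{"ts": "2018-07-20T09:07:15", "user": "hr_admin", "ip": "192.168.7.22", "action": "EXPORT_EMPLOYEES", "records": 480}
{"ts": "2018-07-20T14:10:00", "user": "m.lee", "ip": "10.0.0.14", "action": "LOGIN"}
{"ts": "2018-07-20T14:12:00", "user": "m.lee", "ip": "10.0.0.14", "action": "EXPORT_EMPLOYEES", "records": 12}
"""


def parse_audit_log(text: str) -> list:
    """Parse JSON lines into event dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_shared_accounts(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Flag an account that logs in from more than one IP address within `window`."""
    logins = defaultdict(list)
    for event in events:
        if event["action"] == "LOGIN":
            logins[event["user"]].append((event["ts"], event["ip"]))
    findings = []
    for user, entries in logins.items():
        entries.sort()
        for i, (ts, ip) in enumerate(entries):
            others = {o_ip for o_ts, o_ip in entries[i + 1:]
                      if o_ts - ts <= window and o_ip != ip}
            if others:
                findings.append({"type": "shared_account", "user": user,
                                 "ips": sorted({ip} | others), "at": ts.isoformat()})
                break   # one finding per account is enough for the report
    return findings


def find_bulk_exports(events: list, threshold: int = 100) -> list:
    """Flag exports that pull more records than a single HR task plausibly needs."""
    return [{"type": "bulk_export", "user": e["user"], "records": e["records"],
             "at": e["ts"].isoformat()}
            for e in events
            if e["action"] == "EXPORT_EMPLOYEES" and e.get("records", 0) >= threshold]


def who_did(events: list, action: str) -> list:
    """The attribution question the article's report answers: which users performed this task?"""
    return sorted({e["user"] for e in events if e["action"] == action})


def review(text: str) -> list:
    events = parse_audit_log(text)
    return find_shared_accounts(events) + find_bulk_exports(events)


if __name__ == "__main__":
    for finding in review(SAMPLE_AUDIT_LOG):
        print(finding)
```

Both checks depend on the audit trail recording the source address and a record count for each action, so those fields are worth confirming in the vendor's logging before relying on the report.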
- Systematically examines the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts.
- Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
- Adopts an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.
We are proud to announce that Frontier e-HR is ISO 27001 certified, ensuring that our customers' business security risks are well managed.
5. Use Encryption for Confidential Data
Last but not least, encryption is an important and effective way to ensure that data is protected from unwanted breaches. A simple example is the employee password, which is encrypted and safely stored in the database. Even IT or system administrators are not able to see the clear-text password. A system with unencrypted passwords is like leaving the business's door unlocked: it compromises corporate business data and makes the company an easy next target for hackers.
Password to employee: “Sp1V@19t$”
Password stored in database: “!@#$# ($&(@#*&!*@$(W@#$”