Cyber risks for human resources
July 15, 2014
What are they and how can we prevent them?
It was reported on July 9 that Chinese hackers broke into the computer networks of the United States government agency that houses the personal information of all federal employees in March, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances.
The hackers gained access to some of the databases of the Office of Personnel Management before the federal authorities detected the threat and blocked them from the network. It is not yet clear how far the hackers penetrated the agency’s systems, in which applicants listed their foreign contacts, previous jobs, and personal information like past drug use.
Thankfully, incidences like this are not widespread, according to Lance Henderson. But, they are still risks that are worth preparing for, especially for those in human resources.
Henderson, Head of Sales and Relationship Management for the Zurich Employee Benefits Network, says that human resources departments and benefits administrators have access to lots of personal employee information that could potentially be a target for hacking.
“Everything is digitalized now,” he says. “So, information like social security numbers, bank routing numbers, and additional data is being gathered as employees are offered more benefits and services that are non-contributory or can be purchased through the employer via payroll deduction. Then that information is often relayed to third parties or other service providers. There’s a lot of data going from the employee to employer to third party providers. So there are a lot of opportunities for hacking.”
What’s scary is, according to the Harvard Business Review, most breaches take time to discover — usually months rather than weeks, and sometimes longer, as seen in this month’s incident.
But, there are ways to help prevent an attack. Henderson recommends having password protection and limiting the amount of people who have access to personal employee information.
But this event has sparked curiosity in the topic. What are other cyber risks you should be aware of? And how else do you protect your HR database? Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, is addressing this and other key points at the Strategic Global Workforce Management Forum in New York. He is speaking on cyber risks in general, as brought forth by The Atlantic Council and Zurich Insurance earlier this year, but also the impact this could have on HR.
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.