According to a recent national data privacy survey conducted by email security vendor Egress, 83% of security professionals said they believe employees have accidentally exposed data at their organization. Some of the most common accidents cited include forwarding sensitive data to the wrong email address and sharing attachments with hidden content that should have been removed. In most cases, these breaches are compounded by the data not having been encrypted before it was shared.
You have a legal and moral obligation to keep employee information safe. Here is how to safeguard your data.
1. Establish internal protocols
The first step to protecting your employees’ information is identifying where and when you interact with the data. Map out these touchpoints and track how records, documents and files flow through your organization. You will also want to define:
- How long and where documents are stored
- When and how documents are destroyed
Establishing privacy and security policies for anyone handling this data is just as important. In addition to ensuring all laws are followed, you will want a firewall separating those with access to the information from those without.
- Protect your network: Firewalls and anti-virus software are a must. You should also consider segregating networks. Employee information could be stored on a separate server and reached only over a secured network segment.
- Protect all portable devices: All devices on which data are stored should be encrypted. This includes portable devices like tablets, cell phones and laptops. It should also include portable storage devices like USB drives.
- Protect your data: Any data stored on your systems should also be encrypted. This makes it unintelligible to anyone without the keys needed to decrypt the information, and it provides you with a second or third layer of protection.
You may also want to take advantage of secondary verification or multifactor authentication. This requires users with access to the system to provide a password and a second form of authentication, which gives yet another layer of protection.
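To make "a password and a second form of authentication" concrete, here is an added example (not code from the original article or from Egress) of a login check that verifies a salted password hash and then a time-based one-time code of the kind an authenticator app produces. The TOTP routine follows RFC 6238 with SHA-1 and 30-second steps; the user record layout, the `login` function and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 200_000   # assumed work factor; tune to your hardware
TOTP_STEP = 30            # RFC 6238 default time step in seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt is generated if none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the given Unix time."""
    counter = struct.pack(">Q", for_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + i * TOTP_STEP), code)
        for i in range(-window, window + 1)
    )


def login(users: dict, username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass; an unknown user fails without revealing why."""
    user = users.get(username)
    if user is None:
        return False
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False
    return verify_totp(user["totp_secret"], code, now)


# Constructed sample user directory for the illustration (not real credentials).
_salt, _digest = hash_password("correct horse battery staple")
USERS = {
    "hr.manager": {
        "salt": _salt,
        "pw_hash": _digest,
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    }
}

if __name__ == "__main__":
    now = 1111111109
    print("login ok:", login(USERS, "hr.manager", "correct horse battery staple", totp(b"12345678901234567890", now), now))
```

In a real deployment the password digest and the TOTP secret would live in a database with restricted access, and the secret would be provisioned to the user's authenticator app once, out of band.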
2. Educate employees about security protocols
Anyone with access to employee information should be intimately familiar with internal security policies and procedures. Be transparent about security risks and how you safeguard against them.
Training should include general instruction about phishing, social engineering and other attacks that target employee information. Be sure to educate employees on how to choose a secure password or provide access to software that will assign them a random password.
And, don’t forget, you are only as strong as your weakest link. Training should be ongoing, and no one should ever take employee data security for granted. If anyone violates protocol, discipline should be quick and serious.
3. Keep files confidential
Access to employee data should be limited to only those people with a business need. Experts recommend limiting access to human resources management and benefits administrators. Unless it is necessary for an individual to perform their job, employees should not have access to other employees' information.
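The "business need" rule above is easiest to get right when the system denies by default and writes down every decision. The following is an added example (not from the article) of a role-based check over employee records: HR management and benefits administrators get the permissions the text describes, a staff member may read only their own record, and any role without an explicit entry gets nothing. The role names, permission strings and audit-log shape are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Role(Enum):
    HR_MANAGER = auto()
    BENEFITS_ADMIN = auto()
    STAFF = auto()
    IT_SUPPORT = auto()   # deliberately has no entry below: deny by default


# Explicit grants only. Anything not listed here is denied.
PERMISSIONS = {
    Role.HR_MANAGER: {"employee_record:read", "employee_record:write"},
    Role.BENEFITS_ADMIN: {"employee_record:read", "benefits:read", "benefits:write"},
    Role.STAFF: set(),   # self-service access is handled separately in authorize()
}


@dataclass
class User:
    name: str
    employee_id: str
    roles: set


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def authorize(user: User, action: str, target_employee_id: str, audit: AuditLog) -> bool:
    """Return True only for an explicit grant; record ALLOW/DENY either way."""
    own_record = target_employee_id == user.employee_id
    self_service = own_record and action == "employee_record:read"
    role_grant = any(action in PERMISSIONS.get(role, set()) for role in user.roles)
    allowed = self_service or role_grant
    audit.entries.append((user.name, action, target_employee_id, "ALLOW" if allowed else "DENY"))
    return allowed


def denied_attempts(audit: AuditLog) -> list:
    """Denied requests are what a reviewer wants to look at first."""
    return [e for e in audit.entries if e[3] == "DENY"]


# Constructed sample users for the illustration.
HR = User("hr.manager", "E100", {Role.HR_MANAGER})
BENEFITS = User("benefits.admin", "E200", {Role.BENEFITS_ADMIN})
ALICE = User("alice", "E300", {Role.STAFF})
HELPDESK = User("helpdesk", "E400", {Role.IT_SUPPORT})

if __name__ == "__main__":
    log = AuditLog()
    authorize(ALICE, "employee_record:read", "E100", log)   # DENY: someone else's record
    authorize(ALICE, "employee_record:read", "E300", log)   # ALLOW: her own record
    authorize(HELPDESK, "employee_record:read", "E300", log)  # DENY: no grant for IT_SUPPORT
    for entry in log.entries:
        print(entry)
```

Keeping the grant table small and explicit is the point: adding a role means adding a line, and a role that nobody thought about cannot read anything by accident.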
Similarly, any access to human resource systems or employee databases must be password-protected. Make sure passwords are strong and difficult to guess. You can pick something that is relevant to you personally, or use a software tool that selects a random password for you.
And, while it should go without saying, never access employee data or human resource information systems on a public computer. You do not want anyone to trace your browsing history and gain access to the site, and you also do not want anyone looking over your shoulder or snapping a picture of your login credentials.
If you have questions about safety measures that may be taken, talk to your broker or benefits adviser. They can help you design and implement security protocols that protect your employees’ data.