Do you know what the number one concern of worldwide businesses is in 2022? You may think it would be supply chain issues, or possibly the threat of natural disasters. But while those did score high in a recent Forbes survey, respondents indicated that their number one concern was cybersecurity.
That’s understandable. Data, especially personal data about applicants or employees, is under greater scrutiny than ever before, and that scrutiny brings new privacy mandates, and new liability risks, for businesses. Meanwhile, reports indicate that 93% of company networks are vulnerable to cyberattacks.
If your business is looking into data security improvements this year, our guide can help you form a plan. Let’s look at how data on employees, customers, and others in the workplace should be protected.
Use Best Practices for Data Storage
Best practices can change quickly in the data security world. Data storage methods that were considered secure only a few years ago can look problematic today, and it’s important to keep track of current recommendations. Current practices typically include:
- Secure servers: If your business uses any kind of cloud storage or server management, servers should be secured using the latest encryption options. Third-party servers should be managed by a licensed company with robust security practices and guarantees for data safety.
- Encrypted local data: If your business holds any employee and applicant data on local hard drives, that data should also be fully encrypted.
- VPNs (Virtual Private Networks): While VPNs aren’t a solution for every business, they can offer many benefits to companies that haven’t yet considered them. A VPN creates a secure tunnel for online activities, so that the connection and the data being used online are encrypted (certain tools and sites can be whitelisted to help speed up tasks). That makes it much more difficult to spy on sensitive personal data in transit. Applicant data in particular tends to move around a lot, both online and offline, as applicant pools are processed, so businesses that frequently deal with applicants may want to consider using a VPN.
- Antivirus software on business computers: This software is a mainstay for data security, and can help detect malware, block ransomware, and manage threats online, among other tasks. Look for antivirus software that is highly rated for business use.
- Reliable partners: Many businesses use third parties to help with the hiring process or to manage payroll. It’s important to choose reliable partners who have updated security practices of their own, no recent data breaches on record, and a good reputation among their users.
When in doubt, it’s a smart idea to arrange for a data audit for your company. An experienced third-party auditor or IT specialist can take a look at your current situation and create a list of priorities to address. Auditors experienced in your particular industry can also provide valuable information on industry standards and any specific requirements that may apply to your company.
Create a Robust Security Policy for All Employees
One of the most vulnerable points for employee data is employee behavior. If employees do not practice proper data security, their data and the personal information of many others could be at risk. Individual employee security will vary depending on the type of company and position, but a strong security policy can always help. Consider covering these important topics:
- Personal device management: It is common for employees to use their personal devices for work tasks. However, this can put their data and sensitive company information at risk: Personal smartphones and similar devices are often targeted by ransomware and malware, and simply downloading the wrong app or clicking on the wrong URL in a text can invite them in. Workplaces should implement strict guidelines for managing work tasks on personal devices and avoid putting company data on unmanaged devices, a practice sometimes called “Shadow IT” because it is so difficult to track. Some companies may benefit by requiring employees to install security apps on their devices, or to handle work tasks only through a specific portal.
- Remote work: Industries around the world have seen a higher adoption of remote work situations. These should come with similar safeguards as when using personal mobile devices. Again, adopting a VPN has become a common strategy to help the flow of private data between work and home.
- Strong passwords: Passwords are a part of daily life, but they need to be robust enough to withstand today’s malware and password-cracking tools. Businesses should mandate that employees use strong passwords of a certain length and combination of characters, and software should be configured to enforce those limits. Businesses may also consider adopting an office-wide password manager that can generate and store employee passwords.
- Two-factor authentication: This additional authentication step should be required whenever employees try to access business data from a new device. It’s an excellent way to deter data theft, because a stolen password alone is no longer enough to log in.
- Bluetooth and Wi-Fi practices: When employees use devices to access business information over Wi-Fi, they should make sure the network is secure, and avoid using public Wi-Fi for business purposes (unless they have enabled a specified VPN, etc.). On business trips, employees should turn off their devices’ Bluetooth when it is not in use.
- Handbooks and training: Finally, security policies like these should be codified in the employee handbook or related materials, and employees should sign that they have read and understood the policy during their training phases.
Review Company-Wide Access Control Measures
“Access control” refers to both physical access (who has access to which rooms, etc.) and digital access, meaning who has access to certain kinds of data, especially personal information about employees and applicants.
If your company has not reviewed data access control, it’s a good step to help improve security. Different levels of access should be given to different position levels, and tailored depending on responsibilities. Entry-level employees, at minimum, should not have access to the in-depth employee information that a manager can review. This type of access control is usually easy to set up with the right IT plan and doesn’t involve extra costs.
Remember, access control should also include plans for when an employee leaves. That means disabling their accounts, resetting shared passwords, and revoking their access rights, as well as taking other measures to ensure there are no lingering vulnerabilities.
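The two access-control ideas above (least privilege by position, and revocation on departure) as a small worked example in Python. This is an added illustration, not code from the original article; the roles, data categories, employee names and dates are constructed for the example.

```python
# Added example (not from the original article): a minimal role-based
# access check for HR data, with access revoked once an employee has left.
# Role names, data categories and the directory entries are constructed.
from datetime import date

# Least privilege by position: each role lists only the data it needs.
ROLE_PERMISSIONS = {
    "entry_level": {"own_record"},
    "recruiter": {"own_record", "applicant_records"},
    "manager": {"own_record", "applicant_records", "team_records"},
    "hr_admin": {"own_record", "applicant_records", "team_records",
                 "payroll_data"},
}

# Constructed directory: account -> role and departure date (ISO string or None)
DIRECTORY = {
    "alice": {"role": "hr_admin", "left_on": None},
    "bob": {"role": "entry_level", "left_on": None},
    "carol": {"role": "manager", "left_on": None},
}


def can_access(user, resource, today=None):
    """True only if the account is active and its role grants the resource."""
    today = date.fromisoformat(today) if today else date.today()
    entry = DIRECTORY.get(user)
    if entry is None:
        return False  # unknown accounts get nothing: deny by default
    left_on = entry["left_on"]
    if left_on is not None and date.fromisoformat(left_on) <= today:
        return False  # departed employees keep no access, whatever their role was
    return resource in ROLE_PERMISSIONS.get(entry["role"], set())


def offboard(user, left_on):
    """Record the departure date; every later access check for the account fails."""
    DIRECTORY[user]["left_on"] = left_on


if __name__ == "__main__":
    print(can_access("bob", "team_records"))    # entry level cannot read manager data
    print(can_access("carol", "team_records"))  # an active manager can
    offboard("carol", "2022-06-30")
    print(can_access("carol", "team_records", today="2022-07-01"))  # revoked
```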
Have a Plan to Investigate Security Incidents
Data theft prevention is always important, but companies should not overlook a plan to deal quickly with security incidents. That includes immediate alerts if it looks like a data breach has occurred, since minutes and sometimes even seconds can make a difference in how much fallout the company has to deal with.
There should also be protocols about how a data breach should be analyzed, who should be notified about the breach, and who the key decision makers are in case of an incident, following any applicable privacy compliance laws or other standards.
Afterwards, a thorough investigation should be required to help understand security vulnerabilities and make sure they are patched properly.
Strengthen Awareness About Phishing Scams
Phishing schemes frequently target employees in attempts to steal vulnerable company data or funds. If an employee falls for a phishing scheme, even the most robust data security can struggle to protect data from poor decisions. Today’s phishing schemes aren’t just emails from foreign princes; they can be sophisticated replicas of official emails from partners and banks.
The best way to deal with phishing is to make sure it’s part of employee training. In some industries, phishing schemes are a regular threat. Companies in these industries should offer regular security updates that keep employees aware of new phishing techniques.
Practice Safe Hard Drive Disposal
Disposing of business computers and hard drives is part of IT end-of-life planning, and should always include a data destruction plan. The challenge is that today’s hard drives are very durable, and even after a drive has been wiped, data can sometimes be recovered. This is why hard drives should never be thrown away casually: Instead, they should be removed from computers and physically destroyed.
In industries where data destruction is mandated, companies should look for hard drive shredding services that can provide documentation that hard drives were successfully destroyed.
Schedule Data Security Reviews
Data security and related threats can change quickly. IT departments or those in charge of security should plan periodic reviews to make sure systems are fully updated, and that any new issues or vulnerabilities are dealt with.
One of the most important elements of a data security plan is education: Both employees and IT specialists need to be aware of the latest compliance requirements and black hat attempts at data theft. One of the best places to start is KnowledgeCity’s course on Information Security for IT professionals, which covers all important elements of global compliance.
Another important resource is the KnowledgeCity guide to Cybersecurity, which includes courses on network architecture, using the right security tools, and how malware works.
If you are looking for a time-saving place to start, download our free guide on how to implement successful training programs for employees.