Protecting Your Virtual HR Files
The ability to computerize personnel records has proven to be a big help to businesses of all kinds. The opportunity to convert mountains of paper into compact, searchable computer files has let businesses and government save time and money, as well as providing better service to their employees.
But for many businesses, these records are the most sensitive information they harbor. Their other operations may include little or no personal data, but personnel records carry a great deal of potentially damaging information. Social security numbers, contact information, banking records for direct deposit, and so much more could ruin an employee's life if it fell into the wrong hands.
As is often the case, our ability to store things in a new way outpaced our ability to secure them in their electronic locations, and of course, the hackers are always a half-step ahead.
A good electronic protection system is critical. When this information goes offsite to the Cloud, you may need scalable virtualization security to keep everything protected. As long as you properly maintain your security system, it will do its job.
And while this is largely a technology issue, there is a human element as well. Ultimately, every hack and intrusion is conducted by human beings somewhere, either by cyber criminals or by people on the inside of your organization.
Handling that human element is what separates good security from poor security. An effective system will help you track some key information about who is seeing your HR records.
Who Should See Them
There are people who need to know what's in your personnel records, and then there are people who do not. People in a supervisory role have a reason to be viewing the evaluations of employees within the company, of course; but a person's colleagues have no reason to access that information--at least, no legitimate reason to access it.
A security system will keep you apprised of what areas of your storage are being accessed and who is accessing them. If unauthorized personnel is seeing files they shouldn't see--either deliberately or recklessly--you have a situation that you need to handle.
How Often They Should See Them
Along with the identity of users, you need to monitor the frequency of their access. Someone in payroll can be expected to view W-2's and other income-related information, but since these often do not change for many years, there is no reason for them to be repeatedly accessed.
Why is this an issue? Repeated access to the same employee's records--or simply to the area where multiple employee records are stored--is a sign that the user could be gathering information about the workers for inappropriate reasons. This may include identity theft, corporate espionage, or even to blackmail an employee about a potentially embarrassing confidential disciplinary action.
What They Do With Them
Because many personnel records are multiple pages long, a hacker or errant employee couldn't necessarily do that much damage with an occasional glimpse here and there. Things like employee evaluations, in particular, are largely in narrative format, so a few lines here or there aren't necessarily a problem.
But when files are downloaded, copied, renamed, shifted around, and so forth, that's the time when something may be going on. And when your system alerts you to this type of file activity with no justifiable reason, it's time to take action.
The savings associated with the heavily-computerized management of personnel files are clear. There's no reason to let fear propel you back into a paperwork mess that costs money, takes up space, and gets ruined with the first water leak or fire. The important thing is to keep records properly secured in their virtual file drawers so that the risks they present are properly managed.
