Email encryption is an important privacy and security measure to take for any profession that involves sending sensitive data via email. If you work in human resources, though, you need to be extra vigilant.
HR professionals wear numerous hats. The joke is that you’re the staff therapist, referee, cheerleader, disciplinarian — and that’s before you get into the mountains of paperwork for which HR managers are responsible. Between offer letters, tax documents, endless insurance documents, worker’s comp forms and direct deposit forms, the HR department is a vault full of the personal identification data that hackers and cyberthieves find irresistible.
Never was that more obvious than when Sony was hacked in 2014. Not only did the cyberattack expose embarrassing conversations and leak invaluable intellectual property, but it also exposed sensitive HR data pertaining to Sony employees, including celebrities and plenty of everyday, out-of-the-spotlight workers. That data included unencrypted spreadsheets full of medical data, turning a garden-variety data leak into a huge HIPAA privacy violation.
The stakes are high for HR professionals, but what can they do about it? To understand what security challenges HR departments face on a daily basis, we spoke with two experts on digital security and privacy:
● Gordon Rapkin is the CEO of Archive Systems (@ArchiveSystems), a Fairfield, NJ-based unified document management company that provides secure, paperless solutions for HR departments. Given the nature of his company’s products and services, HR security is a matter of great importance to him, and he’s passionate about making other C-level executives see the value of HR security and privacy solutions.
● Paul Kubler, CISSP, CCNA, Sec+, ACE is a Cyber Security and Digital Forensics Examiner at LIFARS LLC (@LIFARSLLC), an international cybersecurity and digital forensics firm. He’s a former employee at Boeing, in the Global Network Architecture division, the nation’s largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices, aiding in the prosecution of criminals.
Whether you’re an HR professional or an entrepreneur whose business includes an HR department, there are four strong reasons you need to use a strong data and email encryption solution:
Social security numbers? Bank account numbers? Medical insurance data? Yup, HR has that. Some of it may live on a secure server, some of it in the cloud, some sitting in unencrypted documents on a company laptop. Still other data is floating around in your HR manager’s inbox.
All of that sensitive data means one thing: your HR department needs to be a bastion of security.
Says Rapkin, “HR departments own employees’ confidentiality — end of story. And there are no excuses. Too often, HR is low on IT’s list of priorities, and HR is lacking a strong enough voice to focus corporate action on protecting employees’ personally identifiable information.”
Kubler has also noticed that the voice of HR doesn’t get the priority it deserves, making the job of protecting employee confidentiality and privacy even more difficult. Security investment is already a difficult sell, given that the ROI of privacy measures like email encryption only reveals itself during actual security incidents.
“HR needs to worry a lot about email security, as they are one of the most targeted groups in organizations,” says Kubler. “The damage that can be done is potentially monumental — one need look no further than the 2011 RSA breach to see the ramifications of that. HR needs to be trained well on how to keep themselves protected and have a secure backbone in the IT space that can help secure them.”
Rapkin agrees. “HR departments need to build a culture of security and they need to adopt a posture of paranoia that keeps them ever vigilant about employee data. When it comes to protecting employee information, there is no such thing as ‘pretty good protection’ — only absolute protection counts.”
There are many layers of security you have to worry about when it comes to sensitive HR data, says Rapkin. “HR has several different information systems, and tons of paper files. The information systems require IT attention to ensure they are secure and all data is safely encrypted when at rest and when it is in transit. Too often, the perimeter of the organization and perhaps even access to the HR applications are secure, but the data in the system is not encrypted.”
Without the crucial layers of protection provided by server and email encryption, your sensitive HR data is left vulnerable. “This leaves the door open to an industrious hacker to go around the application and attack the unencrypted database directly. Think of this as a candy bar — crunchy on the outside, but soft in the middle. Break through the outer layers of protection, and the data is yours.”
And this isn’t just an issue with digital data. “The second problem area is all of the paper HR documents and how they are used. The file cabinets and file rooms may be locked up and secure, but the minute an employee asks to see the contents of these HR files, a colleague will typically copy the files and mail them, or scan the files and email the images. Both are terrible practices that leave employee data exposed.”
This means that HR needs a data management solution that includes digitizing paper documents and implementing data and email encryption. “The ideal solution is for HR departments to convert all of the paper files to a secure digital document management environment,” says Rapkin. “A proper digital environment acts like a vault. Everything in the vault must be encrypted, and nothing should ever leave. When someone requests access to a document, they should only receive a secure link back to the original image in the vault, not an email with an attachment, and there should not be an option to download the document or do anything with it that would expose it to risk.”
Of course, this also means implementing and enforcing a strong access policy. “When documents are accessed, the person looking at the document needs to pass through multiple security hurdles, including two-factor authentication (request access, receive a PIN on your phone, and enter the PIN into the application to open the vault),” says Rapkin. “Any and all access to employee documents needs to be logged and monitored so that there is always a secure audit trail of who touched what, and when.”
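The vault access flow Rapkin describes (request access, confirm a PIN as the second factor, receive a short-lived link to the original rather than an attachment, and log every step) modeled as an added Python example; this is not code from the original article, Virtru, or Archive Systems. Encryption of the stored documents and the channel that delivers the PIN to the user’s phone are assumed to exist outside the model, and the class name, method names and timeouts are my own.

```python
import hashlib
import hmac
import secrets
import time


class DocumentVault:
    """Constructed model of an HR document vault: documents never leave the vault,
    access requires a one-time PIN, and every event lands in an audit trail."""

    def __init__(self, link_ttl=300, pin_ttl=120, clock=time.time):
        self._key = secrets.token_bytes(32)  # server-side secret used to sign links
        self._docs = {}      # doc_id -> content (encryption at rest assumed outside this model)
        self._pending = {}   # (user, doc_id) -> (pin, pin expiry)
        self.audit = []      # (timestamp, user, doc_id, event): who touched what, and when
        self.link_ttl, self.pin_ttl, self.clock = link_ttl, pin_ttl, clock

    def store(self, doc_id, content):
        self._docs[doc_id] = content

    def _log(self, user, doc_id, event):
        self.audit.append((self.clock(), user, doc_id, event))

    def request_access(self, user, doc_id):
        """Step 1: a one-time PIN is generated; delivery to the user's phone is assumed."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user, doc_id)] = (pin, self.clock() + self.pin_ttl)
        self._log(user, doc_id, "access_requested")
        return pin  # returned only so a caller can drive the flow end to end

    def confirm_pin(self, user, doc_id, pin):
        """Step 2: the PIN is single-use and time-limited; success mints a signed, expiring link."""
        entry = self._pending.pop((user, doc_id), None)
        if entry is None or self.clock() > entry[1] or not hmac.compare_digest(entry[0], pin):
            self._log(user, doc_id, "pin_rejected")
            return None
        payload = f"{user}|{doc_id}|{int(self.clock()) + self.link_ttl}"
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        self._log(user, doc_id, "link_issued")
        return f"{payload}|{sig}"

    def open_link(self, token):
        """Step 3: the link resolves to the original in the vault; tampered or stale links are refused."""
        try:
            user, doc_id, expiry, sig = token.split("|")
        except ValueError:
            return None
        expected = hmac.new(self._key, f"{user}|{doc_id}|{expiry}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig) or self.clock() > int(expiry):
            self._log(user, doc_id, "link_rejected")
            return None
        self._log(user, doc_id, "document_viewed")
        return self._docs.get(doc_id)
```

The audit list is what a reviewer would export to see every request, rejection and view for a given employee file.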
“The content and use of email for HR professionals can also affect their security,” says Kubler. “When sending sensitive documents, you should be using email encryption over established channels to prevent accidental sends. There should also be protocols in place in case accidental declassification happens; this way a well-formed response can be carried out that makes the company look better.”
But what happens if you don’t use email encryption and other security measures to protect HR data? You’re looking not only at a hit to your company’s reputation, but also at potential compliance violations. “If email got leaked or hacked it can be extremely detrimental, which is why companies need security devices that can detect data exfiltration. If it is successful, there are always compliance protocols to deal with. These protocols vary by organization and type of data, but an already written plan can help to drastically reduce the damage.”
Bottom line? Make sure your security policy includes email encryption, know your state’s breach notification laws, and make sure that your disaster recovery plan includes what to do in case of a data leak.
“The last problem practice in many HR departments is the pervasive use of spreadsheets to hold really sensitive data,” says Rapkin. “Typically, a HR person will download lists of employees with all sorts of sensitive data such as salary, date of birth, address, etc., and put it all into a spreadsheet on their computer. Their purpose may be to model salary ranges or increases, or to create demographic reports, but the reality is that these spreadsheets are prime targets and high-risk failure points.”
And that’s one thing when the data is sitting on a server. Once it’s in your inbox, it’s a whole different can of worms, says Rapkin. “Even worse, the typical behavior is to email the spreadsheet to a supervisor or field manager — yikes! At a minimum, any spreadsheet containing personally identifiable information needs to be encrypted and password controlled, and the password should not go in the email with the file attached. Even better, the spreadsheet needs to be controlled by technology that makes it self-destruct after a very short time. That way it will not sit in the recipient’s inbox or on their hard drive forever.”
Email encryption is important not only for your private messages, but also the attachments you send along. That’s why Virtru uses the Trusted Data Format (TDF) to render your email attachments unusable to anyone who doesn’t have the encryption key required to read them.
If you’re in HR, your inbox is likely bristling with data that could harm not only your company’s reputation, but also the livelihoods of your colleagues, if it falls into the wrong hands. One of the easiest ways to protect yourself and your company is by using email encryption. And the easiest way to use email encryption is to download Virtru.
Virtru is a simple browser add-on that works with the email service you’re already using for a completely seamless, secure email experience. Where other email encryption options require tech know-how, all Virtru requires is the flick of a switch.
And remember — you’re not the only department that has to worry about sensitive email data. Contact us to learn more about enterprise email encryption options for your whole company.