How safe is your HR information?
Posted by Jane on Jul 04, 2017
Cyber-attacks are in the news lately, from the NHS system shutdown to countless news stories about foreign influence on Western politics (fake news or not, there’s certainly a lot of smoke that suggests a fire!). But what about businesses? It’s a rare company that doesn’t find itself the custodian of large amounts of customer and employee data, stored electronically. How safe is it?
Leaving aside customer information, your employee data is certainly sensitive and worth protecting: names, addresses, National Insurance and other identifying numbers, and of course bank account and payroll details. In short, everything an enterprising criminal needs for identity theft and payroll fraud.
The reality of cybercrime
The Department for Culture, Media & Sport and the National Cyber Security Centre published statistics in April 2017, showing nearly seven in ten large businesses in the UK had experienced a security breach or cyber-attack, with an average cost of £20,000 per business over the last twelve months.
The most commonly experienced breaches came via fraudulent (phishing) emails: plausible messages that persuade employees to disclose financial information or passwords, or to open attachments that turn out to carry malware or ransomware.
But what about small businesses? Well, according to a report from Beaming, averaged across all business sizes, 2016 saw nearly 230,000 attack attempts per business in the UK! SMEs will see far fewer than that, but still: do you know how much unwelcome attention is bouncing off your firewall daily? Do you know how long it would take to recover from a successful cyber-attack? Are you asking what else you could be doing to strengthen your defences?
Basic tips to protect your people data
- Implement a company policy on how you manage your cyber security – if you’re not sure where to start, the British Standards Institution (BSI) offers some guidance.
- Password strength is key, but people still use easily guessed words (with no capital letters or digits) and, worse, reuse the same password for everything, which is begging for trouble: once one site is breached, every account that shares the password is exposed. Clear and simple guidance on setting passwords will help. (Here’s a 2016 guide from online tech gurus CNET.com.)
- Have a cyber recovery plan – like any other ‘business disaster’, your recovery time will be shortened if you’ve already got some procedures agreed and communicated to the workforce.
- The biggest issue is employee awareness and while policies and guidance can help, a short training session can really bring the issues home and offer some practical skills, including how to spot those dodgy emails. (The CIPD has a free online training module available).
- Have your defences tested by an outside cyber security company – a penetration test, the IT security version of the mystery shopper – and pinpoint any specific weaknesses.
In addition to the above, it’s worth noting that from 25 May 2018, all UK businesses which hold personal data (i.e. practically all of them) will have to comply with the new EU General Data Protection Regulation (GDPR). Of course, after Brexit, who knows, but it’s certainly relevant in the short term.