Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


12:00 PM
Brian Vecci
Brian Vecci
Connect Directly
E-Mail vvv

To Attract and Retain Better Employees, Respect Their Data

A lack of privacy erodes trust that employees should have in management.

It's the first day of your job and you're filling in the I-9 ID verification form, scanning your passport, and completing a direct deposit sheet. This sounds great until someone realizes the human resources folder is open to the "Authenticated Users" group, meaning every employee and contractor in the company has easy access to your information.

Employees tend to believe their data will remain private because they trust their employer to keep it safe — a faith that is sometimes misplaced. This US tax season, 130 organizations and counting fell victim to W-2 business email compromise scams in which employees were tricked into releasing personal information of other employees, affecting 120,000 tax payers. This lack of privacy negates any trust that employees have in management to keep their personal data safe.

Employee Data Ends Up in the Darndest Places
Employees place trust in their employers as soon as they hand over their personally identifiable information — name, address, Social Security number, bank account information — and agree to background checks. This data should be considered extremely sensitive because in the wrong hands it can be used to harm employees in many ways, including identity theft, taking out credit, or filing false tax returns, as happened in the American Type Culture Collection W-2 leak this year.

Employees trust their employers to store data in a private and secure manner, but new employees typically provide sensitive information without asking, "How long will you hold on to this? Who will have access to it? Who will review that access? Will you know when something goes wrong?"

Just like transactional data, much of this information is stored in databases or corporate HR systems either on-premises or in the cloud. One mistake organizations make is that they fail to realize personal information often finds its way into files and emails — a PDF of a W-4, a driver's license image saved in an email, or, worse, a spreadsheet with many employee records. These files are then stored among the millions of other files in file shares, SharePoint, and Exchange platforms on-premises and in the cloud.

These file and email stores were designed for easy collaboration but lack the security controls to protect sensitive information and meet regulatory compliance needs. Just as a new employee may not question her new employer's security practices, in our eagerness to create and share information quickly, too few have questioned the adequacy of the controls surrounding our information.

Unfortunately, most organizations don't actually know where all their employee data is stored or how it's being used. A recent Forrester Consulting survey commissioned by Varonis found that 41% of security professionals know where employee data is located and 41% classify it based on its sensitivity. Only 45% audit all use of this data and analyze it for abuse, the same results we found in our 2017 RSA booth survey.

It's worth noting that Forrester found only 38% of respondents enforce a least-privilege model against this data. This means that 62% of organizations expose their employee data to more individuals than need access, increasing the risk for misuse.

The Cost of Stolen Employee Data
In addition to the hard dollar costs associated with a breach, including cybersecurity insurance premium hikes, damages, and regulatory fines, there are many other costs that are difficult to quantify: brand damage and reputational damage. One cost that organizations may fail to consider: employee trust. Would you choose to go work for a company that was in the headlines because its W-2s were breached over one that hasn't? 

Mitigating the Risks and Attracting Top Talent
Companies that say "We not only say that we take our employee data seriously but here's exactly how we do it" will have an advantage in the labor market to hire and retain the best employees. This is one way that an effective data security strategy can drive revenue and growth. 

There are five key areas every organization needs to focus on when it comes to protecting all of its sensitive data.

  • Classification: It's imperative that you know where your employee data resides so you can begin to restrict access and monitor for abuse. Most organizations find that manual tagging or classification efforts are insufficient. An automated classification system will look for potential sensitive data, including employee information found in HR documents.
  • Least privilege: Limit access using the principle of least privilege or "need-to-know" — who has a legitimate need to access that data today? To enforce a least-privilege model means to continually make sure that the list of people who have access need access. People's roles change.
  • Monitor your data: Use of sensitive data must be monitored. It's impossible to detect abuse and figure out who should have access if the asset isn't being monitored. If I have access to employee data I never touch because it doesn't apply to my job anymore, that's relatively easy to identify based on my access behavior. Otherwise, you're relying on someone to notice and mention that I don't need that access, and I usually have other things to do. Monitoring data usage is also key to analyzing and alerting on abuse. Sophisticated user behavior analytics can discern when access is suspicious.
  • Retention policies: Data you don't need any more is at risk for being stolen or misused. Almost every organization I've worked with has policies for retaining employee data and a system for enforcing those policies, including automatic reviews of stale data.
  • Employee training: No matter what controls and technologies you use, make sure that your employees understand the value of the assets they use. Any employee who comes into contact with potentially sensitive information must get training on the systems and controls that protect that data, how to make sure they're enforced, and the risks associated with mishandling that data. Make it clear that you respect your employees' data and your employees will know you respect them.]

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

Brian Vecci is a 19-year veteran of information technology and data security, including holding a CISSP certification. He has served in applications development, system architecture, project management, and business analyst roles in financial services, legal technology, and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
4/5/2017 | 3:38:52 PM
Re: Staffing firms
@BrianV: It's really quite a tradeoff to compare either side of the pond, isn't it?  On the one hand, as an American, I can see the benefits of the "right to be forgotten" in this increasingly digital age.  On the other hand, as an American, I am VERY grateful for the speech freedoms and other freedoms that we so often take for granted yet are -- quite frankly -- unavailable in even more democratic EU members like Germany and France.
User Rank: Apprentice
4/4/2017 | 1:21:38 PM
Re: Staffing firms
Too true. This kind of thing is one of the protections GDPR hopes to afford EU citizens ("the right to be forgotten"). I think eventually we will see similar protections everywhere, and enforcement aside, those orgs that can ID and get rid of PII that they don't need will have a clear advantage over those that can't.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
4/4/2017 | 8:00:35 AM
Staffing firms
The worst part is if you've ever worked with a staffing firm.  A lot of those jerks hold onto your data in perpetuity.  No.  Matter.  What.

I know a number of people in my professional circle who were pretty peeved at and had brusquely severed their relationships with a particular large staffing firm that shall rename nameless -- and, MANY years later, found their data compromised in a data breach, despite requesting (demanding?) that their information be deleted.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-12
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.
PUBLISHED: 2021-05-12
Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14.
PUBLISHED: 2021-05-12
Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a cross-site scripting (XSS) vulnerability that can lead to an account takeover via custom email templates.
PUBLISHED: 2021-05-12
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Website SEO Keywords" field on the page "admin/info.php?shuyu".
PUBLISHED: 2021-05-12
An Information Disclosure vulnerability exists in dhcms 2017-09-18 when entering invalid characters after the normal interface, which causes an error that will leak the physical path.