Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


12:00 PM
Brian Vecci
Brian Vecci
Connect Directly
E-Mail vvv

To Attract and Retain Better Employees, Respect Their Data

A lack of privacy erodes trust that employees should have in management.

It's the first day of your job and you're filling in the I-9 ID verification form, scanning your passport, and completing a direct deposit sheet. This sounds great until someone realizes the human resources folder is open to the "Authenticated Users" group, meaning every employee and contractor in the company has easy access to your information.

Employees tend to believe their data will remain private because they trust their employer to keep it safe — a faith that is sometimes misplaced. This US tax season, 130 organizations and counting fell victim to W-2 business email compromise scams in which employees were tricked into releasing personal information of other employees, affecting 120,000 tax payers. This lack of privacy negates any trust that employees have in management to keep their personal data safe.

Employee Data Ends Up in the Darndest Places
Employees place trust in their employers as soon as they hand over their personally identifiable information — name, address, Social Security number, bank account information — and agree to background checks. This data should be considered extremely sensitive because in the wrong hands it can be used to harm employees in many ways, including identity theft, taking out credit, or filing false tax returns, as happened in the American Type Culture Collection W-2 leak this year.

Employees trust their employers to store data in a private and secure manner, but new employees typically provide sensitive information without asking, "How long will you hold on to this? Who will have access to it? Who will review that access? Will you know when something goes wrong?"

Just like transactional data, much of this information is stored in databases or corporate HR systems either on-premises or in the cloud. One mistake organizations make is that they fail to realize personal information often finds its way into files and emails — a PDF of a W-4, a driver's license image saved in an email, or, worse, a spreadsheet with many employee records. These files are then stored among the millions of other files in file shares, SharePoint, and Exchange platforms on-premises and in the cloud.

These file and email stores were designed for easy collaboration but lack the security controls to protect sensitive information and meet regulatory compliance needs. Just as a new employee may not question her new employer's security practices, in our eagerness to create and share information quickly, too few have questioned the adequacy of the controls surrounding our information.

Unfortunately, most organizations don't actually know where all their employee data is stored or how it's being used. A recent Forrester Consulting survey commissioned by Varonis found that 41% of security professionals know where employee data is located and 41% classify it based on its sensitivity. Only 45% audit all use of this data and analyze it for abuse, the same results we found in our 2017 RSA booth survey.

It's worth noting that Forrester found only 38% of respondents enforce a least-privilege model against this data. This means that 62% of organizations expose their employee data to more individuals than need access, increasing the risk for misuse.

The Cost of Stolen Employee Data
In addition to the hard dollar costs associated with a breach, including cybersecurity insurance premium hikes, damages, and regulatory fines, there are many other costs that are difficult to quantify: brand damage and reputational damage. One cost that organizations may fail to consider: employee trust. Would you choose to go work for a company that was in the headlines because its W-2s were breached over one that hasn't? 

Mitigating the Risks and Attracting Top Talent
Companies that say "We not only say that we take our employee data seriously but here's exactly how we do it" will have an advantage in the labor market to hire and retain the best employees. This is one way that an effective data security strategy can drive revenue and growth. 

There are five key areas every organization needs to focus on when it comes to protecting all of its sensitive data.

  • Classification: It's imperative that you know where your employee data resides so you can begin to restrict access and monitor for abuse. Most organizations find that manual tagging or classification efforts are insufficient. An automated classification system will look for potential sensitive data, including employee information found in HR documents.
  • Least privilege: Limit access using the principle of least privilege or "need-to-know" — who has a legitimate need to access that data today? To enforce a least-privilege model means to continually make sure that the list of people who have access need access. People's roles change.
  • Monitor your data: Use of sensitive data must be monitored. It's impossible to detect abuse and figure out who should have access if the asset isn't being monitored. If I have access to employee data I never touch because it doesn't apply to my job anymore, that's relatively easy to identify based on my access behavior. Otherwise, you're relying on someone to notice and mention that I don't need that access, and I usually have other things to do. Monitoring data usage is also key to analyzing and alerting on abuse. Sophisticated user behavior analytics can discern when access is suspicious.
  • Retention policies: Data you don't need any more is at risk for being stolen or misused. Almost every organization I've worked with has policies for retaining employee data and a system for enforcing those policies, including automatic reviews of stale data.
  • Employee training: No matter what controls and technologies you use, make sure that your employees understand the value of the assets they use. Any employee who comes into contact with potentially sensitive information must get training on the systems and controls that protect that data, how to make sure they're enforced, and the risks associated with mishandling that data. Make it clear that you respect your employees' data and your employees will know you respect them.]

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

Brian Vecci is a 19-year veteran of information technology and data security, including holding a CISSP certification. He has served in applications development, system architecture, project management, and business analyst roles in financial services, legal technology, and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
4/5/2017 | 3:38:52 PM
Re: Staffing firms
@BrianV: It's really quite a tradeoff to compare either side of the pond, isn't it?  On the one hand, as an American, I can see the benefits of the "right to be forgotten" in this increasingly digital age.  On the other hand, as an American, I am VERY grateful for the speech freedoms and other freedoms that we so often take for granted yet are -- quite frankly -- unavailable in even more democratic EU members like Germany and France.
User Rank: Apprentice
4/4/2017 | 1:21:38 PM
Re: Staffing firms
Too true. This kind of thing is one of the protections GDPR hopes to afford EU citizens ("the right to be forgotten"). I think eventually we will see similar protections everywhere, and enforcement aside, those orgs that can ID and get rid of PII that they don't need will have a clear advantage over those that can't.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
4/4/2017 | 8:00:35 AM
Staffing firms
The worst part is if you've ever worked with a staffing firm.  A lot of those jerks hold onto your data in perpetuity.  No.  Matter.  What.

I know a number of people in my professional circle who were pretty peeved at and had brusquely severed their relationships with a particular large staffing firm that shall rename nameless -- and, MANY years later, found their data compromised in a data breach, despite requesting (demanding?) that their information be deleted.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...