Brian Vecci

To Attract and Retain Better Employees, Respect Their Data

A lack of privacy erodes trust that employees should have in management.

It's the first day of your job and you're filling in the I-9 ID verification form, scanning your passport, and completing a direct deposit sheet. This sounds great until someone realizes the human resources folder is open to the "Authenticated Users" group, meaning every employee and contractor in the company has easy access to your information.

Employees tend to believe their data will remain private because they trust their employer to keep it safe — a faith that is sometimes misplaced. This US tax season, 130 organizations and counting fell victim to W-2 business email compromise scams in which employees were tricked into releasing personal information of other employees, affecting 120,000 taxpayers. This lack of privacy negates any trust that employees have in management to keep their personal data safe.

Employee Data Ends Up in the Darndest Places
Employees place trust in their employers as soon as they hand over their personally identifiable information — name, address, Social Security number, bank account information — and agree to background checks. This data should be considered extremely sensitive because in the wrong hands it can be used to harm employees in many ways, including identity theft, taking out credit, or filing false tax returns, as happened in the American Type Culture Collection W-2 leak this year.

Employees trust their employers to store data in a private and secure manner, but new employees typically provide sensitive information without asking, "How long will you hold on to this? Who will have access to it? Who will review that access? Will you know when something goes wrong?"

Just like transactional data, much of this information is stored in databases or corporate HR systems either on-premises or in the cloud. One mistake organizations make is that they fail to realize personal information often finds its way into files and emails — a PDF of a W-4, a driver's license image saved in an email, or, worse, a spreadsheet with many employee records. These files are then stored among the millions of other files in file shares, SharePoint, and Exchange platforms on-premises and in the cloud.

These file and email stores were designed for easy collaboration but lack the security controls to protect sensitive information and meet regulatory compliance needs. Just as a new employee may not question her new employer's security practices, in our eagerness to create and share information quickly, too few have questioned the adequacy of the controls surrounding our information.

Unfortunately, most organizations don't actually know where all their employee data is stored or how it's being used. A recent Forrester Consulting survey commissioned by Varonis found that 41% of security professionals know where employee data is located and 41% classify it based on its sensitivity. Only 45% audit all use of this data and analyze it for abuse, the same results we found in our 2017 RSA booth survey.

It's worth noting that Forrester found only 38% of respondents enforce a least-privilege model against this data. This means that 62% of organizations expose their employee data to more individuals than need access, increasing the risk for misuse.

The Cost of Stolen Employee Data
In addition to the hard dollar costs associated with a breach, including cybersecurity insurance premium hikes, damages, and regulatory fines, there are many other costs that are difficult to quantify: brand damage and reputational damage. One cost that organizations may fail to consider: employee trust. Would you choose to go work for a company that was in the headlines because its W-2s were breached over one that hasn't? 

Mitigating the Risks and Attracting Top Talent
Companies that say "We not only say that we take our employee data seriously but here's exactly how we do it" will have an advantage in the labor market to hire and retain the best employees. This is one way that an effective data security strategy can drive revenue and growth. 

There are five key areas every organization needs to focus on when it comes to protecting all of its sensitive data.

  • Classification: It's imperative that you know where your employee data resides so you can begin to restrict access and monitor for abuse. Most organizations find that manual tagging or classification efforts are insufficient. An automated classification system will look for potential sensitive data, including employee information found in HR documents.
  • Least privilege: Limit access using the principle of least privilege or "need-to-know" — who has a legitimate need to access that data today? Enforcing a least-privilege model means continually verifying that everyone on the access list still needs that access. People's roles change.
  • Monitor your data: Use of sensitive data must be monitored. It's impossible to detect abuse and figure out who should have access if the asset isn't being monitored. If I have access to employee data I never touch because it doesn't apply to my job anymore, that's relatively easy to identify based on my access behavior. Otherwise, you're relying on someone to notice and mention that I don't need that access, and I usually have other things to do. Monitoring data usage is also key to analyzing and alerting on abuse. Sophisticated user behavior analytics can discern when access is suspicious.
  • Retention policies: Data you don't need any more is at risk for being stolen or misused. Almost every organization I've worked with has policies for retaining employee data and a system for enforcing those policies, including automatic reviews of stale data.
  • Employee training: No matter what controls and technologies you use, make sure that your employees understand the value of the assets they use. Any employee who comes into contact with potentially sensitive information must get training on the systems and controls that protect that data, how to make sure they're enforced, and the risks associated with mishandling that data. Make it clear that you respect your employees' data and your employees will know you respect them.
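The classification, least-privilege and monitoring points above come together in a periodic access review: find HR folders granted to catch-all groups, and find users whose direct grants have gone unused. The script below is an added example, not code from the article or from Varonis; the ACL export, the audit log, the group list and the `\\fs01\HR` share names are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Catch-all groups: a grant to any of these on an HR folder is the
# "Authenticated Users" mistake described at the top of the article.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
GROUPS = BROAD_GROUPS | {"hr-team"}  # constructed; a real export needs a directory lookup

# Constructed ACL export: (folder, trustee, permission)
ACL = [
    (r"\\fs01\HR\Onboarding", "Authenticated Users", "Modify"),
    (r"\\fs01\HR\Onboarding", "hr-team", "Modify"),
    (r"\\fs01\HR\Payroll", "hr-team", "Modify"),
    (r"\\fs01\HR\Payroll", "jsmith", "Read"),
    (r"\\fs01\HR\Payroll", "mlee", "Read"),
]
# Constructed file-access audit log: (ISO timestamp, user, folder)
AUDIT_LOG = [
    ("2017-03-30T09:12:00", "mlee", r"\\fs01\HR\Payroll"),
    ("2016-11-02T14:05:00", "jsmith", r"\\fs01\HR\Payroll"),
    ("2017-04-01T16:40:00", "mlee", r"\\fs01\HR\Payroll"),
]

def broad_exposures(acl):
    """Folders on which a catch-all group holds any permission."""
    return sorted({(f, t) for f, t, _ in acl if t in BROAD_GROUPS})

def stale_access(acl, log, now_iso, max_idle_days=90):
    """Direct user grants not exercised within max_idle_days, as
    (folder, user, permission, last_seen); last_seen is None when the
    log shows no use at all. Group grants are skipped here."""
    last_seen = {}
    for ts, user, folder in log:
        t = datetime.fromisoformat(ts)
        if t > last_seen.get((folder, user), datetime.min):
            last_seen[(folder, user)] = t
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    stale = []
    for folder, trustee, perm in acl:
        if trustee in GROUPS:
            continue
        seen = last_seen.get((folder, trustee))
        if seen is None or seen < cutoff:
            stale.append((folder, trustee, perm, seen))
    return stale

if __name__ == "__main__":
    for folder, group in broad_exposures(ACL):
        print(f"EXPOSED: {folder} is open to {group}")
    for folder, user, perm, seen in stale_access(ACL, AUDIT_LOG, "2017-04-04"):
        print(f"REVIEW: {user} holds {perm} on {folder}; last used {seen}")
```

Group grants are deliberately left to a separate membership review, since an unused group entry says nothing about which members still need it.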


Brian Vecci is a 19-year veteran of information technology and data security, including holding a CISSP certification. He has served in applications development, system architecture, project management, and business analyst roles in financial services, legal technology, and ...

Joe Stanganelli
User Rank: Ninja
4/4/2017 | 8:00:35 AM
Staffing firms
The worst part is if you've ever worked with a staffing firm.  A lot of those jerks hold onto your data in perpetuity.  No.  Matter.  What.

I know a number of people in my professional circle who were pretty peeved at and had brusquely severed their relationships with a particular large staffing firm that shall remain nameless -- and, MANY years later, found their data compromised in a data breach, despite requesting (demanding?) that their information be deleted.
User Rank: Apprentice
4/4/2017 | 1:21:38 PM
Re: Staffing firms
Too true. This kind of thing is one of the protections GDPR hopes to afford EU citizens ("the right to be forgotten"). I think eventually we will see similar protections everywhere, and enforcement aside, those orgs that can ID and get rid of PII that they don't need will have a clear advantage over those that can't.
Joe Stanganelli
User Rank: Ninja
4/5/2017 | 3:38:52 PM
Re: Staffing firms
@BrianV: It's really quite a tradeoff to compare either side of the pond, isn't it?  On the one hand, as an American, I can see the benefits of the "right to be forgotten" in this increasingly digital age.  On the other hand, as an American, I am VERY grateful for the speech freedoms and other freedoms that we so often take for granted yet are -- quite frankly -- unavailable in even more democratic EU members like Germany and France.