It's the first day of your job and you're filling in the I-9 ID verification form, scanning your passport, and completing a direct deposit sheet. This sounds great until someone realizes the human resources folder is open to the "Authenticated Users" group, meaning every employee and contractor in the company has easy access to your information.
Employees tend to believe their data will remain private because they trust their employer to keep it safe — a faith that is sometimes misplaced. This US tax season, 130 organizations and counting fell victim to W-2 business email compromise scams in which employees were tricked into releasing personal information of other employees, affecting 120,000 taxpayers. This lack of privacy negates any trust that employees have in management to keep their personal data safe.
Employee Data Ends Up in the Darndest Places
Employees place trust in their employers as soon as they hand over their personally identifiable information — name, address, Social Security number, bank account information — and agree to background checks. This data should be considered extremely sensitive because in the wrong hands it can be used to harm employees in many ways, including identity theft, taking out credit, or filing false tax returns, as happened in the American Type Culture Collection W-2 leak this year.
Employees trust their employers to store data in a private and secure manner, but new employees typically provide sensitive information without asking, "How long will you hold on to this? Who will have access to it? Who will review that access? Will you know when something goes wrong?"
Just like transactional data, much of this information is stored in databases or corporate HR systems either on-premises or in the cloud. One mistake organizations make is that they fail to realize personal information often finds its way into files and emails — a PDF of a W-4, a driver's license image saved in an email, or, worse, a spreadsheet with many employee records. These files are then stored among the millions of other files in file shares, SharePoint, and Exchange platforms on-premises and in the cloud.
These file and email stores were designed for easy collaboration but lack the security controls to protect sensitive information and meet regulatory compliance needs. Just as a new employee may not question her new employer's security practices, too few of us, in our eagerness to create and share information quickly, have questioned the adequacy of the controls around that information.
Unfortunately, most organizations don't actually know where all their employee data is stored or how it's being used. A recent Forrester Consulting survey commissioned by Varonis found that only 41% of security professionals know where employee data is located and only 41% classify it based on its sensitivity. Only 45% audit all use of this data and analyze it for abuse, the same results we found in our 2017 RSA booth survey.
It's worth noting that Forrester found only 38% of respondents enforce a least-privilege model for this data. This means that 62% of organizations expose their employee data to more individuals than need access, increasing the risk of misuse.
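One way to check for the open-folder scenario described at the top, and to measure the least-privilege gap Forrester reports, is to walk the HR share and report every folder whose ACL grants access to a broad group. The script below is an added example, not code from the original article or from Varonis; the share path is a placeholder and it assumes the account running it can read the ACLs.

```powershell
# Added example, not from the article: report folders under an HR share whose ACL
# grants Allow access to broad, well-known groups such as "Authenticated Users".
# Assumptions: $Root is a placeholder UNC path; the account running this can read ACLs.
param(
    [string]$Root  = '\\fileserver\HR',   # placeholder, point at the real HR share
    [int]   $Depth = 3                    # how far down to walk from the share root
)

# Broad principals that should rarely, if ever, hold Allow rights on HR data.
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Users'
)
# The domain-wide group is equally broad; the domain name comes from the session.
if ($env:USERDOMAIN) { $BroadPrincipals += "$env:USERDOMAIN\Domain Users" }

# Check the share root itself (the case from the opening scenario) plus its subfolders.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $folders) {
    try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
    foreach ($ace in $acl.Access) {
        # Deny entries for broad groups are not a problem; only Allow entries widen exposure.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Folder    = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True means the grant must be fixed on a parent
            }
        }
    }
}

if (-not $findings) {
    "No broad-group Allow entries found under $Root"
} else {
    # Explicit (non-inherited) grants come first: they are the entries to remove or narrow.
    $findings | Sort-Object Inherited, Folder | Format-Table -AutoSize
}
```

Inherited entries trace back to a parent folder's ACL, so the grant should be removed or narrowed there rather than on each child; re-run the script afterwards to confirm the share is clean.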
The Cost of Stolen Employee Data
In addition to the hard dollar costs associated with a breach, including cybersecurity insurance premium hikes, damages, and regulatory fines, there are many other costs that are difficult to quantify, such as brand and reputational damage. One cost that organizations may fail to consider: employee trust. Would you choose to go work for a company that was in the headlines because its W-2s were breached over one that hasn't been?
Mitigating the Risks and Attracting Top Talent
Companies that can say, "We don't just say we take our employee data seriously; here's exactly how we do it," will have an advantage in the labor market in hiring and retaining the best employees. This is one way that an effective data security strategy can drive revenue and growth.
There are five key areas every organization needs to focus on when it comes to protecting all of its sensitive data.