It's the first day of your job and you're filling in the I-9 ID verification form, scanning your passport, and completing a direct deposit sheet. This sounds great until someone realizes the human resources folder is open to the "Authenticated Users" group, meaning every employee and contractor in the company has easy access to your information.
Employees tend to believe their data will remain private because they trust their employer to keep it safe — a faith that is sometimes misplaced. This US tax season, 130 organizations and counting fell victim to W-2 business email compromise scams in which employees were tricked into releasing personal information of other employees, affecting 120,000 tax payers. This lack of privacy negates any trust that employees have in management to keep their personal data safe.
Employee Data Ends Up in the Darndest Places
Employees place trust in their employers as soon as they hand over their personally identifiable information — name, address, Social Security number, bank account information — and agree to background checks. This data should be considered extremely sensitive because in the wrong hands it can be used to harm employees in many ways, including identity theft, taking out credit, or filing false tax returns, as happened in the American Type Culture Collection W-2 leak this year.
Employees trust their employers to store data in a private and secure manner, but new employees typically provide sensitive information without asking, "How long will you hold on to this? Who will have access to it? Who will review that access? Will you know when something goes wrong?"
Just like transactional data, much of this information is stored in databases or corporate HR systems either on-premises or in the cloud. One mistake organizations make is that they fail to realize personal information often finds its way into files and emails — a PDF of a W-4, a driver's license image saved in an email, or, worse, a spreadsheet with many employee records. These files are then stored among the millions of other files in file shares, SharePoint, and Exchange platforms on-premises and in the cloud.
These file and email stores were designed for easy collaboration but lack the security controls to protect sensitive information and meet regulatory compliance needs. Just as a new employee may not question her new employer's security practices, in our eagerness to create and share information quickly, too few have questioned the adequacy of the controls surrounding our information.
Unfortunately, most organizations don't actually know where all their employee data is stored or how it's being used. A recent Forrester Consulting survey commissioned by Varonis found that 41% of security professionals know where employee data is located and 41% classify it based on its sensitivity. Only 45% audit all use of this data and analyze it for abuse, the same results we found in our 2017 RSA booth survey.
It's worth noting that Forrester found only 38% of respondents enforce a least-privilege model against this data. This means that 62% of organizations expose their employee data to more individuals than need access, increasing the risk for misuse.
The Cost of Stolen Employee Data
In addition to the hard dollar costs associated with a breach, including cybersecurity insurance premium hikes, damages, and regulatory fines, there are many other costs that are difficult to quantify: brand damage and reputational damage. One cost that organizations may fail to consider: employee trust. Would you choose to go work for a company that was in the headlines because its W-2s were breached over one that hasn't?
Mitigating the Risks and Attracting Top Talent
Companies that say "We not only say that we take our employee data seriously but here's exactly how we do it" will have an advantage in the labor market to hire and retain the best employees. This is one way that an effective data security strategy can drive revenue and growth.
There are five key areas every organization needs to focus on when it comes to protecting all of its sensitive data.
- Classification: It's imperative that you know where your employee data resides so you can begin to restrict access and monitor for abuse. Most organizations find that manual tagging or classification efforts are insufficient. An automated classification system will look for potential sensitive data, including employee information found in HR documents.
- Least privilege: Limit access using the principle of least privilege or "need-to-know" — who has a legitimate need to access that data today? To enforce a least-privilege model means to continually make sure that the list of people who have access need access. People's roles change.
- Monitor your data: Use of sensitive data must be monitored. It's impossible to detect abuse and figure out who should have access if the asset isn't being monitored. If I have access to employee data I never touch because it doesn't apply to my job anymore, that's relatively easy to identify based on my access behavior. Otherwise, you're relying on someone to notice and mention that I don't need that access, and I usually have other things to do. Monitoring data usage is also key to analyzing and alerting on abuse. Sophisticated user behavior analytics can discern when access is suspicious.
- Retention policies: Data you don't need any more is at risk for being stolen or misused. Almost every organization I've worked with has policies for retaining employee data and a system for enforcing those policies, including automatic reviews of stale data.
- Employee training: No matter what controls and technologies you use, make sure that your employees understand the value of the assets they use. Any employee who comes into contact with potentially sensitive information must get training on the systems and controls that protect that data, how to make sure they're enforced, and the risks associated with mishandling that data. Make it clear that you respect your employees' data and your employees will know you respect them.]
[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]