The security of data systems should be a top priority for
organisations, in particular HR, writes Keith Rodgers. After all, there is a
lot at stake – not least, corporate integrity
When a large financial company decided to roll out an employee portal for
the first time, it expected a certain amount of resistance from its workforce.
Not everyone, after all, immediately takes a shine to the concept of
self-service HR.
What it didn’t anticipate, however, was a blanket refusal from an entire
section of its IT department to participate in the initiative. Fearing the
portal would expose personal data to both internal and external hackers, the
company’s security experts refused to enter information into the portal until
they had put the system through an exhaustive testing programme.
Although their concerns were dealt with well before they were publicised
around the company, the events illustrate the far-reaching implications of HR
system security. The direct impact of breaches can be huge – unauthorised
access by external hackers or disgruntled employees can have major legal,
public relations and regulatory repercussions, as well as undermining the
integrity of data and damaging electronic systems.
But the indirect implications can also be costly. Loss of confidence in IT
security – even when it hasn’t been compromised – can jeopardise major
strategic initiatives like self-service. Fuelled by fears of cyber-terrorism
and ‘denial of service’ attacks that took out high-profile websites, these
kinds of security issues are rapidly climbing the corporate agenda. The growing
adoption of internet-based HR technology, offering wider accessibility to
corporate information, has caused companies to question existing procedures and
re-examine the integrity of their IT infrastructure. And software vendors are
taking note.
At the start of the year, hard on the heels of negative publicity about the
stability of its software and the privacy implications of one of its Net
initiatives, Microsoft chairman Bill Gates told employees security was a top
priority for the firm.
But the problem facing most users is that IT budgets – already under severe
strain – rarely accommodate major expenditure on security measures. Securing HR
data is a business priority, but companies are having to take a pragmatic view
of where and how to invest. As Mark Frear, head of enterprise portals at SAP
UK, says: "Security must be commensurate with the risk."
Building a security strategy encompasses a range of technology, business
process and planning elements. Vendors and consultants alike stress that the
starting point for any initiative should be to draft a corporate policy – an
obvious move in theory, but one that few organisations carry out in practice.
As Simon Owen, partner in Andersen’s technology risk department, points out,
organisations need to build a practical set of procedures and guidelines
spelling out their security policy.
Templates are available on the Web, but it is important to ensure the
documents are usable – not so unwieldy that end-users are put off from opening
them. High on the list of priorities is to establish levels of responsibility
and lines of communication. Andersen argues that overall responsibility for
security should be held at senior level, possibly a board member or the head of
IT, with duties delegated.
Sensitivity test
From HR’s perspective, the main concern is to establish which data is the
most sensitive. "The danger with security is that you take the paranoid
approach – everything must be screwed down," says Owen. "Someone in
HR needs to do that – to work out what they care about – before they write out
a large cheque for expensive security."
Personal payroll data, for example, is clearly highly sensitive, while
information on corporate salary scales is important, but less sensitive given
employees can work out the guidelines by comparing notes.
As well as preventative measures to guard critical data, a company’s action
plan should spell out the procedures when security is breached. That process
can be more complex than organisations first realise and requires input from
departments across the company, including media relations (in case the story
leaks), the legal department (to understand the company’s liability and to
establish what action to take if the intruder is identified) finance, IT,
marketing and, of course, HR.
Organisations that have suffered security breaches testify to the fact that
defining responsibilities prior to the event makes a huge difference. It
ensures that they have the resources at hand to weigh up the damage, prevent a
recurrence and handle the technical and organisational fallout.
Mike Richards, CEO of Snowdrop Systems, argues that security policy
ultimately ends up as a cost/benefit exercise – weighing up the costs of
security, breaches, and data loss. These costs come in numerous forms,
including the direct damage to the business or its reputation (particularly in
security-conscious industries such as banking) and the potential impact on
staff morale.
"To achieve a practical outcome it’s necessary to adopt a basic
principle: that perfect security is not achievable in any environment,"
Richards says. "What is important is to understand the risks and remedies
and to take action appropriate to the situation. Even the Pentagon is hacked
regularly, but the risks are controlled."
Most significantly, organisations need to recognise there is a balancing act
between availability of information – either internally over an intranet or for
external access – and security requirements.
Defensive devices
While operating system and network security are typically the domain of the
IT department, HR should be heavily involved in defining application and
database security procedures. The building blocks for a comprehensive strategy
fall into four core categories – authentication, encryption, firewall defences
and auditing.
Authentication For most organisations, the authentication layer is
relatively straightforward, based around a user ID and recognised password
system. Given that most IDs are easy to work out and passwords often
unimaginative, however, some companies require higher levels of access
security. Challenge Response Mechanisms, for example, generates an eight-digit
number when users log in. The user enters the number into a pre-programmed
‘calculator’, protected by a PIN, which generates a corresponding code that is
keyed back into the system. Other security devices tie users to certain
consoles, only allowing access to named individuals from named machines – a
useful device if specialist access is required for an office-bound employee in
areas such as HR or finance.
Once identity is established, most HR software systems provide the
functionality to tie the user to specific access privileges, depending on their
role, function, seniority or geography. Historically, as SAP’s Frear points
out, HR departments relied on e-mailing IT to request changes to privileges as
individuals shifted jobs or left the company. That process, which was prone to
human error and time delays, has now been automated.
The SAP system links security levels to an organisational chart, which
automatically modifies privileges when HR staff enter personnel and contractor
changes. Lawson Software has a similar rules- and role-based system which
allows companies to build employee groups with specific access privileges. If
an employee’s status shifts – for example, they go part-time and lose their
entitlement to certain benefits – they no longer match the group criteria and
are denied access to the appropriate data.
Encryption The second layer of defence, encryption ensures the
confidentiality of data as it passes through the system – an issue that grows
in importance as organisations send more HTML-based data to employee Web
browsers. Application vendors have adopted several encryption technologies,
including Secure Sockets Layer (SSL), a ‘scrambling’ device used in an enhanced
form for credit-card transactions on many consumer websites.
The basic form of SSL – 40-bit encryption – can be cracked by more
experienced hackers, but it still serves a useful purpose for many companies:
organisations need to ask how far hackers will bother to go to find out basic
HR information. Most vendors also offer links to specialist encryption engines
for higher-security environments.
Firewall Built to protect core servers and one of the prime targets
of professional hackers, firewalls have typically been viewed as the domain of
IT, but in reality their construction also requires input from HR. For many
organisations, this is the Achilles heel. Andersen, which carries out ‘ethical
hacking’ to assess the security of clients’ systems, is successful in 90 per
cent of its attempts to penetrate systems – primarily because the firewall has
either not been configured properly to meet the organisation’s needs, or the
configuration was out of date. Built on business rules that determine what
traffic is allowed through, the firewall needs to be constantly adjusted as new
information comes into the public domain about security lapses in specific
products – not least because that information is seized upon by hackers.
"The IT department needs to know how to configure the firewall, and the
business needs to work out what it will allow through," says Owen.
"So HR and IT need a coordinated approach. And you have got to keep
abreast [of new security weaknesses] and react accordingly." Owen suggests
one inexpensive way organisations can test their security is to simply try to
hack into the firewall themselves.
Audit The final major piece of the security puzzle, the audit, is a
monitoring process that tracks access to data and is critical to establishing
ongoing security and the extent of any breach of the system.
Owen says one of the most expensive elements in the security process is the
resource required to find out what went on when unauthorised access took place.
Monitoring tools can also help organisations restore data after the event. SAP,
for example, allows users to configure their auditing software to trigger
specific events seen as critical by the organisation. In military applications,
that process extends as far as monitoring whether information has been viewed,
not merely whether it has been altered. But for most commercial organisations
it is changes to records that will trigger most alarms.
While these technical measures provide the security framework at system
level, the elements are only relevant if they are part of a broader
organisational security policy. Much of that is common sense – ensuring, for
example, that individuals who make changes to payroll systems cannot trigger a
pay run without a managerial check-off. Much, too, is about disaster
preparedness. Del Dehn, technology product marketing manager at Lawson in the
US, argues that data storage and data management strategies are key to
resolving a catastrophic security failure, allowing organisations to revert to
saved data if systems are violated. Again, regular testing is critical – much
of an organisation’s ability to recover from intrusion rests on the actions it
takes in advance to mitigate against damage.
Perceived threats
Just how great the threat is to HR systems is a matter of some debate. Many
vendors concede that the dangers are sometimes blown out of proportion, not
just by the software community but by users themselves. As Richards at Snowdrop
comments: "Organisations are inclined to overstate how interesting their
data is – the average HR database is not of great interest to techie
hackers." For that reason, many observers believe the biggest threats
remain ‘denial of service’ attacks and viruses. Both can be headed off to a
degree by Web tools, and while security breaches in confidential areas such as
payroll may be a worry, the biggest issue most organisations face is the
failure of end-users to roll out virus-screening applications.
While the emergence of employee self-service has raised fears about
security, in many respects they too are overstated. Richards suggests a
Web-based employee portal may well be more secure than a PC-based system, if
only because the obvious threats to data integrity will have forced
organisations to address security issues they might otherwise have ignored.
Likewise, Diana Van Blaricom, international HR product manager at Lawson,
argues that self-service systems are more secure than telephone-based interactive
voice response (IVR) mechanisms, where passers-by can watch numbers being
entered and employees can hear conversations, or an office’s internal mail
system.
That said, Andersen says the percentage of external security breaches,
compared to internal, has risen from 20 per cent five years ago to 40 per cent
today. Meanwhile, Datasec, a UK-based computer forensic investigation firm,
argues that while the greatest perceived threat to companies is cybercrime,
employees remain the highest risk.
Sign up to our weekly round-up of HR news and guidance
Receive the Personnel Today Direct e-newsletter every Wednesday
Whatever the real threat today, the dangers are set to increase. As Cate
Quirk, analyst at AMR research, points out, security will become ever more
pressing as organisations seek to collaborate with external partners, gaining
access to their system, partners, suppliers and customers.
In practical terms, companies need to assess for themselves where the
biggest threats are and address them as top priority. "Organisations need
to understand that security should be thought of first, not last," says
Quirk.
