Making the Connection Between Data, the Cloud, and Cybersecurity
How many of these situations are familiar?
- You write down a password so you won’t forget it
- You wonder where your documents really go when you back them up to the cloud
- You receive an unexpected email from your supervisor or CEO asking for personal information
- You share your login with a coworker because one of you is in too much of a hurry to look up the info
These are common scenarios at work, and given how “connected” we’ve become thanks to smartphones, cloud computing, and remote document access, to name just a few, the risk of data loss or theft is rising all the time. Here’s a primer on what you need to know to stay safe.
What, exactly, is data?
Even though the term “data” brings to mind columns of numbers and computer coding languages, data is pretty much anything we create, send, or store online. Every email, text, photo, document, Google search string, social media post, database record, and more counts as data.
Data is generally divided into two large categories: structured data (e.g. spreadsheets, relational databases, and other machine-readable formats) and unstructured data (everything else, as mentioned above). It is estimated that 80 percent of all data is unstructured.
Think about all the data you create each day at work and in your personal life, then multiply that by each person with an internet connection and/or a smartphone, and you’ll quickly see just how much data is out there. In fact, the International Data Corporation (IDC) predicts that the “Global Datasphere” will grow from 33 Zettabytes (ZB) in 2018 to 175 ZB by 2025 (for context, 1 ZB = 1 × 10^12 GB).
Much of the data used in the workplace is stored in the cloud. But what does that really mean? The cloud and cloud computing refer to groups of linked, high-capacity computers that collectively store information at a remote, physically secure location. Instead of saving customer or employee data to a server in your office, data is encrypted and stored offsite. When you need to work with it, it’s retrieved over the internet. For example, a cloud-based database for managing personnel files might include software to enter employee information and create lists and reports from your desktop computer. The actual software and all of the employee data are stored at the remote cloud server, so when you want to update records or create reports, you access the database through the web and retrieve the data over the internet. The same principle applies to email, messaging apps, online photo storage and social media platforms.
Realize there isn’t just one big cloud that holds all data. Big and small companies use cloud computing to store, access, and process data. You can pay for private cloud storage with one of many companies, but some software tools for the workplace come with their own cloud storage as a package deal (online scheduling or HR record and onboarding software are just a few examples).
HR’s Role in Data Protection
Responsibility for data security doesn’t just rest with your IT department. HR has an important role to play too. Because HR is responsible for collecting and storing sensitive employee information, including updates, compliance with reporting laws, and disposal of information on a retention schedule, everyone in the department must be aware of risks and good cyber hygiene practices.
There could be legal liability and reporting requirements for lost or stolen employee data. As the Society for Human Resource Management notes, “virtually all of the states have data breach notification laws at this point … employers should make sure they know what is required under relevant state laws.”
You’ll need to emphasize data security practices with HR staff “during new-hire orientations, while gathering personal information during onboarding, and while working with sensitive information such as payroll, benefits, and performance and health data,” notes IT security specialist Rob Chavez. And employees in all departments and at all levels need ongoing training to recognize and deal appropriately with situations such as data breaches, virus and malware attacks, and social engineering attempts.
Employee information falls into two large groups, both of which should be protected. Personally identifiable information (PII) includes data that is unique to a single individual, like a Social Security Number, date of birth, full name, or driver license number. These items are the most critical to protect because they easily and directly verify identity. Non-PII, such as an email address, phone number, or employer name, can change over the course of a person’s lifetime, so it is less valuable for confirming or stealing identity. Clever data thieves, however, can combine bits and pieces of non-PII to make an educated guess at a person’s identity.
Are You the Strongest Link in Data Security, or the Weakest?
“It’s easier to manipulate people rather than technology,” says hacker-turned-security advocate Kevin Mitnick. In fact, according to research by Willis Towers Watson, 58% of breaches are due to employee negligence or malicious behavior. This means for all the advanced computing power, security protections, anti-virus software, and cyber hygiene policies companies put in place, the weakest link in data security is consistently human beings. Verizon’s 2018 Data Breach Investigations Report says that while the majority of attacks are financially motivated, other reasons include stealing trade or proprietary secrets, credentials, and medical information.
Here are some steps you can take to keep data safe:
- Create strong passwords that are unique to each platform you’re using (i.e. don’t use the same password for all of your logins at work), change passwords often, and always reset default or initial passwords that come with new software or accounts
- Don’t share passwords with coworkers or others who request them, and avoid letting your browser store them – it only takes a single stolen password for an attacker to infiltrate a network
- Don’t assign higher levels of access rights than necessary for each employee
- Be wary of social engineering and phishing tactics, never follow links in suspicious emails (and report them to your IT department), and verify the identity of anyone who asks for sensitive information in person or over the phone (including but not limited to passwords, codes, and procedural information)
- Provide detailed, ongoing training for all employees in correct security procedures and policies regarding personal devices, reporting suspicious email, etc.
- Whenever possible, use encryption tools for email and other web-based programs
- Consider developing bring-your-own-device (BYOD) and remote access policies, since mobile devices, non-work-issued computers, and open Wi-Fi networks cannot be guaranteed secure, and devices can be stolen
If all of this sounds scary, remember that in the world of data security, the flip side of fear is awareness and vigilance. Knowing the vulnerabilities and what you can do to protect yourself gives you power. Secure cloud-based HR solutions and a knowledgeable partner are first steps toward both compliance and data security. Contact us to learn more.
Learn more about LifeLock. Horizon Payroll Solutions is proud to partner with LifeLock Benefit Solutions to offer our clients and their employees proactive identity theft protection. Help safeguard your finances, credit and good name. In today’s always-connected world, that’s more important than ever.