MOBILE ENABLEMENT WITHOUT INCREASING HR DATA SECURITY RISKS – SOMETHING TO THINK ABOUT.
With so much information in the news recently about cyber security and data security breaches, I thought it would be a good idea to start off the New Year with a discussion about how HR leaders can ensure HR data security, even as the propensity for employees to use their own mobile devices for work continues to grow. The debate over security risks posed by mobile devices in the workplace, including laptops, personal smartphones, tablets, and now the newly-defined “phablets” (cell phones large enough to also serve as a tablet), has been raging for a few years now, with IT largely controlling the discussion in most companies. However, as human resource management software (HRMS) providers rush to develop HRIS mobile apps to accommodate a workforce that demands access to the information they need around the clock, HR managers are moving front and center into the discussion.
Confronted with security concerns related specifically to the personnel data they collect and manage, including national IDs (e.g., Social Security number [SSN] or social insurance number [SIN]), driver’s license numbers, compensation rates, birth dates, and ethnicity information, human resource managers are realizing the importance of developing and implementing HR data protection policies and procedures that incorporate the use of mobile devices. In early 2014, Coca-Cola had to notify approximately 70,000 current and former employees that stolen laptops resulted in the exposure of their Social Security numbers, driver’s license numbers, and other personal information collected as part of the employment process. As reported by Kristin Cifolelli for the Small Business Association of Michigan, the security breach, which occurred because data encryption policies and other security procedures were not followed, is expected to cost the company millions to rectify. Bringing the problem even further into the HR camp is the fact that most data security breaches are caused by a company’s own employees.
MOBILE HR SOLUTIONS ON THE INCREASE
HR and payroll software vendors are focusing on developing for mobile technologies first, as they build new products and add features to existing systems. This includes offering hundreds of HRIS mobile apps for learning, performance management, scheduling, employee directories, employee and manager self-service, talent acquisition, and even succession management. The good news is that mobile apps provided by HR system vendors typically have built-in safeguards and are considered “enterprise-ready,” thereby causing fewer HR data security concerns than mobile apps such as Dropbox, Google Drive and Trello, which are popular productivity-enhancing tools but still raise security risk concerns. As industry vendors feed the mobile trend with new technology, IT and HR teams are scrambling to set rules and guidelines that attempt to embrace the benefits of mobile devices while controlling the risks. And according to an article by SHRM online editor/manager Aliah D. Wright, the trend toward employees using their own personal mobile devices for work “is unlikely to lose steam.” Studies cite multiple benefits when arguing that mobile devices should be welcomed as a permanent workplace tool:
- Increased efficiencies
- Increased productivity
- Easier collaboration
- Real-time decision making opportunities
- Increased workforce satisfaction
- Support for the needs of mobile, telecommuting employees
The longevity of the trend seems even more apparent as more companies stop providing employees with laptops or other mobile devices and, instead, require that employees bring their own device to work (BYOD). This saves the company money on hardware and enables employees to maintain their work and personal information on their preferred device. HR leaders are also seeing increased adoption of new programs that can be delivered on mobile devices. The increased adoption is credited to the employee’s comfort level with the device. Even the Federal government is making a huge investment in mobile technologies. According to a study by the Mobile Work Exchange, $1.6 billion has been spent on Federal workforce mobilization. Federal HR managers predict a savings of $15.1 billion just on reduced real estate costs, since a mobile, telecommuting workforce doesn’t require as many office buildings. Hundreds of millions in additional productivity gains are also predicted, as mobile-empowered employees will be able to continue operating even in the face of a “natural or man-made event.” The ability to attract top talent by offering better teleworking options is yet another anticipated benefit. But security concerns are still cited as the number one obstacle to greater progress, and encryption and security training are cited as major priorities going forward.
MOBILE DATA SECURITY IS A SHARED RESPONSIBILITY
Despite these growing trends, many employers still place the bulk of the responsibility for device security on the employee, asking them to sign policy documents agreeing to use complex passwords, avoid use of public Wi-Fi, and even agree to have their devices wiped remotely in the event they are lost, stolen, or the employee leaves the company. But it is important for company executives to take responsibility, as well. Here are a few areas on which to focus:
1) Employee education and training
2) Encryption implementation
3) Taking advantage of available mobile-device management products
4) Forcing multi-factor authentication and password cycling
5) Providing a set of approved and secure “enterprise-ready” apps
6) Limiting the use of employee personal data as identifiers or authenticators
7) Limiting employee access to only the systems and data they require to do their job
The last topic is especially important to keep in mind when implementing a new HR system. Be sure to discuss best practices for security role setup and assignments with your software vendor or implementation consultant. A successful HRIS implementation will include an in-depth review of your holistic HR data access requirements and related system security capabilities. Your consultant should be able to help you assess risks while also identifying gaps in employee needs. By reviewing your current offerings and discussing desired improvements with your implementation consultant, you gain a knowledgeable partner to help plan mobile enablement without increasing HR data security risks.