10 December 2018

It seems like every time we turn on our phones or power up our laptops, our newsfeeds are topped once again with yet another big data breach. Most recently, Marriott revealed that one of its guest reservation systems had been hacked… since 2014! And if you’re a part-time road warrior by trade like myself, there’s a good chance you are one of the 500 million guests whose personal information has been exposed. As you begin to investigate for yourself whether you may be a victim, you will be led to “free” services to check whether your information has been compromised, which will likely lead you to a “free for now” service to continue to protect your identity… and now you’re deep in the rabbit hole.

Interestingly, as you go to various sites to verify whether you’re a victim, they inevitably ask you for the very information you were trying to protect in the first place. But who can you trust? It’s a seemingly endless game of roulette where we are always betting on the inside.

These days, we can’t seem to function anymore without being on someone’s database somewhere. Our information is floating out in the cloud in various forms tied to different unique identifiers that we’ve been given over time. In HR in the US, most of us abandoned the idea of tracking employees using their Social Security Number a while ago, only to replace it with our own Employee IDs. But how common is it that we send our information by email on a scanned form that we’ve filled out by hand? Or we enter our information on a website to make a purchase? Or we let our computers save as much information as they will let us so we don’t have to keep entering the information on other similar forms? We’ve all grown accustomed to our shortcut lives. Maybe we’ve opted to “sign in using” information from another site so as not to have yet another password to remember. And we’ve adapted to the numerous types of identity verification that don’t require an actual password… all in the name of making our lives more convenient. But with that convenience comes a price.

As we go into our compensation planning season, we will undoubtedly be accessing and sharing employee data throughout the coming months. So how do we in Compensation ensure that the data of the employees we serve remains secure?

Ensure your passwords are secure.

If you are not using single-sign-on, and you have a separate password for your Compensation Planning System or your HRIS, ensure your passwords are unique. Consider not using the same password you use for your laptop or other devices. And don’t save passwords in an unsecured place or send passwords to anyone via email, etc. Take advantage of encrypted password banks if necessary to keep up with all of your different passwords.

Send data only through secured file transfer.

If you have to send data or reports containing data to colleagues or vendors in preparation for your compensation planning cycles, only send it via secured file transfer protocols. Avoid using email to send employee data. Reports generated from your systems containing employee data should also only be transmitted securely.

For the actual compensation planning process, this is where compensation planning software can help you to ensure that data is stored securely and shared safely where appropriate.

Lock computers and devices.

We all get sidetracked as we are working on those important reports or researching compensation planning issues. We likely spend much of our days logged into our compensation planning systems or our HRIS. Or we’ve downloaded data from these systems to analyze it, and may have these files open on our laptops as we walk away to grab a much-needed cup of coffee. Always remember to take the extra steps to lock your computer before you walk away from it. As a safety measure, ensure that your screen locks after a period of inactivity.

Also make sure that any systems you administer have an inactivity timeout set, so that any other users of those systems are logged out after a period of inactivity.

Secure portable media including mobile phones and laptops.

Make sure that all devices you use to potentially access employee data are secured with a passcode or other identity verification methods available on your device.

Avoid using portable drives to store or transfer data or ensure they are encrypted.

If possible, avoid using portable drives such as USB drives or external portable hard drives to store or transfer employee data. Rely on secure storage and file transfers instead. If it is necessary to do so, ensure that the data is password protected and encrypted.

Although most of us in Compensation aren’t necessarily involved directly in setting up the data security protocols, in light of all of the recent incidents compromising data privacy, we can do our part to ensure that we don’t become the source of the problem.

Posted by Glizcel Ditto
