Global Security Forum

HR & IT Come Together To Protect Employee Data

    Posted Fri June 14, 2019 09:42 AM

    The HR function collects and stores personal data of employees throughout their tenure in the organisation and beyond. This data can include PII, health information, credit scores, criminal records and so on. In the absence of a security strategy and training, employee data is at risk of breaches.

    In the new reality of cyber-attacks, where data can be a high-value commodity, it is therefore imperative that HR and IT come together to support a 'risk-based approach' to protect employees. There is some initial footwork that needs to be done to understand what needs to be protected:


    Step 1. HR together with IT to identify and catalog data that needs to be protected

    Step 2. What is the type of data that needs to be protected, and from whom?

    Step 3. Inventory the systems that store, process or access this data, within the organisation and with partners, vendors and customers

    Step 4. Understand which of these systems may hold protected data or data that is governed by law, regulation or contractual requirements

    Step 5. Map the journey of the data so that at each stage appropriate security controls can be applied

    Step 6. Establish controls for data storage, to avoid sensitive data being stored in unsecured systems


    Today, an organisation may have up to 200 applications that are used internally to manage employee data. This mushrooming of systems and applications has given rise to "Dark Data". This is data that exists across various enterprise systems and may not be properly managed. This definition covers file shares, SharePoint, social systems and other collaboration systems and networks. To set appropriate levels of data protection, organisations need a clear view of this dark data: where it lies and how to classify it.


    At the very least there are four basic tenets of security that can be followed to secure employee data.

    I. Role-based Access Control

    Under RBAC, employees have the least access or privilege needed to allow them to do their job. Identity and Access Management (IAM) is a necessary complement to data loss prevention (DLP) tools. Data-centric audit and protection (DCAP) is a set of holistic security processes that apply an organisation's data privacy measures to specific pieces of data.

    II. Data Access Monitoring

    Employees may have access to data to do their job. However, when an employee changes his role or leaves the organisation, he must no longer have access to such data. To actively monitor data access, it is suggested that (i) HR enforces a policy that when an employee exits a role, his access is reviewed and removed before final settlement; (ii) once an employee has made his intention to exit clear, his access to systems is limited and supervised. A case in point is that of the FDIC, where an employee accidentally exposed data of 44,000 customers.

    III. Sensible Controls

    "Shadow IT" emerged because corporate systems were difficult to use, so employees started to keep their own offline data storage. Therefore, to overcome shadow IT and dark data, organisations need to make corporate systems easy to use. All corporate data needs to be scanned, tagged and classified.

    IV. Data Security Education

    At the end of the day, security is everyone's job. Effective data protection is present when people understand the data they are accessing, determine appropriate containers and use security as a layer of protection.



    ------------------------------
    Rima Bose
    ------------------------------
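Sections I and II of the post describe role-based least privilege and access review for movers and leavers in policy terms. The Python below is an added illustration, not code from the original post or from IBM, showing how those two ideas can be checked mechanically: an RBAC decision that only honours entitlements belonging to the employee's current role, a mover/leaver review that lists what must be revoked, and a replay of access-log events against the model to surface accesses that should not have happened. Every role, system name, employee record and log event is constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role -> permitted (system, action) entitlements. Each role holds only
# what its job needs (least privilege); the system names are illustrative.
ROLE_ENTITLEMENTS = {
    "hr_generalist": {("hris", "read"), ("hris", "write"), ("payroll", "read")},
    "payroll_admin": {("payroll", "read"), ("payroll", "write"), ("hris", "read")},
    "it_helpdesk":   {("hris", "read")},
}


@dataclass
class Employee:
    emp_id: str
    role: str
    status: str                                 # "active", "notice" (resignation given) or "terminated"
    granted: set = field(default_factory=set)   # entitlements actually provisioned today


def is_allowed(emp: Employee, system: str, action: str) -> bool:
    """RBAC decision: allowed only if the employee is not terminated, the entitlement
    belongs to the employee's *current* role, and it was actually provisioned.
    Employees on notice keep read access only (limited and supervised)."""
    if emp.status == "terminated":
        return False
    ent = (system, action)
    if ent not in ROLE_ENTITLEMENTS.get(emp.role, set()):
        return False
    if emp.status == "notice" and action == "write":
        return False
    return ent in emp.granted


def review_access(emp: Employee) -> dict:
    """Mover/leaver review: return the entitlements to revoke plus readable findings."""
    findings = []
    allowed = ROLE_ENTITLEMENTS.get(emp.role, set())
    if emp.status == "terminated":
        revoke = set(emp.granted)
        if revoke:
            findings.append(f"{emp.emp_id}: leaver still holds {len(revoke)} entitlement(s); "
                            "remove before final settlement")
        return {"revoke": revoke, "findings": findings}
    # Mover: anything provisioned that is not part of the current role is left over
    # from a previous role and must go.
    revoke = {e for e in emp.granted if e not in allowed}
    for system, action in sorted(revoke):
        findings.append(f"{emp.emp_id}: '{action}' on '{system}' is not part of role "
                        f"'{emp.role}'; revoke")
    if emp.status == "notice":
        # Leaver on notice: restrict write access now, supervise what remains.
        for system, action in sorted(e for e in emp.granted & allowed if e[1] == "write"):
            revoke.add((system, action))
            findings.append(f"{emp.emp_id}: on notice; restrict '{action}' on '{system}' "
                            "and supervise remaining access")
    return {"revoke": revoke, "findings": findings}


def audit_events(employees: dict, events: list) -> list:
    """Data access monitoring: replay (emp_id, system, action) log events against the
    RBAC model and return the ones that should be investigated."""
    violations = []
    for emp_id, system, action in events:
        emp = employees.get(emp_id)
        if emp is None or not is_allowed(emp, system, action):
            violations.append((emp_id, system, action))
    return violations


def demo():
    """Constructed sample data: one mover, one leaver on notice, one terminated leaver."""
    employees = {
        # Moved from payroll_admin to it_helpdesk; payroll access was never removed.
        "e100": Employee("e100", "it_helpdesk", "active",
                         {("hris", "read"), ("payroll", "read"), ("payroll", "write")}),
        # Has resigned; write access should be restricted until exit.
        "e200": Employee("e200", "hr_generalist", "notice",
                         {("hris", "read"), ("hris", "write"), ("payroll", "read")}),
        # Has left the company but is still provisioned.
        "e300": Employee("e300", "payroll_admin", "terminated", {("payroll", "read")}),
    }
    events = [                       # constructed access-log events
        ("e100", "hris", "read"),
        ("e100", "payroll", "write"),
        ("e200", "hris", "write"),
        ("e300", "payroll", "read"),
        ("e999", "hris", "read"),    # identity unknown to HR
    ]
    reviews = {eid: review_access(e) for eid, e in employees.items()}
    return reviews, audit_events(employees, events)


if __name__ == "__main__":
    reviews, violations = demo()
    for r in reviews.values():
        for line in r["findings"]:
            print(line)
    print("log events to investigate:", violations)
```

The review and the log replay are deliberately separate checks: the review catches entitlements that were never removed when a role changed, while the replay catches the moment such an entitlement is actually used, which is the signal a monitoring team wants to alert on.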