Cybersecurity and Digital Ethics in Human Resource Information Systems (HRIS)
Cybersecurity has become of paramount importance across all industry sectors, including HR departments, and it is fast impacting our online economy too. In recent years the number of cyber threats has increased: the 2015 Cyberthreat Defense Report points out that in 2014, 71% of organizations experienced a successful cyber attack. We are also seeing more sophisticated and far-reaching threats, especially against personally identifiable information (PII), as evidenced by the attacks on the U.S. Office of Personnel Management (OPM), where 22 million employee files were stolen, and in Europe, where a major French telephony operator was breached on two separate occasions, losing the personal data of over 1 million customers.
Data theft on this magnitude impacts the online economy severely. Not only does it cause financial losses, it also causes reputational damage, with customers fearful of using affected companies.
The situation has meant that cybersecurity has become the primary concern of IT departments across all industry sectors. The speed at which digital transformations are occurring has increased the risk of a cyber-attack. As we move towards more connected, web-facing solutions, we build systems that are a mix of heterogeneous, hybrid, and global architectures with highly dispersed data. The interchange between these often-fragmented services creates an attack surface that is ideal for an attacker. For these and other ethical reasons, IT departments, vendors and service providers are leading the way by offering a sensible risk management strategy for establishing digital trust.
Security risk factors are changing
Never before in human history have we had so much data, so widely dispersed and so heavily shared. Data is spread across public, hybrid and private clouds. It travels through local, worldwide, wireless, social, private and professional networks. It is exchanged between applications, services, connected devices and objects. It is accumulated in Big Data repositories. And data is valuable: cybercriminals regularly sell stolen data records on the dark web. The average price per breached record is around $154 USD according to the Ponemon 2015 report on the Cost of Data Breaches, and it increases to $363 for medical records.
Cybercriminals and their impact on cyber security policies
To cope with this increased level of cyber threats against personal and professional data, cyber security policies have had to adapt. Cyber security policies now have to be highly flexible to cover the regulatory framework. RSSI (Security Officers for Information Systems) have to handle cybersecurity with a fresh perspective. Their role requires them to cover the three core principles of modern cyber security threat control:
- Detection / reaction
In terms of prevention, strategies and governance are evolving to better understand risks and adapt responses. Audit and compliance requirements have reinforced the security standards dictated by ISO 27001 or by a PSSI (Information Systems Security Policy).
In France, data privacy regulations are controlled by the CNIL (French National Commission for Computing and Liberties). The regulation has evolved laws that favour the privacy rights of the individual; these laws set out the accountability of digital operators. Technology is also keeping pace with the changes in the application of cyber security policy. New security tools have been developed which offer secure identity management. Several trends are emerging, including a more user-centric approach to identity and one which utilizes more usable and secure methods of authentication. Organizations like the Kantara Initiative and EU projects like Horizon 2020 are working across global borders to explore new ways of protecting individuals' privacy and identity. Work from the CNIL and others has identified new ways of using identity attributes and authentication to manage access to resources, whilst retaining the privacy and security of the user's personal data.
Research and in-practice use of modern identity and privacy shows that security measures need to be risk-based to more closely mitigate security threats. SDS (Software-Defined Security) or SDE (Software-Defined Encryption) robots were identified in 2014 by Gartner as one of the top ten technologies for information security; since then these methodologies have been used in mature platforms to help in the fight against cybercrime and identity fraud. Online identity systems have similarly taken on board this new approach to information security, with identity federation being handled through card management systems (CMS) or IDaaS (Identity as a Service) in the cloud. The evolution of online identity has also had to look at applying authentication measures that are more usable, less prone to security issues, and that can work in web-enabled environments across multiple device types. To this effect, biometric sensors, key and certificate management, OAuth-based federation, electronic signatures and the like are being incorporated. With the advent of more sophisticated cyber-attacks that work under the radar of conventional security tools, new approaches that use state-of-the-art detection and reaction mechanisms are being implemented. Cyber-monitoring is increasingly being adopted in organizations and in multi-stakeholder advocacy networks (IT services companies, industries, research laboratories, universities) to counter more and more sophisticated threats.
A self-secure HRIS
The HR department is in a unique position in the midst of the modern landscape of security threats and mitigation. It is both an issuer and a consumer of personal data, it handles financial transactions, and it manages highly confidential personal and company data. Data transactions are managed directly across HR application layers; users, their profiles and their rights, including the access permissions to data in the company, are accessed using Single Sign-On (SSO) internally, and externally this is handled, for example, using an electronic signature via a trusted third party.
The HRIS also has to ensure the traceability of management events and user actions, through the use of extensive web server logs and audit logging.
A responsible HRIS
HR's responsibility is to employees and to the CNIL. This responsibility has never been more important than now, when personal and company data is becoming increasingly sensitive and dispersed, for example data from the Internet of Things (geolocation devices, biometrics and wearable devices), from external social applications (Facebook and Twitter) and data circulating in social business networks (LinkedIn). Because HR is at the heart of the organization and visible to all of the company's expanded workforce (internal and external), the HRIS has the opportunity to actively contribute to the educational process, awareness and accountability on security issues.
Because HR has employee details at its fingertips through the HR repository of all employees, the HRIS can target groups of users, teams, projects, jobs, profiles, and so on, or even individuals, and send them alerts and security-focused documentation. The HR department has the use of a dynamic repository of employee identities, created from organizational knowledge. This identity repository offers a powerful and reliable source for creating user groups and can be used by the IT department for the allocation of hardware and software, as well as for security management. This gives the HRIS an opportunity to truly impact, in a positive way, the security of the company and its employees.
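The two ideas above, the HRIS as the authoritative source of user groups and access rights, and the HRIS as a keeper of a traceable record of who accessed what, can be shown together in code. The following is an added example written for this article, not code from the article or from any HRIS product. The employee records, departments and job titles are constructed sample data; the permission table and the group naming scheme (`dept:` and `job:` prefixes) are assumptions made for the illustration. Groups are derived from the HR repository so that a deactivated (leaver) record loses every permission automatically, and each access decision is appended to a hash-chained audit log whose `verify()` detects any later edit or deletion of an entry.

```python
import hashlib
import json
from dataclasses import dataclass

# Added example: HRIS-driven group derivation, least-privilege checks and a
# tamper-evident audit log. All data below is constructed for the illustration.


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    department: str
    job: str
    active: bool = True


# Constructed HR identity repository; e004 has left the company.
HR_REPOSITORY = [
    Employee("e001", "A. Martin", "HR", "HR Manager"),
    Employee("e002", "B. Dubois", "Finance", "Payroll Analyst"),
    Employee("e003", "C. Leroy", "Engineering", "Developer"),
    Employee("e004", "D. Petit", "Finance", "Payroll Analyst", active=False),
]

# Assumed permission table: which derived group may read which HRIS resource.
# Anything not listed is denied (least privilege).
GROUP_PERMISSIONS = {
    "job:HR Manager": {"employee_profile", "salary", "disciplinary_record"},
    "job:Payroll Analyst": {"employee_profile", "salary"},
}


def derive_groups(repo):
    """Map group name -> set of employee ids, built only from active records,
    so a leaver drops out of every group as soon as HR deactivates the record."""
    groups = {}
    for e in repo:
        if not e.active:
            continue
        groups.setdefault(f"dept:{e.department}", set()).add(e.emp_id)
        groups.setdefault(f"job:{e.job}", set()).add(e.emp_id)
    return groups


class AuditLog:
    """Append-only log; each entry's hash covers the previous hash, so editing
    or removing an earlier entry invalidates every later one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"event": event, "prev": prev, "hash": self._digest(prev, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True


def authorize(repo, log, actor_id, resource, subject_id):
    """Decide whether actor_id may read `resource` about subject_id, and record
    the decision (allow or deny) in the audit log before returning it."""
    groups = derive_groups(repo)
    allowed = any(
        resource in GROUP_PERMISSIONS.get(name, set())
        for name, members in groups.items()
        if actor_id in members
    )
    log.append({"actor": actor_id, "resource": resource, "subject": subject_id,
                "decision": "allow" if allowed else "deny"})
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    print(authorize(HR_REPOSITORY, log, "e002", "salary", "e003"))  # payroll: allowed
    print(authorize(HR_REPOSITORY, log, "e003", "salary", "e002"))  # developer: denied
    print(authorize(HR_REPOSITORY, log, "e004", "salary", "e002"))  # leaver: denied
    print(log.verify())
```

Note that the deny decisions are logged as well as the allows; the repeated denials for a leaver's credentials are exactly the kind of event the detection and reaction role described earlier would want to see. In a deployment the latest chain hash would be periodically copied to a store the HRIS application cannot write to, so that wholesale replacement of the log is also detectable.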