Avoid an OPM Nightmare – Protect the Security of Employee Information

So, the Federal government’s HR department was hacked. You’ve probably heard – 22 million former and current federal employees had their personal information stolen (including yours truly). Chances are you know someone who is affected, and chances are they are NOT happy. Some are suing.

Aren’t you glad it wasn’t your HR department that was compromised? But you likely have a lot of sensitive information on file for your employees, including Social Security numbers, dates of birth, addresses, and even health care information. Is it secure?

The Federal government’s Office of Personnel Management may be a juicy target for hackers given the sheer volume of personal information it has on file, but as we’ve discussed in a previous blog, small and medium-sized businesses are also attractive targets for hackers, often because of lackluster security measures. Small companies – those with fewer than 100 employees – were the target of 71% of cyberattacks in 2011; and in 2012, the largest growth in targeted cyberattacks involved small companies with fewer than 250 employees.

What can you do to protect your business’s sensitive information and that of your employees? Some suggestions for securing your networks are:

  • Physically lock away your server and other technical equipment to eliminate unauthorized access.
  • Password-protect computers and other network equipment.
  • Train your staff to recognize malicious attempts to gain information that might allow network access.
  • Ensure that you are shredding all sensitive documents that contain access information.
  • Use proper networking equipment, such as firewalls, to impede network access.
  • Delete all unused email accounts or other types of accounts when employees leave or services change.
  • Enforce strict password guidelines and enforce restrictions on personal devices (a BYOD policy).
  • Perform “penetration tests” on a regular basis. This is where you, or your advisor, attempt to penetrate your own network to test your defenses.
  • Be sure to have up-to-date software, as well as malware and spam filtering services, on all computers and servers.
  • Use external monitoring to identify potential network breaches.
  • Have a verifiable backup and disaster recovery plan and practice it consistently.
  • Plan for an independent security review at least once a year, depending on the size and scope of your technology.

Additionally, consider these best practices for keeping employees’ information safe:

  • Store personnel records in a secure, locked area and limit access.
  • Develop and enforce a policy about who may access employee information.
  • Avoid using Social Security numbers on documents – instead assign an employee number.
  • Consider encrypting Social Security numbers and using encrypted servers to store personal information electronically.
  • Make sure access to sensitive information is password protected.
  • Destroy or shred personal information that’s no longer needed, including usernames and passwords.
  • Verify that any vendors who have access to your employees’ information have secure methods for storing and transmitting it.