Somehow, in recruiting, we not only think we’re marketers, salesmen and strategists simultaneously; of late, it seems, we also fancy ourselves as “hackers.”
There is absolutely nothing that runs more contrary to the ethos of hacking than anything having to do with HR, of course, but that doesn’t stop us from commoditizing and misappropriating a buzzword.
The funny thing is, whether it’s a blog post on “Hiring Hacks” or a how-to on “hacking sourcing,” these conversations are asinine given how thoroughly the word has been corrupted and the context in which it’s being applied. And yet there are few conversations more topical in talent today than that of “hacking.”
But since that word’s been ruined (like so many others) by the other sort of hacks – and by that, I mean content marketers and B2B copywriters – I’m going to use the term “data privacy” instead, because ultimately, that’s what the issue of information security in HR Technology comes down to.
And, increasingly, ensuring that data stays private should quickly become one of our industry’s primary responsibilities.
Compliance: The New Frontier.
Hacking has taken over the headlines recently, thrusting what was a relatively marginal tech topic firmly into mainstream consciousness. The impetus, of course, was the breach and subsequent leak of DNC emails, purportedly carried out under the auspices of the Kremlin.
That a state actor would deliberately target an enterprise email instance for the express purpose of finding and disseminating incriminating employee communications should give everyone using enterprise software at least some pause.
Proprietary information is obviously one of the most important assets at any company. It is also eminently susceptible to a wide range of threats, from state actors set on making a statement and exacting revenge (the North Korean attack on Sony Pictures) to industrial espionage aimed at trade secrets (ThyssenKrupp, Boeing, US Steel).
Your HR and recruiting data is no exception. If you think your employees’ personal information is truly private, and that your system of record is secure, think again.
Every HCM instance is a treasure trove of the kind of data most in demand on the dark web: personally identifiable information, which identity thieves trade on and which is exactly the sort of stuff stored in your system of record.
Names, dates of birth, Social Security numbers, employment and salary histories, names of family members, and even bank account numbers stored for direct deposit make today’s increasingly integrated talent management systems an attractive target. Every integration that syncs those records to a payroll, benefits or background-check vendor is one more copy of that data to protect.
Given the current information security capabilities of most HR technologies, many of these systems are sitting ducks, too. It’s not a matter of if there will be a breach, but when. The sooner HR and recruiting accept this reality, the sooner they can take the steps required to keep employees’ personal data and private information private.
Not every incident, of course, is caused by state actors or international espionage. While state-sponsored hacks have rightfully dominated the headlines (unless, of course, you live anywhere in Russia), when it comes to your own network security, fully 53% of all enterprise breaches come from “internal actors,” a category that spans employees, contractors and anyone else with legitimate access, not outside threats.
Breaking this down further, a recent report on the state of data security from Intel found that 43% of all enterprise breaches, information leaks and data loss can be attributed directly to an organization’s own employees.
These numbers suggest that information security is not only an IT initiative but an HR imperative, too, because the biggest data threat employers face today is their own employees.
Edward Snowden was a contractor, after all, and by most accounts didn’t need to hack into anything; he largely shared information he was already authorized to access. That said, contractors were actually the job level least likely to violate data privacy policies: only 14% of enterprise incidents were caused by contractors, according to a recent survey on information security from the Ponemon Institute (see below).
That pales in comparison to the 33% of incidents caused by executives and senior leaders, and the 39% attributed to individual contributors.
The good news is that this liability to enterprise data privacy can be mitigated and, with the right training, processes and policies, substantially reduced, though never entirely eliminated, because someone will always need legitimate access. Your tech team does whatever it takes to preempt and prevent external threats to your enterprise servers and systems.
Considering the state of cybersecurity, and the obvious vulnerability of ERP systems, it’s imperative for HR and recruiting organizations to adopt a similarly proactive approach to internal data privacy before it’s too late.
Why Data Privacy Is The New Diversity for HR & Recruiting.
For as much attention as we pay OFCCP, EOE/AA and all those other acronyms, the statistical likelihood of actually getting audited is incredibly low. The Department of Labor is chronically understaffed, and even the few audits it does perform in a given year end in penalties that cost a pittance compared to the cost of ensuring compliance.
In 2015, the last full year for which the OFCCP has released statistics, federal contractors paid $11.3 million to settle various violations. That’s not $11.3 million per company; that’s the total every federal contractor (which is to say, most enterprise employers and NGOs) paid in OFCCP penalties during an entire calendar year.
Of course, these puny penalties are the outcome of only a fraction of OFCCP investigations; the clear majority end with charges dropped, abandoned by investigators in all but the most slam-dunk cases.
Sure, the audits can be a pain in the butt, but you’ve got a better chance of winning the lottery than of getting fined by the OFCCP. So for all the resources and attention most employers dedicate to complying with a fairly restrictive set of government regulations, they ignore the bigger, more obvious and infinitely more ominous compliance concern: data privacy and security.
Forget diversity. Data privacy is the new inclusion initiative: no protected class is totally protected.
Compliance audits, the biggest fear of many HR leaders and employers alike, are by any measure an irregular occurrence at best. According to the Department of Labor, the OFCCP has a staff of about two dozen full-time field agents, responsible for closing between 60 and 80 compliance investigations every year.
Trying to properly police the estimated half a million active federal contractors out there is a quixotic task, to say the least, and even these half-hearted efforts are likely to wane, considering that the incoming administration is unlikely to put the same emphasis (and resources) behind fair hiring practices and equal pay enforcement as the outgoing Obama administration.
As they say, “no harm, no foul,” right? And the risks aren’t all that high even if lightning strikes and you actually get caught. So keep calm, carry on, and realize you’ve got way bigger problems to solve than making sure you can abide by the Rooney Rule when slating exempt candidates for an open req.
Conversely, the number of reported breaches spiked some 40% in 2016, to a record 1,093 enterprise data breaches, per a recent study from the Identity Theft Resource Center. Private businesses accounted for an estimated 48% of all breaches.
Compare this to government/military (8%) and financial services/banking (5%), and it looks like enterprise organizations and global employers lag far behind more regulated industries, a capability gap that’s already being exploited and a trend that’s likely to continue. (These are raw counts rather than rates, so part of the gap reflects how many more businesses there are than banks or agencies, but the direction is hard to argue with.)
As if that’s not enough cause for concern, consider the data targeted in these reported incidents. In 37% of cases where personally identifiable information (PII) was breached, physical addresses were compromised, topping the list along with Social Security numbers (32%) and checking account numbers (27%).
This data, of course, is exactly the type of record stored in your system of record.
Identity theft impacts around 3 million consumers a year, costing them in excess of $15 billion, according to recent estimates from Javelin Strategy’s 2016 Identity Fraud Study.
That makes the $11.3 million in OFCCP penalties over the same period look like chump change, comparatively speaking, and for employers the potential cost of compromised data is far greater still.
In 2016, the average enterprise breach exposed a whopping 1.2 million individual records, each ultimately costing organizations around $170 in related recovery and restitution costs.
That works out to somewhere around $200 million per breach, although that average is almost certainly inflated by a handful of mega-breach outliers, and a typical incident costs far less.
That’s one risk no business can afford to ignore, and one opportunity HR can’t afford to pass up.
This is because data privacy represents, at long last, the best chance this function has of finally getting that seat at the table. As mentioned before, it’s IT’s primary job to prevent external breaches, and while they’ve traditionally included employee data and internal actors within their scope, it is by no means the focus of most of their efforts or their information security investments.
The Age of Information.
Which department is responsible for which data has rarely been codified. HR needs to step up and assume accountability for monitoring and proactively preventing internal actors from compromising information, essentially serving as an inward-facing extension of enterprise security efforts.
If HR stakes out this critical competency, it will not only address a real capability gap but also solve an issue the C-suite actually cares about (unlike pretty much anything else having to do with HR, as a rule).
I understand that data privacy is not a discipline most people in HR know the first thing about, but then again, there’s a good chance no one else in your organization does, either. In fact, only about 46% of organizations even have basic employee training on information security, much less a formal policy and codified processes.
Similarly, while building a culture of security is essential, fewer than a third of Fortune 500 organizations have a formal process for employees to report suspected incidents, and fewer than a quarter offer any incentive for reporting them. Those are two obvious areas of opportunity that even the most rudimentary HR function can start addressing almost immediately, without a ton of work or time.
Preventing employees and other internal actors from compromising personal data is an obvious fit for HR today, and an essential core competency every talent pro will need in tomorrow’s world of work.
Seat at the Table.
While executives and senior leaders are responsible for a sizable share of internal incidents, that doesn’t mean this critical business issue isn’t top of mind for the people running most organizations.
In fact, a recent survey by Gartner concluded that a whopping 63% of CEOs cite a “breach of confidential or proprietary personal information” as their top concern for 2017, a number that outpaces even “finding and retaining the right talent,” which has slid from its historical perch to a distant #2 on that proverbial list of what keeps senior leaders up at night.
Consider it a warning sign of the times.
Increasingly, executive leadership understands the real outcome of the seismic shift from the service economy to the information economy over the past decade or so. Their prioritization of personal data over people management underscores one of the emerging truths of talent management today:
People are no longer your greatest assets. The information about those people is.
Relatively few of the CEOs so concerned about PII getting compromised, however, are as worried about more traditional threats: only 24% felt that theft of trade secrets or competitive information represented an “urgent risk,” and a scant 9% considered the shutdown of business software and systems (and the continuity and data recovery issues that follow) a particularly pressing one.
When the same Gartner survey asked CEOs about the biggest obstacles to reducing the risk of internal data breaches, 70% ranked “lack of in-house expertise” as the most significant challenge, and a further 55% cited “lack of internal accountability or ownership” as one of the biggest barriers to reducing the threat of data theft.
That so many C-level executives are so concerned about personally identifiable data in general, and confidential employee information in particular, represents an ideal opportunity to finally get that elusive seat at the table so many HR practitioners have been pushing for (or, more accurately, pining for) for so long.
Just probably don’t refer to it as that if you want to get executive buy in, by the way. Otherwise, that part should be pretty easy.
Since this data has historically been owned by the HR organization, if HR can successfully safeguard it against this critical threat, we become an indispensable, and invaluable, part of any organization’s operational strategy and long-term plans.
This move from administrative cost center to strategic information security function may take time, but there’s no better time than today to start preparing for the threats of tomorrow. This is what the future of HR is going to be all about, which is good news, since information security is way more interesting than employee relations, total rewards or benefits administration.
Trust me on this one.