Chris Priebe

The impact of employee operations (HR, IT) on data security and ISO 27001

Updated: 4 days ago


As the controller of the personally identifiable information (PII) of its employees and customers, a company has a responsibility to protect that data with due care, under requirements such as the GDPR, which is enforced in the UK by the ICO.


But keeping data safe is easier said than done. 88% of UK companies have suffered a breach in the last 12 months, and with an average cost of £16k per breach for UK SMEs, breaches don't come cheap.


ISO 27001 is a good way to signal to customers and investors that you take this seriously, and to make sure you are acting responsibly to keep their data safe.


It also protects you from the damages and fines that can follow a failure to act with due care.


Is my company at risk?


Most likely, yes. You may not be aware of it, but most companies are at risk, and a data breach can have serious consequences, causing financial harm to your company, your employees and your customers.


According to Varonis, most companies are targeted by phishing attacks, and many are exposed through something as ordinary as using email to exchange PII. Let's admit it: we all do it, some of us to a lesser and some to a greater extent.

  • 95% of cybersecurity breaches are caused by human error

  • 90% of data breaches are caused via email

  • 88% of organisations worldwide experienced spear phishing attempts in 2019

  • 37% of malicious email attachments are .doc and .dot files, the most common type, which look harmless

We all know we should do better. These habits make us vulnerable, and a mistake as small as losing an unprotected laptop could expose all the sensitive information a company holds to people who will do anything for financial gain.


What are the consequences?


Research from Sophos shows that phishing and ransomware attacks have risen sharply in just two years: 66% of companies were hit by ransomware in the last year, up from 37% in 2020.


Most companies do not have insurance that covers the damages, and with an average cost of £16k per breach for a UK SME, the cost is significant.


Additionally, if you are found not to have acted with due care, the ICO, the UK's regulatory body for data protection, can issue a fine of up to the higher of £17.5 million or 4% of your total annual global turnover.


What can I do to keep PII data safe and protect myself from breaches?


Whether you are preparing for an ISO 27001 or SOC 2 audit or simply want to improve the way you handle and protect sensitive information in your company, you can do so by using modern software that embeds security right into your existing employee operations processes.


This includes HR software, payroll and software used to manage your IT, such as device management and access control. Modern employee platforms are digitising and automating employee operations to a high degree which significantly reduces the largest risk factor in your organisation: human error.


The following sections give an overview of how to handle PII with due care and reduce the risk of data breaches resulting from incidents such as:


Accidental data breach

For example, exporting data and unintentionally sharing it with someone you should not have (e.g. a typo in the email recipient).


Malicious internal data breach

For example, someone you fired downloads leads or code and takes them to a competitor or sells them online.


Phishing

Phishers have become very professional and can easily impersonate an employee, your accountant or even your CEO to get someone in your company to share or change sensitive information, for example to:

  • change someone's bank account details so that their salary is rerouted to the phisher's own account

  • send tampered wire instructions to your finance team, including wires to the phisher's own account

  • obtain a list of employee data to sell to scammers (used for identity fraud, wire fraud, etc.)


Handling of employee data (PII)


Why it is important

  • You are the controller of your employees’ PII which gives you responsibilities (GDPR, ICO, ISO, etc.)

  • PII includes data like address, bank account information, compensation, national insurance numbers, passport copies, date of birth, emergency contact details and more - it is one of or even the highest risk data you control in your company

  • PII can cause harm to employees if it gets into the wrong hands. In the case of phishing in particular, it is highly likely the phisher will target your employees with scams such as identity fraud or wire fraud

  • Data breaches that are likely to cause harm must be reported to the ICO (within 72 hours of becoming aware of them), and you may be fined if it concludes you did not act with due care

What you need to do

  • Never share PII unprotected via email, and particularly not with external parties such as accountants. This carries a high risk of accidental data breach (a small typo in the recipient plus Google autocomplete happens often) and of phishing. 90% of all data breaches are via email

  • To handle data with due care, either let employees enter their data themselves where you need it, or make sure the data is password protected or encrypted before sharing it via email, or use an access-restricted cloud drive
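
The two email risks above (a mistyped recipient and PII leaving the company unprotected) can both be caught before a message is sent. The following is an added example, not code from the original page or from Zelt: a pre-send check that flags recipients outside the company domain, spots recipient domains that look like a typo of a known partner domain, and scans the subject, body and attachment text for UK National Insurance numbers and sort-code/account-number pairs. The company domain `example.com`, the partner allowlist, the sample message and the attachment text are all constructed for the example.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

INTERNAL_DOMAIN = "example.com"                      # assumed company domain
APPROVED_EXTERNAL = {"acme-accountants.co.uk"}       # assumed allowlist of partners

# UK National Insurance number: two prefix letters (D, F, I, Q, U, V never used;
# O not used as second letter; BG GB NK KN TN NT ZZ not allocated), six digits, suffix A-D.
NI_RE = re.compile(r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z][0-9]{6}[A-D]\b")
# UK sort code (nn-nn-nn) followed by an 8-digit account number.
BANK_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike(domain: str, known: set, threshold: float = 0.8) -> Optional[str]:
    """Return a known domain this one closely resembles but does not equal (a probable typo)."""
    best, best_ratio = None, 0.0
    for good in known:
        ratio = SequenceMatcher(None, domain, good).ratio()
        if ratio > best_ratio:
            best, best_ratio = good, ratio
    if best is not None and best != domain and best_ratio >= threshold:
        return best
    return None


def find_pii(text: str) -> list:
    """PII patterns found in a piece of text, labelled by type."""
    hits = [f"ni_number:{m}" for m in NI_RE.findall(text)]
    hits += [f"bank_details:{m}" for m in BANK_RE.findall(text)]
    return hits


def check_outbound(recipients: list, subject: str, body: str, attachments: dict) -> dict:
    """Decide whether a message may be sent. attachments maps filename -> extracted text."""
    findings = []
    external = [r for r in recipients if domain_of(r) != INTERNAL_DOMAIN]
    for r in external:
        d = domain_of(r)
        if d in APPROVED_EXTERNAL:
            continue
        near = lookalike(d, APPROVED_EXTERNAL | {INTERNAL_DOMAIN})
        if near:
            findings.append(f"recipient {r} looks like a typo of {near}")
        else:
            findings.append(f"recipient {r} is an unapproved external domain")
    pii = find_pii(subject + "\n" + body)
    for name, content in attachments.items():
        pii += [f"{name}:{h}" for h in find_pii(content)]
    # PII to any external recipient, approved partner or not, must not go by plain email.
    if pii and external:
        findings.append(f"PII addressed to external recipients: {pii}")
    return {"verdict": "block" if findings else "allow", "findings": findings}


if __name__ == "__main__":
    # Constructed sample: one recipient domain has a missing letter, the CSV carries bank details.
    result = check_outbound(
        recipients=["payroll@example.com", "jo@acme-acountants.co.uk"],
        subject="March payroll",
        body="Please process. New starter NI: AB123456C",
        attachments={"payroll.csv": "name,sort,acct\nA Person,12-34-56 12345678"},
    )
    print(result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```

The check is deliberately conservative: PII going to an approved accountant is still blocked, because the point of the control is that PII does not travel by plain email at all, and the sender is pushed towards the access-restricted drive or platform instead. The regexes only cover two UK identifier formats; a real deployment would extend `find_pii` to whatever the company actually holds.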

How Zelt solves it

Zelt is the single interface for all employee data. Personal data is provided and kept up to date by employees themselves and it never leaves the platform. Any external parties such as accountants can be given access and you can determine precisely what they can see or not see, and you can easily take away access again. This removes the use of emails for PII exchange and significantly reduces risk.



Employee access to company systems


Why it is important

  • Company systems contain sensitive and valuable data, that many different types of people would like to get access to for different reasons, usually financial ones

  • If a data breach occurs because you did not act with due care you can be made liable for the damages caused by them (I received £3,000 from BA for their last data breach).

  • The more people who hold access rights they should not have, the higher the risk of a breach, especially for users not aware of the risks. Risks include

What you need to do

  • Have a system in place that lets you see what access an individual has to every company system at a given time, and at what permission level (Google, GitHub, AWS, HubSpot, Intercom, QuickBooks, Slack, etc.)

  • Ensure, and monitor continuously, that people have access on a need-to-know, least-privilege basis, and in particular that no one holds access they should not have (e.g. former employees, or someone who needed access briefly but no longer does)

  • Keep an eye on high-risk access, e.g. a consultant's access to your AWS account or an accountant's access to your employee data, and reduce it to the minimum needed at any given time

  • Be able to shut off a person's access to all company systems quickly when needed (e.g. if you fire someone or they lose their laptop)
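
The four steps above amount to a periodic access review: reconcile what each system says about who has access with what HR says about who still works for you, then revoke or escalate. The following is an added example, not code from the original page or from Zelt, that does this over a constructed HR roster and a constructed export of grants from several systems. The system names, role names, the `HIGH_RISK_SYSTEMS` and `PRIVILEGED_ROLES` sets and all the sample people are assumptions for the example; real exports would come from each system's admin API.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

HIGH_RISK_SYSTEMS = {"AWS", "GitHub", "HR"}                      # assumed: where a breach hurts most
PRIVILEGED_ROLES = {"admin", "owner", "AdministratorAccess"}     # assumed role names per system


@dataclass(frozen=True)
class Employee:
    email: str
    status: str                   # "active" or "left"
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Grant:
    system: str
    account: str                  # login / email in that system
    role: str
    granted_on: date
    granted_by: str               # who approved it, for the audit trail
    expires_on: Optional[date] = None   # set for temporary access


def classify(g: Grant, emp: Optional[Employee], today: date) -> tuple:
    """Return (action, reason) for one grant: 'revoke', 'review' or 'ok'."""
    if emp is not None and emp.status == "left":
        return "revoke", f"account holder left on {emp.left_on}"
    if g.expires_on is not None and g.expires_on < today:
        return "revoke", f"temporary grant expired on {g.expires_on}"
    privileged = g.system in HIGH_RISK_SYSTEMS and g.role in PRIVILEGED_ROLES
    if emp is None and privileged:
        return "review", "privileged access with no HR record (contractor or orphaned account)"
    if emp is None:
        return "review", "no HR record for this account"
    if privileged:
        return "review", f"privileged access on high-risk system (granted by {g.granted_by} on {g.granted_on})"
    return "ok", ""


def review(roster: list, grants: list, today: date) -> dict:
    """Reconcile system grants against the HR roster; also builds a per-person access inventory."""
    people = {e.email.lower(): e for e in roster}
    report = {"revoke": [], "review": [], "ok": [], "inventory": {}}
    for g in grants:
        acct = g.account.lower()
        report["inventory"].setdefault(acct, []).append(f"{g.system}:{g.role}")
        action, reason = classify(g, people.get(acct), today)
        report[action].append((g.system, g.account, g.role, reason))
    return report


def offboard(grants: list, email: str) -> list:
    """Everything to shut off for one person, e.g. on dismissal or a lost laptop."""
    return [(g.system, g.role) for g in grants if g.account.lower() == email.lower()]


# Constructed sample data for the example.
ROSTER = [
    Employee("alice@example.com", "active"),
    Employee("bob@example.com", "left", date(2024, 3, 31)),
    Employee("carol@example.com", "active"),
]
GRANTS = [
    Grant("GitHub", "alice@example.com", "member", date(2023, 1, 10), "cto@example.com"),
    Grant("AWS", "alice@example.com", "AdministratorAccess", date(2024, 1, 15), "cto@example.com", date(2024, 2, 1)),
    Grant("Slack", "alice@example.com", "member", date(2023, 1, 10), "it@example.com"),
    Grant("Hubspot", "bob@example.com", "admin", date(2022, 6, 1), "ceo@example.com"),
    Grant("AWS", "consultant@contractor.io", "AdministratorAccess", date(2023, 11, 3), "cto@example.com"),
    Grant("GitHub", "carol@example.com", "owner", date(2021, 4, 20), "cto@example.com"),
]

if __name__ == "__main__":
    report = review(ROSTER, GRANTS, date(2024, 4, 15))
    for action in ("revoke", "review"):
        for system, account, role, reason in report[action]:
            print(f"{action.upper():6} {system:8} {account:28} {role:20} {reason}")
    print("offboarding alice would remove:", offboard(GRANTS, "alice@example.com"))
```

Run on the sample data, the review revokes Bob's HubSpot admin (he left two weeks ago) and Alice's expired temporary AWS administrator access, and escalates two grants for a human decision: the consultant's standing AWS administrator access with no HR record behind it, and Carol's GitHub owner role. The inventory and `offboard` answer the remaining two questions from the list: what does one person have right now, and what must be cut when they go.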

How Zelt solves it

Zelt lets you connect the software used within your company, such as Google Workspace, GitHub, HubSpot or Slack, so that you can see who has access to what and to what extent, and make changes with a click. Not only can employees request access via Zelt themselves, but Zelt keeps a log of who granted access and automatically reminds you to remove all access when you off-board an employee.



Security of employee company devices


Why it is important

  • A laptop without a password can be used by an unauthorised person (e.g. if it is stolen) to reach sensitive company systems, resulting in a data breach and harm to the company, e.g. if that person deletes your HubSpot account or your AWS environment, or sells your leads and customer lists to a competitor

  • Every lost or stolen device that is not password protected and encrypted is likely to be a data breach, because the data stored locally on it may include sensitive information such as PII

What you need to do

  • Maintain a real-time asset register of all company devices, with their details, who has access to each one and how it is secured

  • Secure every company endpoint: enforce password rules and device encryption, install anti-virus software, and monitor update status and force updates

  • Be able to remotely lock or wipe a device at risk, e.g. if it is lost or stolen or its user is fired

  • Use zero-touch deployment to ensure that every device adheres to your company policies from the moment it is activated

How Zelt solves it

Zelt lets you connect the company-owned and BYOD devices used by employees to the platform, which allows you to maintain a real-time asset register and see who has access to which device. Zelt's MDM functionality lets you enforce security settings including password protection, encryption and OS updates, and perform remote actions such as wiping or locking a device when you off-board an employee or a device gets lost.



Use Zelt to handle data with due care and be compliant


If you are preparing for an ISO 27001 or SOC 2 audit, or just want to improve the way you handle and protect sensitive information in your company, the best way to do it is with modern software that embeds security right into your existing employee operations processes.


Zelt is a next-generation employee platform that enables you to do just that without changing the way you work or adding any friction to your team.
