A critical analysis of a specific aspect of information security within an organisational context, written for Managing Enterprise Information and Knowledge. Zarah Zamora-Arroyo
Master of Digital Information Management, University of Technology Sydney
HRIS: Boon or Bane?
The role of Human Resources (HR) in every organisation has become pivotal in recent years. HR is continuously challenged to find ways in which the organisation can thrive in this information era. Given the bulk of information that HR handles, it is one of the departments that rely on a management information system. The Human Resource Information System (HRIS) was created for this purpose, and it holds highly sensitive data such as social security numbers, payroll information and, in some highly sophisticated systems, even medical information (Rietsema, 2018). This information assists management in the pursuit of the organisation’s mission and vision. The HRIS is viewed as a tool for improving HR operations such as recruitment, learning and development, performance management, career pathing, succession planning, and even the computation of leave credits and payroll. The HRIS database maintains all these inventories for transaction processing, reporting and tracking (Chauhan et al., 2011). With all this information in one place, leaks and data breaches of the HRIS can be detrimental to both the employees and the organisation. It is therefore imperative to take steps to ensure that the information is safe from internal as well as external threats. This essay discusses some of the information security issues of the HRIS through a case study, including the information challenges faced by HR and information professionals. Emerging developments in the information security domain that can avoid, or at least minimise, such problems are also explored.
Information, as we all know, is an essential tool for managers in the recruitment, utilisation and evaluation of human resources in organisations. Information systems facilitate human resource management, which includes employee record keeping, performance management, and benefits and compensation reports; these records are valuable as well as sensitive, which is why they are tempting to hackers and thieves (Rietsema, 2018). Data breaches happen, and they can damage an organisation’s reputation. Before looking closely at a specific case on information security, it is worth noting that the first ever HRIS was pioneered by General Electric in the 1950s as a conversion of the manual record-keeping system into digital applications. In this day and age, the HRIS has evolved from mere data storage into a more fluid tool that adopts methods for sorting, filtering and accessing information, aimed at the efficient management of business operations (CompareHRIS, 2018). In the study conducted by Beadles, Lowery and Johns (2005), 80% of HR directors noted that the HRIS improved the usefulness of information as well as their ability to disseminate it, and 90% of HR managers reported that the HRIS added value to the organisation. HR professionals are considered to add value to organisations because the HRIS frees up their time, allowing greater involvement in strategic organisational decisions (Bussler and Davis, 2002; Hussain, Wallace and Cornelius, 2007). It is noteworthy that the HRIS has become an enterprise-level solution that has attracted vendors such as Oracle-PeopleSoft, CheckPointHR and many others.
Case Study on InfoSec Challenges of HRIS
As promising as it may seem, the HRIS has its own diverse challenges: system considerations in designing a solution suited to a specific organisation’s needs and resources, especially cost; implementation issues such as acceptance by staff, change management, integration and maintenance; the technical know-how of the HRIS administrators; and information security and privacy (Kavanagh et al., 2012). This essay focuses on the last of these, because data stored electronically and used across networks makes information security management a complex and challenging undertaking. It includes protecting the information in the HRIS from unauthorised access, use, disclosure, disruption, modification and destruction. One very controversial data leak in 2014 was that of Sony Entertainment, which exposed the private information of more than 15,000 current and former employees, including social security numbers, birthdates and home addresses. It cost the company US$8 million (A$11 million) in settlements. Hackers had broken into the company’s computers and released thousands of personal records in an attempt to derail the release of the North Korea-themed comedy film The Interview (BBC News, 2015). The employees argued that they suffered economic harm from the stolen data. The attack led to massive amounts of data being wiped out, along with the online distribution of emails, personal and sensitive employee data, and pirated copies of new films. Furthermore, Sony was sued by former employees who claimed that the company’s negligence caused them economic harm by forcing them to step up credit monitoring to address their increased risk of identity theft. In an article entitled “Inside the Sony Hack”, Amanda Hess described what it was like to be a rank-and-file Sony employee as the unprecedented cyberattack tore the company apart; some employees called it an “epic nightmare”.
Hess noted that the Sony breach was a blip compared to the 783 data breaches of businesses, banks, schools, health care outfits and government systems recorded by the Identity Theft Resource Center that year; together they exposed 85 million sensitive records, including health histories, bank details and account passwords. In the same article, Hess reported that days after the hack the company’s information professionals set up a hotline for employees to call with questions about identity theft. Even as the company provided tech support to get the systems back online, some employees suspected that the old PR guy who had left on bad terms, or one of the IT staff, had a hand in it. But on December 19 the FBI publicly pinned the hack on North Korea.
The leak of information threatened personal financial futures, and the destruction of property threatened livelihoods (Hess, 2015). Most of these threats were felt by executives rather than by employees lower on the totem pole, who had little fear of their emails being sensationally posted in tabloids, since nobody would be interested in them. This data breach, however, was a wake-up call not just for the organisation but for the employees as well. On a more personal level, some became more careful about the tone and content of their professional emails. It also made employees prefer face-to-face conversation to endlessly ping-ponging tasks between one another by email, since they could talk things out faster than they could type. Beyond these realisations, the data leak cost Sony a great deal of money. Sony paid up to US$2.5 million, or US$10,000 per person, to reimburse employees for identity theft losses, and up to US$1,000 per person to compensate them for protective measures they took after the cyberattack. It also agreed to pay up to US$3.49 million to cover legal fees and costs, according to court papers. US District Judge Gary Klausner rejected Sony’s bid to dismiss the lawsuit, ruling that the employees could pursue their claims that Sony was negligent and had violated a California confidentiality law. Outsiders may have feasted on the hack, but the HR and IT departments had to put in extra working hours and a great deal of hard work.
The Cost of Data Breach
Looking at the Sony hack, we can see that data breaches happen and are treated as negligence on the part of the HR and IT departments. HRIS technology has to build up and fiercely guard firewalls to protect the organisation’s employees’ rights, records and privacy (compareHRIS.com). Sony, a large company, was hacked and enough employee data was taken to remind us of the risks incurred in holding personal information and to make us doubt that absolute information security exists. Employee information held in an HRIS is an especially enticing goldmine for data thieves, and such hacks now outnumber credit card information hacks. Balancing data security with the need for access and analysis is daunting; routine business processes often involve passing sensitive information around in unprotected spreadsheets, and breaches have stemmed from this mishandling of data in motion (Lambert, 2019). Some pain points that HR and IT professionals handling an HRIS have to deal with can be seen in the light of the Sony hack. One of the hardest lessons to accept is that we may do all sorts of things to protect ourselves online, yet the employer may be laissez-faire about the whole thing (Tsotsis, 2015). In 2015, two employees filed a case in federal court against Sony on this ground, alleging that the company did not take enough precautions to keep employee and employee family data safe. Tech blog reporting noted that Sony was aware of the insecurity of its network and accepted the risk, and took Sony to task for using DDoS attacks to protect its leaked films but not its employee data (Tsotsis, 2015). Kashmir Hill reported that there were only 11 people on the Sony information security team at the time of the hack, and that sensitive files on the network were neither encrypted internally nor password-protected.
In a 2007 interview, Sony Director of Information Security Jason Spaltro said that “it’s a valid business decision to accept the risk” of a security breach: he would not invest US$10 million to avoid a possible US$1 million loss. That decision did a great deal of damage, with the total cost estimated at US$100 million after all was said and done. This is clearly a manifestation of poor data management policies, or of poor enforcement of them. Sophisticated attackers can inflict serious harm if organisations are not proactively vigilant about information security (Steinberg, 2014).
On Point with Data Security of HRIS
When databases and information are used online, there is a chance that they will be misused or that security issues will arise. Organisations should frame policies for the use of online data that comply with international and national standards of information system usage (Krishnan & Singh, 2006). HR policies on the monitoring of data by employers, the terms and conditions of use of the data and HRIS features, and data sharing should be explicitly stated. Privacy concerns, how to use the HRIS, password protection procedures and standards, access rights settings, and the purpose for and amount of data collected should all be addressed (Hubbard and Forcht, 1998). All of this can be done through proper orientation and training by the HR and IT departments. But even when policies are clear, employees may still fail to comply with them. Lambert (2019) cited a study on data privacy in which 87 per cent of companies had employees who did not notify anyone when a USB drive was lost, 70 per cent had employees who carried confidential business information when travelling, 65 per cent had employees who left their computers unattended, and 69 per cent did not mandate a device password or key lock on personal devices. Therefore, one of the most effective ways to protect data is to restrict access to it and ensure that it cannot be stored on an employee’s device. It comes down to this: managing end-user data privileges must also be given high importance.
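One way to enforce the access restriction and end-user privilege management described above is deny-by-default, field-level access control over HRIS records. The following is an added illustration, not code from the essay or from any HRIS vendor; the roles, field names, sample record and SSN masking rule are constructed assumptions.

```python
"""Deny-by-default, field-level access control for HRIS records.

Added illustration, not code from the essay or any HRIS product: the
roles, field names, sample record and masking rule are assumptions.
"""
from typing import Dict, List, Set

OWN_FIELDS = {"name", "email", "leave_balance", "payroll", "ssn"}
# Fields a role may read, keyed by the viewer's relationship to the record
# owner. Any field not listed is denied, so the default is least privilege.
FIELD_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "employee": {"self": OWN_FIELDS, "other": {"name", "email"}},
    "manager": {"self": OWN_FIELDS, "report": {"name", "email", "leave_balance"},
                "other": {"name", "email"}},
    # Medical data is visible only to HR administrators viewing others' records.
    "hr_admin": {"self": OWN_FIELDS, "other": OWN_FIELDS | {"medical"}},
}

# Constructed sample record; the SSN is a placeholder, not a real number.
EMPLOYEE_E100 = {
    "id": "E100", "manager_id": "E200", "name": "A. Example",
    "email": "a@example.org", "leave_balance": 12, "payroll": 5200,
    "ssn": "000-00-1234", "medical": "constructed note",
}

def relationship(viewer_id: str, record: dict) -> str:
    """Is the viewer the record owner, the owner's manager, or neither?"""
    if viewer_id == record["id"]:
        return "self"
    if viewer_id == record.get("manager_id"):
        return "report"
    return "other"

def mask_ssn(ssn: str) -> str:
    """Only the last four digits ever leave this read path."""
    return "***-**-" + ssn[-4:]

def read_record(viewer_id: str, role: str, record: dict, audit: List[dict]) -> dict:
    """Return only the fields the policy grants; unknown roles see nothing."""
    policy = FIELD_POLICY.get(role, {})
    allowed = policy.get(relationship(viewer_id, record), policy.get("other", set()))
    granted, denied = {}, []
    for name, value in record.items():
        if name in ("id", "manager_id"):  # structural keys, not HR data
            continue
        if name in allowed:
            granted[name] = mask_ssn(value) if name == "ssn" else value
        else:
            denied.append(name)
    # Every read, granted or denied, leaves an audit trail for incident response.
    audit.append({"viewer": viewer_id, "role": role, "record": record["id"],
                  "granted": sorted(granted), "denied": sorted(denied)})
    return granted
```

The audit list is what an HR or IT team would review after an incident to see who read which sensitive fields and when access was refused.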
As HR and information professionals, we must be aware of the potential downside of failing to meet information security challenges. That is why creating an HRIS that follows the three main principles of confidentiality, integrity and availability is essential (Kavanagh et al., 2012). The same authors discuss the HRIS components, which include hardware, software and communications. In the Novartis case presented by Brenna Erickson (2014), the HRIS initiated in 2001 identified those components in its plan, which also included HR priorities and strategies. Although there were technological difficulties, organisational challenges and issues with management roles, Novartis was able to treat these challenges as lessons learned and a way forward to create buy-in for an improved HRIS.
In recent years, HRIS vendors have learned lessons from past data breaches that had a high impact on the integrity of an organisation. Employees are keen to know their rights regarding the storage, access and use of their personal information. HRIS providers are confident in their products and stay on top of their technology to prevent leaks and other system issues; some even provide education and training on information security. However, choosing the most appropriate HRIS depends on the organisation’s goals and needs, and while such a system is costly, it may well be worth the price. As we learned from Sony, an ounce of prevention is better than a pound (millions worth) of cure.
Beadles, N.A., Lowery, C. & Johns, K., 2005, The Impact of Human Resource Information Systems: An Exploratory Study in the Public Sector, Communications of the IIMA: Vol. 5: Iss. 4, Article 6., <https://scholarworks.lib.csusb.edu/ciima/vol5/iss4/6>.
Bussler, L. & Davis, E., 2002, Information Systems: The Quiet Revolution in Human Resource Management, Journal of Computer Information Systems, Vol. 42:2, 17-20, DOI: 10.1080/08874417.2002.11647482.
Chauhan, A., Sharma, S. K., & Tyagi, T., 2011, Role of HRIS in Improving Modern HR Operations. Review of Management, 58-70.
Erickson, B., 2014, Novartis Case Study, viewed 09 May 2019, <https://prezi.com/8-qvm3t43g1z/novartis-case-study/>.
Fischer, E., 2016, Cybersecurity Issues and Challenges: In Brief, Congressional Research Service Report.
Hess, A., 2015, Inside the Sony Hack: What it was like to be a rank-and-file Sony employee as the unprecedented cyberattack tore the company apart, Slate Group, viewed 09 May 2019, <http://www.slate.com/articles/technology/users/2015/11/sony_employees_on_the_hack_one_year_later.html>.
HRIS Security Awareness – Do you share the burden?, 2015, compareHRIS.com, viewed 09 May 2019, <https://www.comparehris.com/blog/hris-security-awareness-share-burden/>.
Hubbard, J., & Forcht, K., 1998, Computer Viruses: How companies can protect their Systems, Industrial Management and Data Systems, Vol. 98, Issue: 1, pp. 12-16, <https://doi.org/10.1108/02635579810199>.
Hussain, Z., Wallace, J. & Cornelius, N., 2007, The Use and Impact of Human Resource Information Systems on Human Resource Management Professionals, Information and Management, Vol. 44 (1): 74-89, DOI: 10.1016/j.jm.2006.10.006.
Identity Theft Resource Center, viewed 09 May 2019, <https://www.idtheftcenter.org/>.
Jahan, S., 2014, Human Resource Information System (HRIS): A Theoretical Perspective, Journal of Human Resource and Sustainability Studies, 2014, 2, 33-39, published online June 2014 in Scientific Research, <http://dx.doi.org/10.4236/jhrss.2014.22004>.
Kavanagh, M., Thite, M., 2009, Human Resource Information Systems: Basics, Applications, and Future Directions (1 ed), Sage Publications, Inc.
Krishnan, S., Singh, M., 2006, Issues and Concerns in the Implementation and Maintenance of HRIS, Indian Institute of Management, Ahmedabad-380 015, India, WP No. 2006-07-01.
Lambert, N., 2019, The HR dilemma: Balancing data access and analysis with security, Sapho Inc., Citrix, viewed 09 May 2019, <https://www.sapho.com/blog/the-hr-dilemma-balancing-data-access-and-analysis-with-security/#>.
Moon, M., 2015, Sony settles with employees affected by massive data breach, Engadget, viewed 09 May 2019, <https://www.engadget.com/2015/09/03/sony-employee-settlement/>.
Rietsema, D., 2018, How Can You Make Sure the Information in Your HRIS is Secure?, HRIS Payroll Software, viewed 09 May 2019, <https://www.hrispayrollsoftware.com/make-sure-your-hris-information-is-secure/>.
Sokol, C., 2018, Privacy in the Workplace – Use an HRIS, compareHRIS.com, viewed 09 May 2019, <https://www.comparehris.com/privacy-in-the-workplace/>.
Sony pays $11m to settle with staff over hack, 2015, IT News, viewed 09 May 2019, <https://www.itnews.com.au/news/sony-pays-11m-to-settle-with-staff-over-hack-410814>.
Sony Pays up $8m over employees’ hacked data, 2015, BBC News, viewed 09 May 2019, <https://www.bbc.com/news/business-34589710>.
Steinberg, J., 2014, Massive Security Breach at Sony—Here’s What You Need to Know, Forbes.com, viewed 09 May 2019, <https://www.forbes.com/sites/josephsteinberg/2014/12/11/massive-security-breach-at-sony-heres-what-you-need-to-know/#dc99fe844d85>.
Tsotsis, A., 2015, Employee Data Breach The Worst Part of Sony Hack, techcrunch.com, viewed 09 May 2019, <https://techcrunch.com/2014/12/16/hack-sony-twice-shame-on-sony/>.
Zafar, H., 2012, Human Resource Information Systems: Information Security Concerns for Organizations, Human Resource Management Review 23 (2013) 105-113, Elsevier Inc. <http://modir3-3.ir/article-english/article245.pdf>.