The importance of HR data protection for employers

Navigate the world of information security for employers, and learn more on the importance of HR data protection and how this relates to HR technology.

How often do you access the internet? Whether you’re checking client details or processing a sale from your desktop computer, or reading company news from your mobile device, you’re probably logging on more than once or twice a day! 

In fact, according to Sensis, 87% of Australians are spending more than 10 hours a day online. With over 3.7 billion people around the world using the internet and thousands of new apps being created each week, it makes sense to use technology to improve efficiency and visibility both in our personal and professional lives.

But with the advantages come risks, and the more comfortable we become sharing and transacting online, the more important – and challenging – it is to keep information safe and secure.

Few people are aware of the mammoth task of making a product secure, so I thought it’d be great to sit down with Adam Altounyan, our Head of Information Security, to find out more about working with clients to address their most pressing security needs.


Joy Adan (JA): Hi Adam! Tell us a bit about your role as Head of Information Security. Given that RG is focussed on improving employee engagement, why is security so important to the services we offer?

Adam Altounyan (AA): At Reward Gateway, we offer a platform for businesses to improve their employee engagement, and in order to do this, our clients have to trust us with their employee data.

So security is not a chore or something that we have to do for compliance reasons, rather, it’s one of the reasons we exist and why companies can confidently partner with us.

With that in mind, I get involved with almost every aspect of the organisation. This includes working with our product teams to ensure we bake privacy and security into everything, or working with my team to ensure our network and infrastructure is designed and maintained in the best way possible. We also build and run awareness campaigns throughout the year to develop staff security knowledge, and make sure our Information Security Management System (ISMS) is up to date.

JA: Wow, so not that much on, then?! You sound pretty busy, which makes sense given the current climate. Security is a top priority for our clients. How do you live up to expectations?

AA: Along with all the ongoing responsibilities I mentioned above, I spend lots of time ensuring we are handling customer data properly, and making sure we’re able to communicate how we do this to our customers and existing and prospective clients.

JA: Does privacy fall under this remit?

AA: Absolutely. Security is more than just keeping things secure. Privacy is a fundamental human right, and today this right is seriously under pressure from advertisers, social media, governments and others.

We have to ensure the products we create do not erode our customers’ privacy and do not facilitate surveillance and monitoring. It’s one reason why we don’t share the detail of our members' spending activities with their employers. This is also key for engagement. A member is much less likely to use our platform if they believe their employer is going to get a report on what they’ve bought last weekend!


It takes a village to make everyone’s information secure

JA: I know that we use an "onion" layered approach to security here. Can you break that down for me?

AA: Yes, so we have a multilayered approach to keeping company data safe and sound. This is known as “defence in depth,” which is best explained as an onion!

The concept is that we’re protecting our critical assets in the middle of the onion: Our customer data. We then add layers upon layers around our assets to protect them.

JA: Why is all of that necessary?

AA: Rather than relying on one control (or layer) such as a firewall, we implement multiple layers of controls using different technology, processes and vendors. This approach comes from the assumption that eventually, a control is going to fail – your firewall may get compromised and if you relied just on that, it's game over.

Making security relevant for employees

JA: Can you suggest a way to make staff more engaged with security?

AA: Yes! Security and privacy are key to all our lives. Whether it’s learning what settings are available on Facebook to protecting your home network to keep your kids safe or monitoring your personal banking, it all matters. I find if you offer development which applies to people's personal lives, they quickly learn and start applying these principles to work automatically.

JA: Any other suggestions?

AA: All companies should make sure they make a big push of “security awareness.” This is usually teaching your employees to be careful around common areas like web browsing and email. We try to go even further than this and develop our staff as privacy and security experts.

JA: That makes sense, but I find lots of information about security and privacy practices is really complex, technical and full of jargon. How can a company eliminate this from the way it explains its own policies?

AA: Great question. I started my career when I was a teenager, doing over the counter support and sales in a local computer shop. One of my proudest memories is teaching a 104-year-old how to use a computer and browse the internet! As such, I think it’s so important to know your audience. A weekly blog, with zero jargon, for all of your teams, loaded onto a company's internal communications platform or other employee-facing communications can be extremely useful. Here's one I did earlier this year:


When addressing a whole company, it’s not “dumbing down” content, it’s realising what content they need to know and what they don’t. I will often draft out my blogs and then run them by both a technical and a non-technical colleague and get their feedback before anything goes live, and would definitely recommend this.

If our clients aren’t comfortable with the topic or simply need a hand educating other employees in their organisation, we help them by setting up security briefings so that everyone is informed and understands how we keep data secure.  


Five ways to improve security on employee engagement technology

JA: Can you take me through some of the common things clients are doing to improve security on their end?

AA: Due diligence is one thing that we’ve seen a large increase of focus on. Many of our clients want to ensure we meet their rigorous security standards and prove this to them. This usually comes in the format of questionnaires, on-site audits and penetration tests.

JA: What could another company do if they’re asked to complete something similar?

AA: Compile all of their resources that best answer most commonly asked questions around the topic and make it available in one download. We did that here: rg.co/security.

Getting certified can also help customers be confident that you will handle their data appropriately. We are ISO27001 certified and have been since 2010.

JA: What about everything that has happened with GDPR this year?

AA: The Data Protection Act 2018 (GDPR) is high on everyone’s radar this year! This is a topic that comes up in every conversation with every prospect, and rightfully so. We’ve designed our platform and products with privacy in mind and we’ve built tools to help as well.

JA: Could other companies implement these same tools?

AA: Absolutely, or similar! Our members can exercise their rights from within our platform with no hassle. We have self-service tools for a “Download My Data” (Right of access) and “Delete My Account” (Right to erasure).

JA: Okay, and one more security issue and solution for good luck?

AA: The issue: Accessing platforms securely. The solution: Support "single sign-on." We use this system and it means employees can log in to Reward Gateway without remembering a separate password, just using their existing company credentials.

By promoting single sign-on, customers are in more control of how their employees log in to our platform – they can manage things like Multi-Factor Authentication and their own password policies. We recommend everyone use single sign-on if they have an existing provider (we actually offer it for no additional cost).

JA: Finally, what is your first priority when it comes to security?

AA: Our customers and their members need to be confident that when they use our platform, their data and activity is kept secure and private.

That’s my biggest mission and what drives me to keep improving.