We are all OPM: Securing Sensitive HR Data

The Office of Personnel Management (OPM) “manages the civil service of the federal government, coordinates recruiting of new government employees, and manages their health insurance and retirement benefits programs.” They are effectively the world’s largest Human Resources department looking after some of the most sensitive personnel data.

In June 2015, the OPM announced the first of two data breaches, which together exposed the personal and sensitive information of over 25 million individuals. Last Friday the OPM breach was back in the news when the Federal Bureau of Investigation arrested Chinese national Yu Pingan. Yu is the alleged author of the Sakula Remote Access Trojan (RAT), the malware reportedly used in the attack on the OPM.

It’s a safe bet that the OPM has made major improvements in its ability to secure HR data since the breaches were discovered two years ago. Has your organization made similar progress?

Answer these simple questions to find out if your HR data is as secure as it should be:

  1. Do you know how much it would cost if your organization experienced an HR data breach?
  2. Do you know where all the HR data resides (because it is never in just one place: exports, spreadsheets and email attachments spread it across file servers, SharePoint and cloud storage)?
  3. Is all the HR data encrypted, wherever it resides?
  4. Are IT and HRIS administrator accounts prevented from decrypting and viewing sensitive HR data?

Here are some helpful resources if you answered “no” to any of these questions:

  1. A quick and easy risk calculation for HR data and Personally Identifiable Information (PII)
  2. A data discovery tool to find HR data in file servers, SharePoint and Office 365
  3. Transparent data encryption for HR data in SharePoint or any other web service
  4. Privileged user access control to help prevent data theft that results from compromised administrator accounts
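The second question and the data discovery item above are about finding HR data that has leaked outside the HR system. The following script is an added example, not a Covata tool or any code from the original post: it walks a directory tree, scores each text-like file by how many PII-shaped values it contains (US SSN, date of birth, email address), and totals the hits per directory so you can see where the data actually lives. The patterns, file-type list and sample files are assumptions for the demonstration; the sample records are constructed and describe no real person.

```python
import os
import re
import tempfile
from collections import Counter

# Assumed PII patterns for a US-centric HR dataset. A real scan would add
# national IDs, bank account formats, passport numbers, etc.
PATTERNS = {
    # SSN: rejects area 000/666/9xx, group 00 and serial 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # ISO date of birth with a plausible month and day.
    "dob": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
}
# Assumed set of file types worth reading as text (binary formats need parsers).
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}


def scan_text(text):
    """Return {pattern_name: match_count} for the patterns found in one document."""
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items() if rx.search(text)}


def scan_tree(root, min_hits=1):
    """Walk root, scan text-like files and return [(path, hits)] sorted by total hits, highest first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in TEXT_SUFFIXES:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    text = f.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            hits = scan_text(text)
            if sum(hits.values()) >= min_hits:
                findings.append((path, hits))
    findings.sort(key=lambda item: sum(item[1].values()), reverse=True)
    return findings


def summarize_by_dir(root, findings):
    """Total the hits per directory (relative to root) to show where HR data has spread."""
    by_dir = Counter()
    for path, hits in findings:
        rel_dir = os.path.relpath(os.path.dirname(path), root).replace(os.sep, "/")
        by_dir[rel_dir] += sum(hits.values())
    return by_dir


def build_sample_tree(root):
    """Write constructed sample files (fake data, no real people) under root."""
    samples = {
        "HR/payroll_2017.csv": (
            "name,ssn,dob,email\n"
            "Ada Example,123-45-6789,1980-02-14,ada@example.com\n"
            "Bo Sample,234-56-7890,1975-11-30,bo@example.com\n"
        ),
        # An old export copied outside HR: exactly the data you do not know about.
        "Finance/old_exports/benefits_dump.txt": "Enrollment export\nBo Sample SSN 234-56-7890 DOB 1975-11-30\n",
        "Shared/templates/offer_letter.txt": "Dear {{name}}, we are pleased to offer you ... Contact hr@example.com.\n",
        # Looks date-like but is not a valid date, so it must not count.
        "Engineering/README.md": "# build\nRun make. Version 2017-13-45 is not a date.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return relative-path findings plus per-directory totals."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        files = [(os.path.relpath(p, root).replace(os.sep, "/"), h) for p, h in findings]
        return {"files": files, "dirs": dict(summarize_by_dir(root, findings))}


if __name__ == "__main__":
    result = run_demo()
    for rel, hits in result["files"]:
        print(f"{rel}: {hits}")
    print("per directory:", result["dirs"])
```

In the sample tree the payroll export ranks first, but the copy under Finance/old_exports is the finding that matters: it is the kind of file that a scan of "the HR system" alone never sees. Regex matching is a first pass only; expect false positives from phone numbers and order IDs and tune the patterns and threshold before acting on the results.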

Every business has HR data that needs to be secured. We are all OPM. We might not all have to defend data against Advanced Persistent Threats (APTs), but we do need to protect it against malicious or careless insiders, including IT administrators, and against attackers who take over administrator accounts. ‘Locking down’ HR data with native file and application permissions is simply not enough: whoever administers the store can read the data, and so can anyone who compromises that administrator.

By Covata, 6 September 2017