By Neil Morgan, Managing Partner at MorganHR and Creator of SimplyMerit
Imagine this… it’s 7 PM on the last day to place online orders with guaranteed delivery by Christmas, and you just came up with a great gift idea for your child. You hop on the Internet to secure your prize, and your router is down. What do you do in the time before hotspots? Most of us will hop in the car and zip down to a Starbucks or Panera with the hopes of finding Internet connectivity. Me… I hopped in the car on a snowy evening and drove through our rural neighborhood with hopes of hopping on someone’s unsecured Internet connection. It took me less than two blocks, and I was online from the front seat of my car! Mission accomplished and toy ordered.
Data security has become a hot topic for companies large and small, especially with so many newly remote workers due to the COVID-19 pandemic. IT departments have their hands full worrying about application security, network security, what data is being emailed back and forth as attachments, etc., etc., etc. Unfortunately, gaps in security often don’t involve IT at all.
HR Departments in 40% of US companies still use Excel to manage their annual merit cycles. Sensitive salary and personal data are often included in these merit spreadsheets that are sent to all managers in the company. In an effort to secure these spreadsheets, HR will often password protect each manager’s file. Despite their best intentions, there are critical security flaws with this approach:
- First, how are the passwords sent? If they are shared via email, it means that they are transmitted in plain text (unencrypted) and will pass through several systems or servers on their way to the manager. Often the password is sent in the same email as the merit spreadsheet or in a follow-up email. Both emails traverse the same path through multiple outside systems and are easily intercepted.
- And what about those unsecured home networks? It took me less than three minutes to find one in our neighborhood. Are your employees’ home networks secure? Are you sure?
- Next, it took about five minutes with Google to find the following options for cracking the Excel file password:
- Finally, what’s to stop the manager from saving a copy without password protection and then sending that copy back to HR? It happens more often than you would think. Employees get annoyed with having to enter the password over and over, and it’s so easy to save a copy without the password while they are working on it.
Security is everyone’s responsibility… whether locking your workstation when you leave your desk, using something other than “passw0rd” as your password, or, as in the above example, replacing your merit spreadsheets with a secure compensation management application.
Is your company ready for a breach of employees’ confidential information? Are you?