
Protecting Employee Data: 12 Best Practices for Data Security



Your company’s systems are full of personally identifiable information (PII) about your team members.

When viewed alone, these bits of information—such as a phone number or an address—may seem innocuous enough. If combined, though, PII can make it easy for cybercriminals to target your company, assume the identities of team members, steal funds, and more.

It’s important that all companies take action to protect their employees’ personal data—and their own corporate operations in turn.

The 12 steps in this guide can help you to begin protecting this data today.

  1. Establish access controls
  2. Encrypt all company data
  3. Use antivirus and anti-malware software
  4. Implement security policies
  5. Appoint a data security officer
  6. Back up all data
  7. Secure mobile devices
  8. Outsource work securely
  9. Conduct security audits
  10. Monitor network activity
  11. Prepare for security incidents
  12. Work with cybersecurity pros

1. Establish access controls

The first step in establishing an employee data privacy program is to take an inventory of the PII that you store and process.

No matter how large your company is, the chances that you keep PII about your team members are high. This is exactly the data that you need to do things like verify employment status, issue paychecks, and create systems logins.

Lots of data points can fall under the umbrella of PII, including:

  • Social Security numbers
  • Taxpayer identification numbers
  • Personal contact information
  • Bank account information
  • Birthdays
  • Driver’s license and passport numbers
  • Dates of birth
  • Race
  • Sexual orientation
  • Disabilities and workplace accommodations
  • Work-related physicals, drug test results, and other health information
  • Employment relationship details
  • Employment contracts
  • Trade union membership

You may have job applicants’ PII on your systems, too. Even if you choose not to hire someone for a job, you’re likely still responsible for safeguarding their PII.

Decide who can access sensitive data

Next, establish who truly needs to access this data—and who doesn’t.

Consider passports and drivers’ licenses as an example. You may require that new hires submit this information so you can validate their eligibility to work at your company.

While this is a human resources function, you may not need to give your entire HR team access. Instead, you could designate one or two HR associates who process employee data related to specific tasks.

Similarly, you may determine that your accounting and payroll team needs to access direct deposit details—but not team managers.

Implement permissions for employee data protection

Once you’ve decided who needs to access each type of data you’re storing, you’ll want to implement role-based permissions.

Store the data in such a way that only certain allowed users—determined by a special login or other identification method—can access the files.

You’ll also want to implement similar permissions around the processing of personal data.

The permissions you grant to access and process PII should be revocable at a top level. This way, if someone leaves the company or is found to be mishandling PII, you can quickly remove their access.

In addition, it’s a good idea to employ multi-factor authentication (MFA) on all PII-related systems. MFA adds an extra layer of security and makes it even harder for unauthorized users to gain access.
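The following is an added example, not code from the original article, showing how the three ideas above fit together in one access check: role-based permissions that separate reading PII from processing it, an MFA requirement on every PII lookup, and a single top-level revoke that cuts off a departing or misbehaving user. The role names, permission strings and user records are constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical role -> permission map for an HR system (constructed for this example).
ROLE_PERMISSIONS = {
    # Only the designated onboarding associates may see or process identity documents.
    "hr_onboarding": {"identity_docs:read", "identity_docs:process"},
    # Payroll sees bank details; nobody else does.
    "payroll": {"bank_details:read", "bank_details:process"},
    # Managers get no PII by default; a role has to grant it explicitly.
    "manager": set(),
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    mfa_verified: bool = False   # set by the login flow after a second factor succeeds
    revoked: bool = False        # flipped centrally when someone leaves the company


class AccessPolicy:
    """Decides whether a user may perform one action on one class of PII."""

    def __init__(self):
        self.audit_log = []  # every decision is recorded for later review

    def is_allowed(self, user: User, permission: str) -> bool:
        if user.revoked:
            decision, reason = False, "access revoked"
        elif not user.mfa_verified:
            decision, reason = False, "mfa required"
        else:
            decision = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)
            reason = "role grant" if decision else "no role grants permission"
        self.audit_log.append((user.name, permission, decision, reason))
        return decision

    def revoke(self, user: User) -> None:
        """Top-level kill switch: drops every role and blocks all future checks."""
        user.revoked = True
        user.roles.clear()


def demo_access_checks():
    """Runs the policy over constructed users and returns the decisions plus the audit trail."""
    policy = AccessPolicy()
    alice = User("alice", {"hr_onboarding"}, mfa_verified=True)
    bob = User("bob", {"manager"}, mfa_verified=True)
    carol = User("carol", {"payroll"}, mfa_verified=False)
    results = {
        "alice_reads_ids": policy.is_allowed(alice, "identity_docs:read"),
        "alice_reads_bank": policy.is_allowed(alice, "bank_details:read"),
        "bob_reads_bank": policy.is_allowed(bob, "bank_details:read"),
        "carol_no_mfa": policy.is_allowed(carol, "bank_details:read"),
    }
    policy.revoke(alice)  # Alice leaves the company: one call removes everything
    results["alice_after_revoke"] = policy.is_allowed(alice, "identity_docs:read")
    return results, policy.audit_log


if __name__ == "__main__":
    decisions, log = demo_access_checks()
    for entry in log:
        print(entry)
```

The audit log is the part people tend to skip: a denied request from a manager asking for bank details is exactly the signal a data security officer (step 5) wants to see.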

2. Encrypt all company data

Besides assigning role-based permissions to limit the number of eyes on sensitive data, you’ll also want to use encryption.

Encryption is a form of cryptography, and works a bit like sending secret messages.

When you encrypt a file, its contents are scrambled. They can only be unscrambled or decoded by a person or program that holds the encryption key.

If anyone else intercepts the file and tries to open it, they won’t be able to read the contents.

This doesn’t mean you need to memorize a long numeric passphrase either. Many computer systems and cloud-based storage solutions—including those made by Google and Apple—offer encryption as an option.

As long as you’re logged into your account, you’ll be able to access your encrypted files.

One important thing to note: while any encryption is better than none, you’ll ideally want to look for an end-to-end solution that ensures your data isn’t visible to anyone without the key, not even the makers of any software you use to store it.

A security consultant can help you establish the right encryption for your systems and needs.
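To make the end-to-end point concrete, here is an added example (not from the original article) in which an employee record is encrypted on the company’s side before it is handed to a storage provider, so the provider only ever holds ciphertext. It assumes the `cryptography` package is installed and uses its Fernet construction, which also authenticates the data, so a wrong key or a corrupted blob is rejected rather than silently decrypted to garbage. The `CloudStore` class and the record are constructed stand-ins.

```python
from cryptography.fernet import Fernet, InvalidToken


class CloudStore:
    """Stand-in for a storage provider (constructed for this example). It keeps whatever
    bytes it is given and can read them back, which is why data must arrive encrypted."""

    def __init__(self):
        self.blobs = {}

    def put(self, name: str, data: bytes) -> None:
        self.blobs[name] = data

    def get(self, name: str) -> bytes:
        return self.blobs[name]


def generate_key() -> bytes:
    # The key stays with the company; it is never sent to the provider.
    return Fernet.generate_key()


def upload_encrypted(store: CloudStore, key: bytes, name: str, plaintext: bytes) -> None:
    store.put(name, Fernet(key).encrypt(plaintext))


def download_decrypted(store: CloudStore, key: bytes, name: str) -> bytes:
    return Fernet(key).decrypt(store.get(name))


def provider_can_read(store: CloudStore, name: str, probe: bytes) -> bool:
    """Would someone with raw access to the stored blob find this plaintext in it?"""
    return probe in store.get(name)


def wrong_key_fails(store: CloudStore, name: str) -> bool:
    """Fernet authenticates the token, so a different key is rejected, not misdecrypted."""
    try:
        Fernet(Fernet.generate_key()).decrypt(store.get(name))
        return False
    except InvalidToken:
        return True


def tamper_is_detected(store: CloudStore, key: bytes, name: str) -> bool:
    """Alter one character in the middle of a copy of the blob and try to decrypt it."""
    blob = bytearray(store.get(name))
    i = len(blob) // 2
    blob[i] = ord("A") if blob[i] != ord("A") else ord("B")
    try:
        Fernet(key).decrypt(bytes(blob))
        return False
    except InvalidToken:
        return True


def demo_end_to_end():
    store = CloudStore()
    key = generate_key()
    record = b"employee=constructed-sample; ssn=000-00-0000; iban=XX00 0000 0000"
    upload_encrypted(store, key, "hr/record-0001", record)
    return {
        "round_trip_ok": download_decrypted(store, key, "hr/record-0001") == record,
        "provider_sees_plaintext": provider_can_read(store, "hr/record-0001", b"ssn=000-00-0000"),
        "wrong_key_rejected": wrong_key_fails(store, "hr/record-0001"),
        "tampering_detected": tamper_is_detected(store, key, "hr/record-0001"),
    }


if __name__ == "__main__":
    print(demo_end_to_end())
```

The practical consequence is that key management, not the cipher, becomes the thing to get right: losing the key means losing the data, so the key needs the same backup discipline as the files it protects (step 6).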

3. Use antivirus and anti-malware software

Computer viruses, malware, and other malicious files can hide in innocent-looking downloads, links, and programs. Once these files enter your workplace computer system, your entire company can be at risk for:

  • Phishing attempts that trick you into providing PII or systems access codes
  • Ransomware takeovers that freeze your computer system and request money for its release
  • Transfer of secure files to bad actors’ servers

Antivirus and anti-malware software programs like Avast or Avira are one line of defense against these issues.

However, these tools can only do part of the job. Train your team how to watch for the warning signs of viruses, malware, and phishing attempts. These can include:

  • Links that look very similar to valid URLs, but are slightly off—sometimes by just one letter or number
  • Ads for fake versions of commonly used software programs
  • Email addresses that purport to be coming from a trusted domain, but aren’t
  • Text messages that claim to be from another team member, asking for money or gift cards
  • Spoofed, or faked, phone calls that appear to be from a number you know
  • Free software downloads from unverified sources
  • Emails that seem to be from friends or family sharing a link or meme—but are really from a spoofed email address
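Training people to spot near-miss links is easier when the mail gateway or a link-checker does a first pass for them. The following added example (not part of the original article) classifies a link’s host against a constructed allow-list of domains the company actually uses: a host that is one edit away from a trusted domain, or that imitates it with swapped characters such as `1` for `l` or `rn` for `m`, is reported as a lookalike, and a trusted name buried inside an unrelated host is reported as suspicious. The allow-list, the fold table and the `registrable()` two-label simplification are assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the domains this company genuinely uses.
TRUSTED_DOMAINS = {"example.com", "payroll-provider.example"}

# Character swaps commonly used to imitate a name; folded away before comparing.
_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(label: str) -> str:
    for imitation, real in _FOLDS:
        label = label.replace(imitation, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable(host: str) -> str:
    # Simplification for the example: treat the last two labels as the registered domain.
    parts = host.split(".")
    return ".".join(parts[-2:])


def classify(url: str) -> str:
    host = host_of(url)
    if not host:
        return "invalid: no host"
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    domain = registrable(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        # e.g. example.com.evil.test: the real name is present but is not the real domain
        if trusted in host:
            return f"suspicious: trusted name '{trusted}' embedded in {host}"
        if edit_distance(fold(domain), fold(trusted)) <= 1:
            return f"lookalike of {trusted}: {domain}"
    return "unknown"


def check_links(urls):
    """Classify every link in a message; constructed sample links are used in __main__."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    sample = [
        "https://mail.example.com/login",
        "https://examp1e.com/login",
        "https://exarnple.com/",
        "https://example.co/",
        "https://example.com.evil.test/",
        "https://unrelated.org/x",
    ]
    for link, verdict in check_links(sample).items():
        print(f"{verdict:45} {link}")
```

A real deployment would replace the two-label `registrable()` shortcut with a public-suffix list and would compare folded hosts against the company’s full set of vendor domains, but the classification logic stays the same.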

4. Implement security policies

It’s not enough to install antivirus software, turn on encryption, and call it a day.

For your security measures to work, it’s advisable to develop clear policies and train your team on how to follow them.

Consider creating policies around:

  • When and how to request systems access permissions
  • How frequently, and in what way, team members need to create new passwords
  • Which tools and programs are allowed for use in the work environment
  • How to transmit data to other stakeholders inside and outside of the company
  • How team members can securely outsource work
  • When and how to use a VPN
  • How your company will handle data retention, including processes and the length of time data is stored
  • Rules around data deletion and erasure for former employees’ PII

While you can’t control what your team members do in their free time, you may want to create policies and guidelines about how you expect your teams to protect data outside of the office, too. This might include:

  • Physical device security, such as guidelines to follow when using a laptop in a public space
  • What can and can’t be shared about your organization or office on social media
  • Details around usage of personal and work-assigned mobile devices

5. Appoint a data security officer

If your company must adhere to data privacy laws—like the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA)—you could be required to appoint a designated data security officer.

Even if you aren’t affected by any data protection acts, it’s still a good idea to have a designated person or people in your organization who assume responsibility for:

  • Creating and reviewing your data security practices and retention policies
  • Ensuring you have the relevant privacy notices in place
  • Organizing training and certification for team members who need to interact with sensitive data or company systems
  • Staying up-to-date on privacy laws and best practices
  • Serving as a point of contact for reports about suspected phishing or fraud attempts
  • Developing a plan to handle any security incidents
  • Establishing and monitoring data safeguards

This person may sit within your IT department and have other responsibilities or serve in a standalone role. It all depends on how large your company is and what data protection laws—if any—you’re required to follow.

[Infographic: Data Security]

6. Back up all data

While the steps above should help to reduce the likelihood of a catastrophic data loss or leak happening, no measure is entirely foolproof. That’s why it’s important that you always have a secure copy of your company’s data.

You can do this by implementing regular backups. Typically, a backup creates a complete copy of your computer, server, or mobile device—though you can also set up backups to only copy select files and programs.

A simple example of this is syncing the contents of your phone to iCloud or Google One before migrating to a new device.

You may store these backups locally—such as on another computer or server—or in the cloud. It’s typically a good idea to do both. This way, if anything happens to your physical backup, you can pull from the cloud and vice versa.

It’s important to regularly test these backups, too, and make sure that everything is working correctly. If you find that a backup has become corrupted, a data recovery specialist may be able to help you regain the information that you need.
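Testing a backup means more than checking that the job finished. A cheap, repeatable check is to record a checksum of every file at backup time and recompute it on the copy later, which catches both corrupted and missing files before you need them. The following is an added example (not from the original article); the directory layout and file contents are constructed, and the check is run against a deliberately damaged copy to show what a failure report looks like.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root, recorded when the backup is taken."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Return {relative path: problem} for every file that is missing or no longer matches."""
    problems = {}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.exists():
            problems[rel] = "missing"
        elif sha256_file(p) != expected:
            problems[rel] = "checksum mismatch"
    return problems


def demo_backup_check():
    """Back up a constructed directory, verify it, damage it, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "hr").mkdir(parents=True)
        (live / "hr" / "roster.csv").write_text("id,name\n1,constructed sample\n")
        (live / "hr" / "contracts.txt").write_text("constructed contract text\n")

        manifest = build_manifest(live)          # taken at backup time, stored with the backup
        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        clean = verify_backup(backup, manifest)  # expected: no problems

        # Simulate bit rot on one file and loss of another in the backup copy.
        (backup / "hr" / "roster.csv").write_bytes(b"\x00\x00 corrupted")
        (backup / "hr" / "contracts.txt").unlink()
        damaged = verify_backup(backup, manifest)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo_backup_check())
```

Keep the manifest somewhere other than inside the backup it describes (a second location, as the section recommends for the backup itself), otherwise a corrupted volume can take the evidence with it.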

7. Secure mobile devices

If your team members use phones for work activities, you’ll want to include these devices in your cybersecurity strategy.

Cybersecurity company Cimcor recommends against a “bring your own device” (BYOD) policy at the office.

BYOD refers to an arrangement where team members use their own phones (or computers) to send work emails, call clients, and carry out other work activities. While this can be convenient for team members—and seemingly cost-effective for companies—the practice can open up your organization to cybersecurity risks.

When team members use their own devices for work communications, you can’t control or monitor the flow of information. Sensitive company data may live on these devices alongside questionable app downloads, personal spam emails, and more. It creates another entry point into your organization.

And if something goes wrong, you may not be able to easily pinpoint a personal device as the source or completely wipe the operating system in order to remove malicious files.

Cimcor suggests companies provide mobile devices to their team members, as this allows for:

  • Remote wiping of lost or compromised devices
  • Role-based data access permissions, just like on work computers
  • Data encryption
  • Restricted app downloads
  • Mandatory virtual private network (VPN) usage
  • Enforcement of MFA and single sign-on (SSO) policies, which add a second layer of security to system and app logins
  • Retrieval of company data from the device if a team member leaves the organization

8. Outsource work securely

What if you can’t control the devices a team member or collaborator uses?

If you’re outsourcing work to contractors, consultants, and other independent professionals, you might not be able to provide or require the use of company devices.

This is where careful attention to access controls—as described in step one—comes into play. You can also take steps to ensure that you’re:

  • Hiring professionals through trusted sources like Upwork
  • Conducting background checks on professionals who may access sensitive data
  • Asking the professionals you’re interested in hiring how they make sure their clients’ data is protected
  • Including all collaborators in data security training activities
  • Sharing data through secure portals and VPNs
  • Limiting the type and volume of company data that leaves your controlled environment
  • Using contracts and non-disclosure agreements (NDAs) that outline how third-party vendors will access, use, discuss, and manage sensitive information
  • Providing collaborators with a secure login to portions of your company’s systems, versus sharing files to their personal accounts (such as Google Drive)

Establishing and reviewing guidelines around the way you outsource work can be an important part of your company’s security audits.

9. Conduct security audits

In their 2022 M-Trends report, threat intelligence company Mandiant said that the top 10 industries most likely to be targeted by bad actors are:

  1. Government
  2. Business and professional services
  3. Financial
  4. High tech
  5. Healthcare
  6. Retail and hospitality
  7. Entertainment and media
  8. Construction and engineering
  9. Telecommunications
  10. Transportation and logistics

However, every industry and company can be at risk—so it’s essential to audit your systems and networks for potential vulnerabilities.

The Information Systems Audit and Control Association (ISACA) recommends that cybersecurity audits include:

  • Conducting IT infrastructure risk assessments
  • Reviewing cybersecurity policies and controls for data management, payment processing, GDPR compliance, and more
  • Updating contingency plans for security incidents
  • Training and testing personnel on essential cybersecurity skills
  • Assessing risk levels

An independent information security auditor can help you get this process started.

10. Monitor network activity

Mandiant’s M-Trends report also notes that bad actors are working faster than ever to find and compromise vulnerable systems. Attackers tend to spend 16 days in a system before they’re detected and removed—but this is more than enough time for damage to be done.

As a result, you’ll want to monitor network activity in and out of your company’s systems.

Parallels, a remote application service provider, suggests that network security monitoring activities include:

  • Logging client-to-server communications
  • Watching traffic patterns for unusual activity
  • Reviewing encrypted traffic sessions
  • Monitoring overall traffic flow

You’ll want to establish a threshold for what makes for unusual activity; when activity passes that point, take action to explore it further.
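Here is what “establish a threshold and act when activity passes it” looks like in a small script, as an added example that is not part of the original article. It parses constructed client-to-server log lines, totals outbound bytes per internal host, and raises an alert when a host exceeds a multiple of its own baseline, talks to a destination it has never talked to before, or has no baseline at all. The log format, the baseline figures and the IP addresses are all assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed log format: timestamp, internal source, external destination, bytes sent.
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")


def parse(lines):
    """Yield (src, dst, bytes) records; returns the count of lines it could not parse."""
    records, bad = [], 0
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            records.append((m["src"], m["dst"], int(m["bytes"])))
        elif line.strip():
            bad += 1
    return records, bad


def summarize(records):
    bytes_out = defaultdict(int)
    destinations = defaultdict(set)
    for src, dst, n in records:
        bytes_out[src] += n
        destinations[src].add(dst)
    return bytes_out, destinations


def find_unusual(lines, baseline_bytes, known_dsts, factor=3.0):
    """Return (host, reason) alerts for hosts whose activity crosses the thresholds."""
    records, bad = parse(lines)
    bytes_out, destinations = summarize(records)
    alerts = []
    for src, total in sorted(bytes_out.items()):
        base = baseline_bytes.get(src)
        if base is None:
            alerts.append((src, "no baseline for host"))
        elif total > base * factor:
            alerts.append((src, f"outbound {total} B exceeds {factor}x baseline {base} B"))
        new = destinations[src] - known_dsts.get(src, set())
        if new:
            alerts.append((src, "new destinations: " + ", ".join(sorted(new))))
    if bad:
        alerts.append(("parser", f"{bad} unparsable line(s) skipped"))
    return alerts


# Constructed sample: a day's worth of summarised connections plus one malformed line.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z src=10.0.0.5 dst=203.0.113.10 bytes_out=20000
2024-05-01T09:14:03Z src=10.0.0.5 dst=198.51.100.42 bytes_out=250000
2024-05-01T09:20:45Z src=10.0.0.7 dst=203.0.113.11 bytes_out=60000
2024-05-01T09:31:09Z src=10.0.0.9 dst=203.0.113.10 bytes_out=1000
2024-05-01T09:40:00Z src=10.0.0.5 dst=203.0.113.10
""".splitlines()

# Constructed baselines: typical daily outbound bytes and usual destinations per host.
BASELINE_BYTES = {"10.0.0.5": 50000, "10.0.0.7": 80000}
KNOWN_DSTS = {"10.0.0.5": {"203.0.113.10"}, "10.0.0.7": {"203.0.113.10", "203.0.113.11"}}


def demo_alerts():
    return find_unusual(SAMPLE_LOG, BASELINE_BYTES, KNOWN_DSTS)


if __name__ == "__main__":
    for host, reason in demo_alerts():
        print(f"{host:10} {reason}")
```

The baseline is the part that needs maintenance: it should be rebuilt from known-good periods and reviewed when a team’s work changes, or the threshold drifts until either everything or nothing is flagged.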

11. Prepare for security incidents

Another part of securing your team’s sensitive data is preparing for the worst. This doesn’t mean that you should operate in a state of fear every day—rather, you’ll want to have an action plan for what you’ll do if something goes wrong.

This plan can include:

  • Detailed steps for how you’ll react to a potential security breach or threat—including who’s responsible for specific actions and decision-making after an incident
  • Information on the legal responsibilities your company has in the event of a data incident
  • Internal and external communications strategies to share information about an incident and the steps you’re taking

It may also be helpful to run a data breach and attack simulation in order to practice your company’s responses and make sure that everyone is ready to handle their responsibilities.

12. Work with cybersecurity pros

Developing a cybersecurity plan can be daunting—especially if you’ve never worked in the field before. If you don’t have any cybersecurity professionals on your team, you may want to bring in some third-party help.

And the best part? You can easily work with remote cybersecurity advisors.

Through Upwork, you can connect with cybersecurity companies, IT security analysts, and other pros who can help you develop a strong security plan, protect your team’s personally identifying information, and keep your company safe from hackers and other malicious actors.

Build a top-rated team of professionals with Upwork

Above all else, don’t wait until after a problem happens to begin shoring up your cybersecurity strategy. If you haven’t had any issues yet, breathe a sigh of relief—and then get to work finding a pro who can help you:

  • Establish, create, and monitor access controls that restrict who can see sensitive data
  • Set up the right level of encryption for your company’s needs
  • Find reliable antivirus and anti-malware software to create another line of defense against bad actors
  • Develop security policies—and make sure your team knows how to follow them
  • Act as, or appoint, a data security officer
  • Regularly back up all sensitive data to secure on- and off-site storage
  • Make sure your team’s mobile devices are secure and safe to use for work
  • Come up with a plan to outsource work safely and securely
  • Audit your systems and look for any weaknesses
  • Keep an eye on network activity
  • Prepare for unexpected security incidents

Luckily, some of the world’s best cybersecurity professionals are only a click away on Upwork.

No matter how large your company is, or where you are in the preparation and auditing process, you can find the right person to help on Upwork.

Browse all available cybersecurity and data protection services in Project Catalog™ or create a job post to connect with certified information systems security professionals and other IT security pros.

All you need is an Upwork account—create one or log in today to get started.

This article is intended for educational purposes and should not be viewed as legal advice. Please consult a professional to find the solution that best fits your situation.


Author spotlight

Emily Gertenbach
B2B SEO content writer & consultant

Emily Gertenbach is a B2B writer who creates SEO content for humans, not just algorithms. As a former news correspondent, she loves digging into research and breaking down technical topics. She specialises in helping independent marketing professionals and martech SaaS companies connect with their ideal business clients through organic search.
