Cloud HRMS Security: The Unbiased Truth

If you’re asking around about cloud HRMS deployments then the” anti-clouders” will tell you that what you gain from the lower price tag, you lose in poor security. Now this isn’t entirely true (nothing is ever that black and white and the balance will be tipped in one direction or another by your particular organisational requirements) but it’s fair to say that if you’re seriously considering cloud HRMS, then there are some specific security questions to be asking.

The main additional risk to on-premises systems comes from just having all your employee data elsewhere; it’s literally out of your (electronic) hands. When the system isn’t managed by your own IT department there’s always a possibility of unauthorized and/or accidental modification of systems or data and unauthorized deletion of data (to be fair, that same risk applies to in-house systems, it’s just that it’s easier to prevent and manage). So, it becomes paramount to look into the security-related practices that your potential cloud provider has in place.

The Due Diligence Process

This due diligence process should include putting them on the spot about the following issues:

their information security plan (especially concerning data privacy), their data governance structure, the strength of their business/disaster recovery planning, their uptime performance records, their compliance history, and their performance when it comes to successful data recovery from backup. One reassuring sign would be the existence of a current ISO27001 or SSAE 16 certification (if they talk about SAS 70 Type II audits, be aware that they were superseded by SSAE 16 a while back).

Put simply, security concerns should not put you off purchasing a cloud HRMS; however, they should guide your selection process with some specific questioning

Global consultancy Ernst & Young conduct an annual information security survey; in a recent report, they noted that even without realizing it, in their eagerness for cloud solutions many organizations are trading security for surface convenience. The reliance on the third party cloud service provider brings compliance, contracting and legal risks.

Luckily, if you choose to ‘go cloud’ there are a number of measures that can be taken to balance these risks; including add security as a regular heading for reporting (in other words, keep your senior people in the loop), build additional HRMS security awareness into user training, offer reassurance to employees that the security and privacy of their data is taken seriously, manage your encryption and SSL certificates appropriately, conduct penetration testing to the HRMS and any associated mobile apps to check their level of vulnerability.

Put simply, security concerns should not put you off purchasing a cloud HRMS; however, they should guide your selection process with some specific questioning.