The consequences of poor cloud HRMS security protocols

Cloud HRMS security protocols and emergency plans are often delayed when a project is short on resources or time. They are sometimes seen as a nice-to-have feature rather than an essential operational item. Their importance becomes crystal clear when they are needed but not there. Here are some possible outcomes if you fail to establish solid cloud HRMS security protocols and associated emergency plans.

1. Data breaches and identity theft

A lack of robust security processes and protocols is a disaster waiting to happen. At best, a curious employee may find out the salaries for top management and cause some gossip around the water cooler. At worst you may have to handle damage control if an employee’s personal details such as social security number, date of birth, address, etc. are used for malicious reasons, such as establishing a line of credit or worse.

Recommended reading: find cloud HRMS with strong security features using our comprehensive HRMS vendor directory

The frustration from those of us who work in the industry is that a large part of these negative activities are often preventable if you have the right foundation of plans and protocols. When you do not have strong cloud security processes in place, access to data becomes an open door and it’s only a question of ‘when’ not ‘if’ a data breach or identity theft will occur.  

2. “Poor planning on your part does not constitute an emergency on my part”

Except, of course when an emergency strikes and it is all hands on deck. Disaster recovery planning is like a trip to the dentist, no one wants to go but everyone appreciates the outcome of improved health once it’s over. Does your company have a disaster recovery plan for each of your cloud HRMS? What happens in the event of a local emergency or an on-site disaster at your vendor’s location?

I recall many years ago on September 11th, I had previously consulted for a company with a large employee population in the Towers. I was living on the other side of the world but a former HR colleague contacted me, their analytics team was unavailable and they desperately needed help generating an employee list with emergency contacts.

While a catastrophe of this magnitude will hopefully never happen again, the planning and preparation to deal with it should be reviewed at least on a quarterly basis to ensure readiness and your role versus a vendor’s activities.

3. A dangerous internal security structure 

As an auditor of HR systems I am always surprised by the number of companies who do not bother to perform user audits under the assumption that the upfront access request process should be sufficient. Employees and jobs do not remain static. Is each of your SaaS HRMS databases automatically inactivating terminated users or do you depend on a manual process? What happens when an HR user changes a role within the company - does the data access remain intact? Cloud HRMS solutions can sometimes seem distant as they are hosted by a third party  but your user access reviews should be at the same level of scrutiny as any internally-hosted HRMS, if not higher due to an outsourced provider.

author image
Heather Batyski

About the author…

Heather is an experienced HRMS analyst, consultant and manager. Having worked for companies such as Deloitte, Franklin Templeton and Oracle, Heather has first-hand experience of many HRMS solutions including Peoplesoft and Workday.

author image
Heather Batyski