HRMS Security: The BYOD Banana Skin

BYOD or ‘bring your own device’ has become commonplace in many companies as employees often possess sophisticated mobile technology and prefer to use it over traditional desktop computers. For some companies BYOD can lead to significant reduction in hardware costs. It’s a trend that looks to be increasing as a recent Gartner research report suggests that by 2017, approximately 50% of businesses may seek to implement a BYOD policy. But how will this trend affect HRMS security and HR data management?

With the proliferation of mobile devices, employees can easily work remotely on any number of tasks, and the latest generation of self-service HRMS applications only facilitate this further. But shouldn’t we be concerned? Who is watching out for the data, and the banana skin beneath all our feet?

An Additional Layer of Complexity

It’s important to regulate the use of these devices - just as you would for any system accessing internal company data- esepcially when confidential data such as HR data is involved. Effective HRMS security will require the development of standards and training programs around how and where data is accessed. For example, if HR downloads a report of salary data to perform some analysis on their own devices, there should be standards of how long the report is kept on the device (if at all). It’s the modern day equivalent of walking out the door with stacks of private employee details printed on paper and taking it home to work on. We wouldn’t consider such an action, yet most of us do the equivalent on devices without thinking because they are so integrated into our daily lives.

While most HR employees are aware of good data management practices, mobile devices add an additional layer of complexity to the HRMS security landscape. It is no longer enough to have role-based data security. Now you need device-based data security. What happens if the employee needs an IT helpdesk analyst to look at the device? Or even worse, what if a device is lost or stolen? If all HR data files are password protected as a standard working procedure, with the passwords stored separately, this already creates a barrier to block inappropriate use. I’ve seen some companies who do not allow the use of portable or thumb drives for HR employee data files based on the premise that it’s too easy to lose large amounts of data. Similar clarity should be provided in the BYOD space, with clear guidance (based on defined levels of data classification), as to what activities and what data handling procedures should be utilized on devices.