It’s no secret that Human Resources is a pivotal part of any well-run organization. HR holds the crucial responsibility of ensuring that employees are immersed in a healthy, productive work environment, while also managing an immense amount of sensitive employee personally identifiable information (PII). In the digital age, HR’s role is becoming even more critical.
The imperative for Secure HR
Nowhere is this responsibility more clear than in the HR information systems, a treasure trove of sensitive PII such as social security numbers, bank account information, health insurance data, dates and places of birth, addresses, information on spouses and children, and more. All of this information can be used for identity theft, phishing, fraud, and blackmail. This threat is perhaps best exemplified by last year’s breach of the US Office of Personnel Management, essentially the HR department of the US federal government, in which over 20 million government employee records were stolen. Indeed, a recent survey of HR professionals states that cyberattacks are their biggest concern, ahead of workplace violence, natural disasters, and other threats.
Adapting a security posture
Given these threats to PII, Human Resources needs to be more cybersecurity-oriented and adapt its activities accordingly. The good news? HR doesn’t have to fix security on its own; the IT team can help, since it has plenty of experience securing other types of company data. One way IT can assist is to set up application access controls; these ensure that the right people have access only to the apps they need to do their job. For instance, a web developer shouldn’t have access to a payroll website. Additionally, access permissions should match the job: a financial analyst may need to view the company’s bank account website, but only the controller and CFO should have the ability to withdraw funds from it.
A key ingredient for success with setting up application access controls is to work with a company providing Identity-as-a-Service (IDaaS), like OneLogin. OneLogin can ensure that employees only use strong passwords and multi-factor authentication (such as a one-time code sent to your phone) — and it can apply these policies to thousands of web-based applications such as Namely, Google Apps (recently rebranded as G Suite), Office 365, Box, and more.
Without an integration between an HRIS and IDaaS, IT has to manually set up all user accounts. Since a typical organization can use dozens or even hundreds of web applications, an IT analyst onboarding new employees will eventually make mistakes, providing employees with access to websites that they shouldn’t have, or with a higher level of access permissions than they actually need.
Given this, we’re excited to announce today an integration between Namely’s employee directory and OneLogin’s Cloud Directory. When someone in HR enters a new employee into Namely, that information is automatically synced into OneLogin. Then, we can apply rules to set up that employee with access to the appropriate company applications. Perhaps employees in the finance department only get access to the bank account website, but only if they have “controller” or “CFO” in their title do they get the ability to manage funds. We can apply these rules on practically any information in Namely. We call this HR-driven Identity (HDI), and it means that only the right people get access to the right applications, with the right permission levels.
When employees leave a company, it’s critical to ensure that they no longer have access to company web applications and the data they contain. And yet, on average 10% or more of former employees can still access their former companies’ systems. Our new Namely integration helps here as well: when an HR team member marks an employee as “departed” or “inactive”, that employee is also automatically suspended in OneLogin, ensuring they can no longer access company web apps. This happens automatically, saving time for IT and reducing the chances of mistakes. And since OneLogin tracks all employee access to web apps, HR and IT can easily audit app access records to verify that no former employees still have access.
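The HR-driven rules and status-triggered suspension described above, as an added Python illustration that is not OneLogin’s or Namely’s code; the app names, role names, rule predicates and employee records are constructed assumptions:

```python
# Added example: HR-driven identity (HDI) rules driven by HRIS fields.
# The department, title and status fields and the app/role names are
# constructed for this illustration, not real Namely or OneLogin data.
from dataclasses import dataclass, field


@dataclass
class Employee:          # one HRIS record
    email: str
    department: str
    title: str
    status: str          # "active", "departed" or "inactive"


@dataclass
class Identity:          # the directory entry derived from that record
    email: str
    suspended: bool = False
    entitlements: dict = field(default_factory=dict)   # app -> role


# Rules as (predicate over the HRIS record, app, role). More specific rules
# come last so they override the broader grant for the same app.
RULES = [
    (lambda e: e.department == "Finance", "bank-portal", "viewer"),
    (lambda e: e.department == "Finance"
     and any(t in e.title.lower() for t in ("controller", "cfo")),
     "bank-portal", "manage-funds"),
    (lambda e: e.department == "Engineering", "source-repo", "developer"),
]

INACTIVE_STATUSES = {"departed", "inactive"}


def sync(employee: Employee) -> Identity:
    """Derive the identity for one HRIS record; a departed/inactive
    employee is suspended and receives no entitlements at all."""
    identity = Identity(email=employee.email)
    if employee.status.lower() in INACTIVE_STATUSES:
        identity.suspended = True
        return identity
    for predicate, app, role in RULES:
        if predicate(employee):
            identity.entitlements[app] = role
    return identity


def audit(employees, identities):
    """Emails HR marks as gone whose directory identity is still active."""
    by_email = {i.email: i for i in identities}
    return sorted(e.email for e in employees
                  if e.status.lower() in INACTIVE_STATUSES
                  and e.email in by_email and not by_email[e.email].suspended)
```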
The road ahead
OneLogin is the only IDaaS provider that provides a pre-configured integration with Namely to secure sensitive employee PII.
To learn more about why it’s critical to secure PII and how to do so, check out this on-demand webinar, featuring Namely Chief People Officer (CPO), Nick Sanchez, and OneLogin VP of Product, David Meyer.