One of the best ways to protect the safety of your personal information is by reducing your attack surface. This means limiting the amount of information you share – or the private details that are exposed to possible attacks – and paying close attention to how your personal details are managed.
However, websites and online services aren’t the only ones collecting and using your information. According to recent studies, employers are among the primary targets for cyberattacks for one specific reason: employers store a lot of information about their employees.
Understanding the Risks
There have been many cases where employee data and personal details were leaked, the most famous one being WeWork’s recent data breach. The company stores thousands of user and employee data sets, and those data sets ended up in the wrong hands because information security was mishandled.
Regus, a direct competitor of WeWork, suffered the same fate. IWG, the company that owns Regus, also recently leaked its employee data. Over 900 employees had their personal details published online as a result of a mistake during an internal sales review.
IWG’s case was even more alarming because the data was not stolen by attackers. Instead, a survey company conducting the sales review accidentally made the Trello board on which sales employee details were collected public. Google and other search engines indexed the public board.
The rest is history. Once the data is out in the open, it is virtually impossible to make those details private again. Reposting of personal data on online forums, use of those personal details for various purposes, and even search engine cache and history make maintaining privacy impossible.
There are countless other cases that ended with employee data being made public online. To avoid falling victim to a similar breach or mishandling of data, you first have to understand the risks you face when your employer collects your data.
- Data mishandling is not uncommon, especially when there are no standardized procedures in place. When data is mishandled, the risk of that data reaching a public space online becomes significantly higher.
- Employers tend to collect more data than they need, especially when employees are not fully aware of the data being collected. You have to take a more active stance in understanding what personal details are being stored by your employer.
- Data collection and processing methods vary from employer to employer. Some utilize a secure network for managing employee data. Others simply rely on a public Google Sheet document, which causes more harm than good.
If you think data breaches can only happen in specific situations, think again. Every organization, from small businesses to large companies like Facebook, is a target and can make mistakes in handling employee data; Facebook, in particular, has made mistakes a couple of times in the past.
So, what does this mean for you as an employee? Instead of relying on your employer to protect your data, you have to be more proactive in ensuring your privacy and data security. As a matter of fact, you have every right to take a more active stance in this matter. Employers must respect data privacy regulations even more than web service providers.
In some countries, regulations governing specific industries are even stricter, giving you more bargaining power in managing data security and privacy. You have the right to ask for sufficient data protection if your employer is collecting and storing data about you.
Sufficient data protection comes in different forms. Proper access control management is the most basic one. You have the right to decide who gets to access your personal details. Anyone outside the HR or accounting departments must only have limited access on a case-by-case basis; unless access is absolutely necessary, you can ask for your data to be kept private.
The same is true of data storage and transmission. Having details about where you live and how much you make stored in a Google Sheet document is a big no. You want sensitive files such as employee details to be sufficiently encrypted, hashed and stored on a secure server. Even backup routines must be maintained with utmost care.
Lastly, make sure you have the ability to audit the information being stored, especially information that relates to your status as an employee. At the end of the day, the way to limit your attack surface is by making sure that your personal details are not being misused and mishandled by your current employer.
It is true that employers pose a huge data privacy risk, almost as big as social networks and web services. There is no such thing as being too careful when it comes to maintaining the security of your personal data.