Cyber threats are continuously becoming more sophisticated and diverse in their methods of attack, and HR service providers (all types of companies, in fact) need to stay vigilant in implementing security measures at their organization.
In addition, your “chain of trust” extends to the providers you rely on to support your business, including your HR software partner. But when every software company preaches excellent security, it can be difficult to know the right questions to ask to get a clear picture of what reliability really looks like.
PrismHR takes a multifaceted approach to safeguarding your clients’ data, combining strict compliance standards with current cybersecurity solutions designed to mitigate today’s threats.
We’ve outlined six cybersecurity categories you should have clarity on for your own organization as well as your HR software provider.
Information Security Compliance
Independent audits and certifications can tell you a lot about how your technology partner has implemented infrastructure and processes to safeguard data.
One of the most recognized, and most rigorous, is a System and Organization Controls 2 (“SOC 2”) Type 2 report. It is produced by an independent, licensed CPA firm auditing the provider against the Trust Services Criteria published by the American Institute of Certified Public Accountants (AICPA). The examination covers the controls a service organization has in place for the security and, depending on the scope chosen, the availability, processing integrity, confidentiality, and privacy of the systems used to process customer data.
Unlike a Type 1 report, which is a point-in-time snapshot of how a company’s controls are designed, a Type 2 report tests whether those controls actually operated effectively over a review period (typically six to twelve months). In short, a Type 2 validates that the provider can “walk the walk.” Ask for the report itself rather than just the logo: the auditor’s opinion, the systems in scope, and any noted exceptions are where the useful detail lives.
PrismHR has maintained SOC 2 Type 2 compliance since 2018.
Zero Trust Strategy / Application Security
Zero Trust is a security model that requires every user and device, including those already inside the organization’s enterprise network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted, and in order to keep, access to applications and data. This approach leverages technologies such as multifactor authentication, identity and access management (IAM), and next-generation endpoint security to verify the user’s identity and maintain system security.
Strengthening the network perimeter is still important for keeping unauthorized users out, but under zero trust security doesn’t end at the entrance. Zero trust also considers what users, including authorized ones, are doing inside the system and re-evaluates their access as they move through it, based on their access level and behavior patterns.
Under a zero trust approach:
- Users have only the level of access they need to do their jobs (i.e., least-privilege access)
- Requests for additional privileges will trigger a process to authenticate the user’s identity and/or validate the need for access
- Access to certain areas of the system may only be turned on temporarily for a user
- Validating a user’s identity may use a combination of login credentials, multi-factor authentication, IP verification, and behavior
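To make the four points above concrete, here is a small policy decision point written for this article as an added example; it is not PrismHR code and says nothing about how PrismHR’s platform is built. Every request is evaluated against role entitlements (least privilege), a fresh second factor for privileged actions (step-up), a permitted source network (IP verification), and time-bounded grants that are issued only after re-authentication and a recorded justification (temporary access). Role names, actions, address ranges, and timings are constructed sample data.

```python
"""Toy zero-trust policy decision point (added example; not PrismHR code).

Every request is judged on its own evidence: a request from inside the
corporate address space gets no free pass, privileged actions demand a recent
MFA factor, and extra privileges are issued only as time-bounded grants after
re-authentication and a recorded justification.  Role names, actions, address
ranges and timings below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple
import ipaddress

# Least privilege: each role maps to exactly the actions its job requires.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"view_paystub", "submit_timesheet"},
    "payroll_admin": {"view_paystub", "submit_timesheet", "run_payroll"},
}
# Actions that always require step-up (recent MFA), whatever the role.
PRIVILEGED_ACTIONS = {"run_payroll", "export_ssn"}
MFA_MAX_AGE = timedelta(minutes=15)       # how fresh the second factor must be
GRANT_TTL = timedelta(hours=1)            # default lifetime of elevated access
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Grant:
    action: str
    expires_at: datetime


@dataclass
class Session:
    user: str
    roles: Set[str]
    mfa_verified_at: Optional[datetime]   # None = password only
    allowed_networks: List[str]           # CIDR ranges the user may connect from
    grants: List[Grant] = field(default_factory=list)


@dataclass
class Request:
    action: str
    source_ip: str
    at: datetime


def mfa_is_fresh(session: Session, at: datetime) -> bool:
    return session.mfa_verified_at is not None and at - session.mfa_verified_at <= MFA_MAX_AGE


def evaluate(session: Session, req: Request) -> Tuple[bool, str]:
    """Decide one request. Network location is a required signal, never sufficient alone."""
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in ipaddress.ip_network(cidr) for cidr in session.allowed_networks):
        return False, "source IP outside permitted ranges"
    role_allows = any(req.action in ROLE_PERMISSIONS.get(r, set()) for r in session.roles)
    grant_allows = any(g.action == req.action and g.expires_at > req.at for g in session.grants)
    if not (role_allows or grant_allows):
        return False, "no role or active grant covers this action"
    if req.action in PRIVILEGED_ACTIONS and not mfa_is_fresh(session, req.at):
        return False, "step-up MFA required for privileged action"
    return True, "granted via role" if role_allows else "granted via temporary grant"


def request_elevation(session: Session, action: str, justification: str,
                      at: datetime, ttl: timedelta = GRANT_TTL) -> Grant:
    """Elevation path: fresh MFA plus a recorded reason yields a grant that expires on its own."""
    if not mfa_is_fresh(session, at):
        raise PermissionError("re-authenticate with MFA before requesting elevation")
    if not justification.strip():
        raise PermissionError("a justification is required for elevated access")
    grant = Grant(action=action, expires_at=at + ttl)
    session.grants.append(grant)   # in practice this is also written to an audit log
    return grant


def demo() -> dict:
    """Walk a payroll clerk through the flow; returns each decision for inspection."""
    s = Session(user="alice", roles={"payroll_clerk"},
                mfa_verified_at=NOW - timedelta(hours=2),      # second factor is stale
                allowed_networks=["10.0.0.0/8", "203.0.113.0/24"])
    out = {}
    out["view_paystub"] = evaluate(s, Request("view_paystub", "10.1.2.3", NOW))
    out["run_payroll_no_grant"] = evaluate(s, Request("run_payroll", "10.1.2.3", NOW))
    try:
        request_elevation(s, "run_payroll", "month-end close", NOW)
        out["elevation_stale_mfa"] = "granted"
    except PermissionError as exc:
        out["elevation_stale_mfa"] = str(exc)
    s.mfa_verified_at = NOW                 # user completes a fresh second factor
    request_elevation(s, "run_payroll", "month-end close", NOW)
    out["run_payroll_fresh"] = evaluate(s, Request("run_payroll", "10.1.2.3", NOW + timedelta(minutes=1)))
    out["run_payroll_stale_mfa"] = evaluate(s, Request("run_payroll", "10.1.2.3", NOW + timedelta(minutes=30)))
    out["run_payroll_expired"] = evaluate(s, Request("run_payroll", "10.1.2.3", NOW + timedelta(hours=2)))
    out["run_payroll_bad_ip"] = evaluate(s, Request("run_payroll", "198.51.100.7", NOW + timedelta(minutes=1)))
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```

Two details carry the zero trust idea: the network check is necessary but never sufficient (an in-range address still needs an entitlement and, for privileged actions, a recent second factor), and elevated access expires on its own rather than waiting for someone to remember to revoke it.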
Make sure to ask your technology partners about application security and whether they have implemented a zero trust strategy.
At PrismHR, zero trust is a critical component to our approach to platform security. We also employ multiple features to prevent unauthorized access to the system and your data, including multi-factor authentication, strict password rules, IP address control, and role-based security.
Endpoint Detection and Response (EDR)
Every device that connects to your network—or your partner’s network—is a potential vulnerability that could allow a bad actor to enter the system. That’s like a bank vault with thousands of windows. Just one open sash could lead to disaster.
Endpoint Detection and Response (EDR) solutions record and analyze activity on every endpoint (the laptops, desktops, and servers that connect to a network) to detect and investigate suspicious behavior. An agent on each device streams telemetry such as process launches, network connections, and file changes to a central analytics platform, which looks for patterns that may signal a compromised device or a stolen user credential and can isolate the host or terminate a process in response.
EDR becomes even stronger when paired with a “managed” component (often sold as MDR): a team of human specialists with years of experience detecting and remediating cyber threats continuously monitors the alerts and responds to suspicious activity, including outside the hours when your own staff are watching.
PrismHR uses a managed EDR solution which leverages artificial intelligence (AI) to look for irregular behavior in the system and quickly locks down any suspicious activity. It also includes 24/7 response by a team of cyber defense experts.
Data Center Security & Encryption
Wherever your data resides, it is critical that it is encrypted both in transit (e.g., email, system-to-system transmission, using TLS) and at rest (e.g., stored on a server or disk).
Ask whether your partner hosts its systems in a private cloud at a leading cloud provider, such as AWS, Microsoft Azure, or Rackspace. These large providers are independently assessed against the major security, control, and performance standards, such as ISO/IEC 27001 (with the ISO/IEC 27002 control guidance), PCI DSS, SOC 1, 2, and 3 reports issued under SSAE 18 (the successor to SSAE 16), and the Content Protection and Security Standard; Privacy Shield, also commonly listed, was invalidated as a basis for EU-US data transfers in 2020. Keep in mind that a provider’s certifications cover the underlying infrastructure only; under the shared responsibility model, your partner remains accountable for how it configures, patches, and operates its own systems on top of it.
All data in the PrismHR system is encrypted before being sent to or stored in the cloud to prevent it from being captured while in transit or at rest. PrismHR is hosted in a private cloud at a leading enterprise cloud provider which adheres to the latest standards and is subject to regular third-party audits.
Disaster Recovery (Environmental & Cybersecurity)
Having a business continuity plan and the infrastructure to get your operations back online after a disaster is essential to mitigating disruption and revenue loss. But many companies prepare only for an environmental disaster (e.g., tornado, earthquake, space invasion).
Cyber disaster recovery helps ensure your organization (or your partner’s) can restore operations quickly from a cybersecurity incident. And the fact is, the frequency of cyber incidents makes this type of planning even more essential.
PrismHR maintains and regularly tests business continuity, incident response, and disaster recovery plans for both environmental and cybersecurity incidents.
Email Security & Awareness Training
After all this tech talk, it’s important to remember that people are your #1 vulnerability. Cyber criminals prey on unsuspecting employees through social engineering techniques, including phishing attacks.
Email security describes procedures and techniques for protecting email accounts, content, and communication against unauthorized access, loss or compromise.
Because email-based attacks rely on the (unintentional) cooperation of an unsuspecting user, many vendors bundle security awareness training for employees with their email security solution.
PrismHR uses an advanced email security solution designed to stop email threats, including credential phishing, malware, and business email compromise (BEC).
In addition to the security awareness training PrismHR employees already complete annually, we are implementing a more comprehensive program for our teams. The additional training will include phishing simulations and education on tactics used in email attacks so our employees can better identify threats targeting our people.