Keeping Your PEO Data Secure: PrismHR at the Security Seminar

By PrismHR

This post details highlights of the “Cyber Security & Your PEO’s Operations & Finance” session at the NAPEO 2015 CFO/COO Seminar in Salt Lake City. Britt Landrum III from Landrum HR moderated the discussion and Gail Holmberg, CIO/COO of Tandem HR and Keith Knowles, VP Product Management and Marketing, PrismHR highlighted ways to keep your data safe.  You can learn more about PrismHR Security.

The Threat

When cyber thieves break into a computer system and access or steal data, it tends to make headlines these days.  Whether is the estimated $35 Million IT cost to fix the Sony hack, the 8.8 million BCBS members that were affected by the Anthem attack, or the recent Office of Personnel Management breach that exposed every single federal employee, cyber thieves are more active and bold than ever.

But you may be wondering what really happens in an attack like this and what the thieves are looking for.  Usually they are looking for email addresses, credit cards, social security numbers, addresses and health information that can either be sold to other cyber-criminals or used by the perpetrators in a phishing attack.  By using real data and having an unknowing suspect provide additional details, the cyber thieves can get access to finances, create fake identities, even issue false medical bills. And the more information the thieves can pilfer, the better.

In fact, Reuters notes that “Your medical information is worth 10 times more than your credit card number on the black market.   Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number.”   The key point here for PEOs is that it’s not just access to a credit card number or an email address that thieves are looking for.  With information about benefits plans, a criminal can get access to health information in a way that could be even more profitable for him or her than ever before.

Current state: What do you need to protect?

There are a range of laws and regulations on the state, local and industry level, along with requirements from your business that will steer you towards the right approach here and that data ranges from personally identifiable information, to proprietary information about your business.

For example, 46 states have data privacy laws that cover personally identifiable information including social security numbers, driver’s license, financial accounts and more.  Many of these laws require third party reviews, response plans and outline the implications of a breach, including communications and possible fines.

Proving it out and mitigating risk

If you are like most PEOs, you are using or planning to use a cloud-based human resources software solution to run your PEO.  But how do you know that the system your are using is secure?  There are a range of certifications and standards that help ensure the both the system and the people and company behind it are following proper procedures to minimize the likelihood of a security breach.  These include the following that you should look for when evaluating technologies:

  • SSAE16 (SOC 1, 2, 3) – These are audits delivered by  members of the American Institute of CPAs that verify that both systems and processes are detailed and that consistently followed.
  • ISO 27001 and 27002 provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS), and include hundreds of potential controls and control mechanisms.

It’s Not Just Your Data Center

You also need to be aware of and ensuring the security of a range of touchpoints, not just your work computers and your data center.   You need to make sure that you are protecting your data in the wild including email, file transfers, reports, user interfaces, and of course, the myriad of devices that access your system.

Protect and Monitor

When choosing a cloud based system, be sure to look for one that includes Web Application Firewalls, hardware that learns about your traffic, and stops things that don’t resemble your traffic.  Also be sure that the provider monitors ports, and constantly scans externally facing systems to make sure nothing is open that shouldn’t be.  Lastly, make sure that your provider has experts on staff that constantly monitor the system for possible intrusions, and can provide guidance and assistance on how to address them.

This is not something you should leave to chance. Doing it on your own, requiring your IT team to do places added burden and cost on your team, and frequently is outside their area of expertise.   You need to protect and monitor to secure your perimeter and constantly monitor for attacks.

Public vs. Private

You need to be aware of not only how you access your system from your office, but also how data is transferred within your datacenter, as well as how your cloud provider setups your data.

Consider a private network, as public networks allow others to listen for traffic and find exposed data.  By using a private network between your facilities and even within your datacenter, you can cordon off your data, and make it harder for thieves.   And you most likely will want to explore a private cloud vs. a public one.

A public cloud allows greater access to your data, whereas a private cloud, with private data separation reduces your overall risk.

Safe Application Code

If the code that powers the system you are using has issues, there could a security hole that allows thieves to get access to your data.   Make sure that you or your vendor is both penetration testing and application scanning.

Be sure to look for 3rd party, unbiased testing as well.   Put simply, continuously looking for deprecated, at risk code, at both the system and user level is critical to fend off attacks.

Physical Security

It’s not just your systems that you need to be worried about.  Keeping the data center facility secure is crucial too.  Be sure that you taking advantage of the following:

  • Keycard protocols, biometric scanning protocols, and around-the-clock interior and exterior surveillance
  • Access limited to authorized datacenter personnel—no one can enter the production area without prior clearance and appropriate escort
  • Background security checks for all with access to data center

User Security

How your users access the system, and the data they have access is also extremely important.   Look for a system that allows single-sign on, as this will be easier to control and maintained.  Additionally, having a system that allows you use both predefined and custom roles that govern who can see what data will be helpful.  This should cover access at the user level to fields, reports, menus and forms.

Lastly, in the future more advanced systems will make use of two factor authentication, moving beyond just a user id and password, and adding in a continuously changing code that is only available on something the user has in their possession, like a smartphone.   This combination of both something the user knows AND something the user has is currently one of the most effective ways to reduce unauthorized access to systems.


Encryption is making information unreadable to anyone except those possessing special knowledge, usually referred to as a key (Wikipedia).  There are two main types of encryption to make sure you have in place:

  1. Encryption at rest – Refers to data storage — either in a database, on a disk, or on some other form of media.
  2. Encryption In transit – Data which is encrypted as it traverses a network — including via web applications, smart phone apps, chats, etc.

The presentation included a number of additional topics, including the need for a detailed disaster recovery plan and the supporting systems in place for disaster recovery, which we will discuss in a future blog post.

Clearly, there is a lot to think about to keep your business safe and most importantly to protect your customers.  Does your current PEO take care of all of this? Do you have the right expertise in place to ensure security?   If you aren’t sure about that or if you answered no, then it’s definitely time to get a demo of PrismHR.

PrismHR takes security seriously. Contact us today to learn more.