Everyday IT security terms for HR professionals

Roly Walter
2nd June 2018

According to a recent report, the UK is the country most breached by cyberattacks in Europe. The online threat is very real and one that companies ignore at their peril. With so much technology now being used to manage everything from performance and engagement to training and development, HR professionals need to have a clear idea of what protection is available and what they should look out for. But do you really know what you’re talking about? Do you have the confidence to make decisions on how to keep your workplace safe? Here we take some of the most common IT security terms and explain them in plain English to help you feel more comfortable when reviewing online protection.

What is single sign on?

Single sign on is often abbreviated to SSO. It means that you can use the same user ID and password to log on to a variety of different systems that have been set up by your organisation.

Why use it?

We all know how difficult it is to remember lots of different logins and passwords, so this is a really helpful function for employees and will help them to embrace any new system that you introduce. It means there’s nothing new to remember and they can get up and running very quickly using details they are already familiar with. It also means your IT help desk won’t be inundated with password reset requests, as employees can change their password for all systems in one go, quickly and easily. Less administration is always good for everyone in the business. It also makes your systems more secure, as it reduces the chances that employees will write password details down and leave them lying on their desk.

What is two-factor authentication?

Security these days is all about having multiple layers, so that if one layer is compromised there’s another to prevent unauthorised access. Two-factor authentication, abbreviated to 2FA, is a form of multi-factor authentication (MFA) and usually involves using your phone to log in to a site as well as your password. You may have had a text message containing a 6-digit code to type in – that’s 2FA in action. Even if someone else knows your user name and password, they’ll also need your phone to log in as you.

Why use it?

Barely a week goes by without another story about a major breach of online security in some of the world’s largest and, in theory, most secure organisations. Cyber-attacks are here to stay, and businesses need to do all they can to protect their systems and their data. Two-factor authentication provides an extra layer of security that makes login details much harder to misuse if they are given out to the wrong person. As almost 90% of cyber breaches are caused by human error, this kind of process will make those mistakes less damaging.
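The 6-digit code described above is most often produced by a standard called TOTP (the same mechanism authenticator apps use; a text-message code is delivered differently but checked in the same spirit). The following is an added illustration, not code from the original article, of how the receiving system checks such a code: it allows one step of clock drift, rejects a code that has already been used, and compares in constant time. The test secret and code values are the published RFC 4226/6238 test vectors.

```python
import hashlib
import hmac
import struct

DIGITS = 6          # length of the code the user types in
STEP_SECONDS = 30   # how long each code is valid for


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated
    to the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the current 30-second
    time step, so phone and server independently derive the same code."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_used: int = -1, window: int = 1):
    """Return the time-step counter that produced `submitted`, or None.

    - Accepts the current step and +/- `window` neighbours to tolerate
      clock drift between the phone and the server.
    - Rejects any counter at or before `last_used` so a code that was
      already accepted cannot be replayed by someone who saw it.
    - Uses a constant-time comparison so response timing does not reveal
      how many digits of a guess were correct.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    current = at_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None
```

The caller stores the returned counter against the user and passes it back as `last_used` on the next attempt.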

What does API stand for?

API stands for Application Programming Interface. In simple terms, it’s a link that allows two applications or systems to talk to each other. Each time you use an app on your phone or send an instant message you’re using an API – it is the link or messenger that takes your request, tells the system what information you want and delivers it back to you. In HR, you’ll want to use an API to connect an HR system to another cloud system to save you entering employee data twice.

Why use APIs?

Using an API with HR systems usually means automating an otherwise tedious manual process, which helps to eliminate human error. An API also allows real-time updates. Let’s say an employee leaves your organisation: as soon as you deactivate them in your HR system, the APIs can immediately deactivate that person in all other connected systems too. If this is left to a manual process, it would be easy to forget, and a forgotten account can end up being a security issue.
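The leaver scenario above, as an added example that is not part of the original article: a leaver event fans out to every connected system, reports any system where the API call failed rather than silently dropping it, and a separate reconciliation check finds accounts that are still active in a connected system for people who have left (exactly the gap a manual process leaves). `ConnectedSystem` is a constructed stand-in for a real cloud system’s API.

```python
from dataclasses import dataclass, field


@dataclass
class ConnectedSystem:
    """Constructed stand-in for a cloud system reached over its API.
    `fail=True` simulates the API call erroring (outage, expired token)."""
    name: str
    active_users: set = field(default_factory=set)
    fail: bool = False

    def deactivate(self, employee_id: str) -> None:
        if self.fail:
            raise ConnectionError(f"{self.name}: deactivate call failed")
        self.active_users.discard(employee_id)


def offboard(employee_id: str, hr_active: set, systems: list) -> list:
    """Leaver event from the HR system: mark the person inactive in HR,
    then deactivate them in every connected system.  Returns the names of
    systems where the call failed so they are retried or handled by hand
    instead of being forgotten."""
    hr_active.discard(employee_id)
    failed = []
    for system in systems:
        try:
            system.deactivate(employee_id)
        except ConnectionError:
            failed.append(system.name)
    return failed


def orphaned_accounts(hr_active: set, systems: list) -> list:
    """Reconciliation check to run on a schedule: (system, employee) pairs
    still active in a connected system although the person is no longer
    active in HR.  A non-empty result is an access-control problem."""
    return sorted((s.name, uid)
                  for s in systems
                  for uid in s.active_users
                  if uid not in hr_active)
```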

What is ISO27001?

ISO27001 is a global standard that helps organisations keep information assets, such as financial or employee data, secure. An ISO27001-certified organisation will have an ISMS (information security management system) in place, which describes a systematic approach to managing sensitive company data so that it remains secure. The ISMS encompasses people, processes and IT systems. The standard has been developed to help ensure an ISMS is created, maintained, reviewed and improved to the best possible standard. It doesn’t mandate specific controls but provides a checklist for organisations to follow. To be certified, the organisation must prove to an independent certifier that it is carrying out its own requirements under the ISMS.

Why is it important?

Being certified to ISO27001 shows existing and potential customers that an organisation has defined processes in place to protect sensitive data and follows best practice in this area. It is an auditable international standard that defines the requirements of an ISMS, and certification shows that you are a business that can be trusted to handle data securely. Note – there are other security standards that also provide reassurance, but ISO27001 is probably the best known.

What is a Penetration Test?

A Penetration Test, sometimes known as a Pen Test, is an authorised attack on a system to find its weak and strong points. The test is often carried out by an independent security consulting organisation to ensure unbiased results. The consultants will look for anything from servers left unprotected to simple programming errors.

Why do a test?

With cyber-attacks increasing, penetration testing is becoming more important, especially when you’re considering any new systems or updating existing ones. It’s much better to spot vulnerabilities before an attack happens than to clear up in the wake of a security breach and all the problems that brings.

Any cloud provider you use that holds sensitive data should perform regular penetration tests and should be able to show you some of the results before you use the service. You may not see all the results in detail, because giving them to you might compromise the provider’s own security, but something should be offered. You could stipulate in your contract that a pen test is carried out at least annually, for instance, or you could ask to perform your own test using your own security personnel.

When looking for an HR tech provider, security has to be a top priority. Explore whether they can explain to you in clear and simple terms how they will protect your data and the security of your organisation. If you get an answer that you don’t understand, think again and look for a provider you trust to keep your business safe.