Security in the world of HR with Amy Fallucca


Jeremy Cherny Podcast

Host: Jeremy Cherny interviews Amy Fallucca, CEO of Bravent 

“Bravent has been around for about four years. We are an HR consulting and recruiting company. On the HR side, we help with anything from handbooks, to advising on terminations, or employee performance. Then on the recruiting side, we work on a range of positions: professional, technical, and executive. We leverage technology to be really efficient in our process, and by doing that, we’re able to save our clients money. We’re typically about half the cost of contingent placement firms.”

Can you speak a little about security around your process in HR, and why security is important around that?

HR is not typically known as being the most tech-savvy group of people, I would say. Things are advancing and I’m fortunate to have worked for over 10 years within information technology companies so I think I’m a little unique from that standpoint. Security and human resources, it’s so important because it’s our biggest asset within our businesses. As HR professionals or business owners, it’s so critical that we securely store that sensitive information we collect from employees, because, if we don’t do that, we’re really breaching trust. 

How do you stay on top of the security threats and issues that are out there in the HR world?

One major thing that I would advise people is just don’t collect sensitive information you don’t need. Minimize the amount of information that you even have. For example, I saw an application that had a social security number on it; that really doesn’t need to be on the job application. You can collect that at a later point in time. So, number one is don’t collect sensitive information that you don’t need. Number two would be to leverage digital collection. If there is that type of information – social security numbers, dates of birth, medical information – leverage self-service entry as much as possible. So for example, if you’re running a background check, many of the services give the candidate a link where they can go and enter things like their social security number – I recommend that as much as possible. The same thing goes for your employees or the people who are on your team. As much as possible, have your digital records and an HRIS system that’s secure, versus physical files. Then the third: if you use physical storage, really make sure that it’s secured. This is something that we see frequently when we go and do audits of companies. The employee files might be in a file cabinet, but it’s in an office where the door is open and the cabinet isn’t locked. So really, fundamental physical storage best practices, like keeping it in a locked file cabinet, having designated key holders to prevent any unauthorized access, and then knowing your record retention standards and purging things regularly.

You talk about the storage, the physical versus the digital. Are there rules for how long they have to keep any copies of any of that specific information, either paper or digital?

There are federal and state standards for how long to retain certain types of documents. It depends on the document and where you’re located. I would say typically, it’s between five and seven years. Again, one thing I commonly see is either they haven’t stored it for long enough or they store it forever. So we’ve gone into companies that have been in business for 30 years, and they literally have all their paperwork for employees with social security numbers, going back that whole length of time. I think it’s always great every few years to take a look at what records you have, and purge those old records according to those standards. You can do a quick Google search to find human resources record retention regulations.

Are there any best practices for HRIS systems for protecting important data?

Having proper permissions set up is a major thing. Ensuring that the human resources department vs. the managers vs. the employees all have the proper permissions – that’s one thing that can go wrong. Other than that, making sure that you do good research on the tool and understanding what their approach or level of sophistication related to security is. At this point in the game, there are tons of great HRIS systems out there that are affordable and secure. I think it’s always nice to go that route, especially in a situation like COVID where you can access your data wherever you’re at as opposed to having them look in those physical file folders. So I love digital.

What do you see as the future of HR information security?

As we look at the technology, I think automation of low value, repetitive tasks is really going to continue to increase. We’re seeing it now, but it’s just going to expand as technology advances and becomes more sophisticated. When I first started my career, I remember using a recruiting system that was so basic, it was basically an Access database. It was really difficult to search, difficult to track people through a workflow. Now, we have really great recruiting systems that can post jobs automatically. I can remember going on Dice or Milwaukee Jobs and having to manually post in each of those places, and now with just the click of a button that can be done. Also with things like workflow automation: if we have 50 applicants for a position, we can do Boolean search strings to find the people that are the closest match. This helps us with reviewing. Maybe in the future that happens in a more automatic way, as opposed to having to build those strings. We also have an AI sourcing tool, which is really neat. It pulls the job descriptions that we have and uses the language to go out on the web on a huge number of different sources to find people that are fit for the job. They also have some indicators in terms of who they think is more active vs. passive. It’s good now, but I think in the future it’s going to be great if it can do some things in terms of automating outreach in a more personalized way rather than just sending out generic emails. I think that’s coming; it’s only a matter of time until it starts happening.