It seems like every day a new data breach is in the news. In fact, there have been 1,140 data breaches in the United States so far this year (that's 3.75 incidents per day), according to the Identity Theft Resource Center. At this pace, it's hard not to think about cybersecurity and what we can do to protect ourselves and our data. For HR professionals, who are responsible for a tremendous amount of employee data, keeping that data secure must seem daunting, if not overwhelming.


As a cybersecurity professional for more than two decades, I understand the challenge. The good news is that a simple change in mindset can go a long way toward keeping HR data secure, particularly when it comes to health benefits data. To do this effectively, cybersecurity must become more than a checklist of best practices and industry standards; it must include an ongoing conversation about risk management.


Today, HR and benefits managers have countless digital tools at their fingertips, making it easier than ever to purchase, deploy, integrate, administer, and measure a wide range of employee benefit solutions. Many of these are digital health solutions with great potential to deliver healthcare navigation and improve the healthcare value equation for both employer and employee. But with all of these new apps, programs, and services come additional concerns about employee data privacy and security.


Employers are responsible for ensuring their employees' personal data and health information remain safe throughout their employee benefits and health programs. That means HR and benefits managers must not only help their company and employees get the most value from all of these innovative HR and digital health solutions, but also actively manage cyber risk and protect employee information.


The good news is that the threats we see today are not that much different from the threats of 25 years ago, when I began my career. The main difference is scale: the number of endpoints has multiplied because each employee now has a laptop, a smartphone, and other devices such as fitness trackers. That's why it's important to practice good cyber hygiene. And HR leaders, who manage a company's administrative systems, hold large amounts of employee data, and handle onboarding of new employees, should play a big role in this.


Good cyber hygiene may start with a checklist to ensure compliance with best practices and industry standards, but it can't end there.


To actively manage risk, HR leaders and health benefits professionals should keep three principles top of mind:


1. All data is not equal.

Many organizations give their public information the same level of protection as their private information, such as financial reporting data, intellectual property, and especially personal health information or other personally identifiable information. Treating these types of information the same way is neither cost effective nor an effective way to manage the risk of losing the data that actually matters.


Instead, organizations should know the types of data they hold and define the associated level of protection for each. In addition, knowing where and how this data is stored and how it moves across the enterprise is crucial. The mobility of data today is a blind spot for many organizations, which makes it very difficult to protect. For this reason, data protection models need to include protection that travels with the data itself (for example, encryption bound to the record rather than to the server it sits on), so that protection is not solely dependent on the access control systems of whichever system currently holds a copy.



2. Patching, patching, patching.

If a tree falls in the forest and no one is there to hear it, does it make a sound? The evidence suggests that, too often, organizations are not even aware of the vulnerabilities that lead to security breaches. The Verizon 2016 Data Breach Investigations Report found that, of all detected exploits, most targeted vulnerabilities dating as far back as 2007.


In fact, vulnerabilities dating to 2003 still account for a significant share of successful attacks on software. The top 10 known vulnerabilities, across all years, accounted for 85 percent of successful exploits. We're not talking about being a little late with patching. We're talking about persistent neglect.


3. Something you have and something you know.

Identity is the one security control that every other control in computer security defense depends on: physical controls, firewalls, security domains, realms, and virtual networks all rely on correctly establishing who is making a request. A single compromised login password that grants access to one or more environments is the easiest path around every other security control. Passwords are a single point of failure and a considerable risk to our ecosystems.


We have been poking around the edges of the proverbial keystone of our security architectures, first by adding complexity requirements to passwords and then by adding single sign-on to the mix. To implement real security that reduces risk, organizations should implement two-factor or multi-factor authentication: something the user knows (a password) combined with something the user has (a phone app or hardware token that generates a one-time code), so that a stolen password alone is no longer enough to log in.
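The following is an added example, not code from the article or from any product it mentions, showing what the two factors look like on the server side: a salted PBKDF2 password hash for "something you know" and an RFC 6238 TOTP check for "something you have", with a small clock-drift window and replay protection so a captured code cannot be reused. The user record, password, and login flow are constructed for illustration; the TOTP secret is the RFC 4226/6238 test-vector key so the generated codes are reproducible.

```python
"""Two-factor login: password (something you know) + TOTP (something you have).
Added illustration; the UserRecord/login shapes are hypothetical, not a real product's API."""
import hashlib
import hmac
import os
import struct
import time

OTP_DIGITS = 6
OTP_STEP = 30            # TOTP time step in seconds (RFC 6238 default)
OTP_WINDOW = 1           # accept codes from +/- one step to tolerate clock drift
PBKDF2_ROUNDS = 600_000  # OWASP-recommended minimum for PBKDF2-HMAC-SHA256
SALT_LEN = 16


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = OTP_STEP, digits: int = OTP_DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Store salt || PBKDF2 digest; a fresh random salt defeats precomputed tables."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class UserRecord:
    """What the server keeps per user (constructed for this example): the salted password
    hash, the shared TOTP secret, and the last accepted TOTP counter for replay protection."""

    def __init__(self, password: str, totp_secret: bytes):
        self.password_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1


def login(user: UserRecord, password: str, code: str, now=None) -> bool:
    """Both factors must pass. Returns True only for a valid password AND a fresh, in-window code."""
    if now is None:
        now = int(time.time())
    # Reject malformed codes before comparing; compare_digest needs ASCII input.
    if not (len(code) == OTP_DIGITS and code.isascii() and code.isdigit()):
        return False

    password_ok = check_password(password, user.password_hash)

    # Check every counter in the drift window; keep looping after a hit so the amount of
    # work does not depend on which step matched.
    counter_now = now // OTP_STEP
    matched = None
    for counter in range(counter_now - OTP_WINDOW, counter_now + OTP_WINDOW + 1):
        if hmac.compare_digest(hotp(user.totp_secret, counter), code):
            matched = counter

    # A code is only good once: it must come from a later step than the last accepted one.
    code_ok = matched is not None and matched > user.last_counter

    if password_ok and code_ok:
        user.last_counter = matched   # burn the code so a replay within the window fails
        return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector key, so the codes below are reproducible.
    secret = b"12345678901234567890"
    user = UserRecord("correct horse battery staple", secret)   # constructed credentials
    fixed_now = 59                                               # RFC 6238 test time
    code = totp(secret, fixed_now)                               # "287082"
    print("first login :", login(user, "correct horse battery staple", code, now=fixed_now))
    print("replayed    :", login(user, "correct horse battery staple", code, now=fixed_now))
    print("bad password:", login(user, "Password1", totp(secret, fixed_now), now=fixed_now))
```

Two details matter in practice. The replay check (`matched > user.last_counter`) is what stops a phished or shoulder-surfed code from being reused inside the 30-second window, and it is commonly omitted in home-grown implementations. The password hash is still checked even when the code is wrong, so an attacker cannot tell which factor failed from timing alone.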
