Today, cloud technology is used across many aspects of business, which makes it easier for companies to maintain processes as they scale.
“The reality is that every organization today is using the cloud,” says Adam Meyers, senior vice president of counter-adversary operations at CrowdStrike. “They’re doing it for cost savings or for efficiency, and they’re doing it because it’s the only way to actually scale things.”
But as he points out, there are also risks in doing so. New cloud intrusions increased 25% in 2024 compared to 2023, according to a recent report from CrowdStrike, which means more threat actors are looking to exploit cloud services. They can do this by sourcing valid credentials, such as an employee ID and password, to log into a cloud provider and then navigating the system to either locate critical information or deploy malware, Meyers notes.
This means companies today must consider what kind of data is put in the cloud, and this includes what kind of employee information HR leaders share with their cloud vendors.
While many organizations spend a tremendous amount of time thinking about how to protect their customer data, as there are many regulations around it, they don’t spend enough time thinking about how to protect employee data, Kim Seals, senior partner at West Monroe, a business technology consulting firm, tells Fortune.
“HR teams may have a third-party vendor that they’re sharing people-related data with that they have not put as much scrutiny on as they would have any third-party application that had their customer data,” she says. “And sometimes that’s due to HR not getting as much enterprise tech support as the business side.”
This leads many companies to make mistakes when it comes to sharing employee information with their vendors, including sharing more than necessary. That’s because companies often rely on a single internal census of employee data, such as a giant spreadsheet, and send the entire thing to every vendor to peruse. While this strategy is certainly easier, it’s not the right one, Seals notes.
“HR teams will often create one sort of generic interface file that has everything on it and every vendor gets that same file,” she says. “But what they really should be doing is going to each vendor and asking ‘What do you really need?’”
While it may take more time, HR leaders should look harder at exactly what each vendor requires and only share the “minimum amount of information about people required to get them to provide their service.” For example, a vendor that manages paid time off and vacation days may not need specific personal data around employee ages or location.
That data should also come into consideration when vendor contracts are up for renewal, she says. Companies should be regularly looking into the reputation of their cloud vendors, and whether they’ve had to report any leaks publicly or had any security issues come up in the last year. They should also look into whether the data is being encrypted (both when it’s in transit and at rest) and whether the vendors have the right access controls and identity management systems to ensure only certain people are accessing it, she adds. That should be “standard practice” and, if it proves too daunting, may require some assistance.
“HR has become and will continue to become more tech savvy, but they still need the support of enterprise tech to do some of these audits and to make sure these vendors are compliant, at the bare minimum.”