If you have employees, then by default you’re the keeper of some pretty sensitive information—full names, addresses, Social Security numbers, dates of birth and bank accounts, basically everything needed to steal an identity. You don’t need much of an imagination to realize that a security breach to your Human Resources Information System (HRIS) could be devastating, not just to your employees, but to your company’s reputation.

Recent statistics show that hackers don’t necessarily discriminate based on industry or size of business. In fact, they might actually be counting on smaller businesses being weaker in the security department, says Brenda Rowan, director of operations and payroll at XMI.

“Last year really saw an uptick in security threats at all levels,” she says. “We saw a lot of different industries be more vulnerable and it became clear that you don’t have to be a big, well-known company to be at risk.”

Everyday security precautions such as using strong passwords and not accessing your HRIS over public WiFi can go a long way toward keeping cybersecurity threats at bay. But when it comes to protecting sensitive employee data, employers should consider additional security measures, like multi-factor authentication for HRIS.

What Is Multi-Factor Authentication?

Multi-factor authentication, or MFA, adds a layer of protection to the account verification process. It requires users to prove themselves in two different ways before gaining access to their account.

When the gas pump prompts you for your billing zip code, that’s MFA in action. Same with accessing your account from an ATM. In both cases, the first factor is the card itself; the second is a piece of information that only the authorized user of the card should know. Other options include security questions and one-time unique verification codes sent to either SMS, email or served up on authenticator apps (such as with Google Authenticator). Here’s a great primer of MFA options from the Electronic Frontier Foundation.

Making the Case for Multi-Factor Authentication for HRIS

Billions of people were affected by data breaches in 2018. Weak or stolen user credentials are hackers’ weapon of choice, used in 95 percent of all web application attacks. Unfortunately, “123456” and “password” are the two most common passwords leaked by hackers, according to an annual list compiled by SplashData. Add to that the fact that password theft is constantly evolving as hackers employ methods like keyloggingphishing and pharming, and you can see how important MFA becomes.

What’s more, cyber criminals do more than merely steal data. Often, they destroy data, change programs or services, or use servers to transmit propaganda, spam or malicious code. MFA protects your sensitive data and information from malicious activities, and it ensures that a password alone is not enough for an attacker or intruder to compromise your sensitive employee data.

XMI Adding Multi-Factor Authentication to HR Manager Portal

In response to this increased threat, XMI is rolling out MFA to all of its HR manager-level users in the coming weeks.

“We know our software has the highest level of security available, but we decided that MFA provided an added layer of protection so that our clients know that their data is always in the right hands,” Rowan says.

Users will have to confirm their identities via email or SMS-based text messages via their mobile device.

For the employee portals, XMI is working with clients one-on-one to determine how much additional security their employees can bear.

“We know employers will want to balance employee accessibility with security, weighed against the riskiness of the data,” she says. “We have to be mindful that any additional security measures implemented will benefit employees and not hinder their access.”