Four Workday security considerations for technology companies

In this blog, we discuss emerging trends within the technology sector and how securing business-critical data in Workday can alleviate the impact of disruptive change.
Date posted: 22 June 2023
Reading time: 6 mins
Author: Patrick Sheridan, Kainos Security Expert & Workday Security Product Lead

The technology sector is experiencing a significant transformation globally. Industry disruptors like Artificial Intelligence (AI), socio-economic uncertainty, data commodification, and accelerated digital transformation mean companies that leverage Workday must quickly adapt. Despite Workday Security’s reliability, this mix of technological, cultural, and workforce change can have profound implications for data security, privacy and audits if left unchecked.

Here, Patrick Sheridan, Kainos Security & Compliance consultant, explores the impact these industry-wide shifts can have on the Workday security environment, while addressing how consistent Workday governance and compliance isn’t out of reach for the technology sector.

Don’t let downsizing weaken Workday security

In recent months, challenging economic conditions and rising inflation have resulted in many tech giants resorting to staff downsizing in order to reduce overheads. This increasingly prevalent practice can have tangible impacts on a company’s data security.

When Workday security teams are affected by layoffs, the loss of expertise leaves the remaining staff doing more with less, which leads to burnout. This then hinders the adoption of new security configurations during updates, as well as consistent and effective validation of existing security functionality.

Automating tasks, such as with service steps in business processes, can help mitigate these issues by relieving the burden on leaner, stretched teams. For example, the "Remove User-Based Security Groups" service can automatically revoke access when terminating a user, reducing security team workload while offering accuracy and assurance.

Approach flexible working arrangements with data security in mind

Technology companies are front runners when it comes to remote and flexible working. Workday IT and security teams are then challenged with ensuring organisational data is protected, especially when it is accessed over unsecured public Wi-Fi hotspots in places like coffee shops and airports. If a breach were to occur, severe legal, financial, and reputational consequences would naturally follow.

To mitigate the exposure of sensitive data in remote working situations, companies can leverage the security mechanisms available within Workday by adjusting the authentication policy to restrict the access of Workday users. This configuration ensures that certain categories of data, such as compensation, personal and financial information, remain inaccessible when users are not connected to an authorised network. Implementing these modifications plays a pivotal role in guaranteeing that individuals accessing sensitive information are connected to a secure and authorised network range. While this functionality exists, it remains the responsibility of the individual organisation to apply these security measures in accordance with their unique needs.

AI doesn’t have to be a negative “disruptor”

Workday security group permissions are a crucial measure of protection for organisations, dictating the level of access individuals have to sensitive personal and financial data. As such, they need to be closely monitored. In the event that access is granted incorrectly, it is necessary to identify and revoke it immediately to prevent potential security breaches.

When security teams are downsized, it can lead to staff burnout as the increased demand to test security controls surpasses the reduced capacity. Consequently, this can hinder systems, like Workday, from adopting the latest security configurations during bi-annual releases because users lack the necessary time to implement new functionality.

Furthermore, layoffs can result in a loss of expertise as experienced team members leave the company. Managing changes to Workday's configuration requires Subject Matter Experts (SMEs) who possess in-depth knowledge. With potential knowledge gaps, security configurations can be compromised, leading to increased risks.

Regularly reviewing security access levels can be a painstaking, manual, yet essential process. For example, when a user changes positions, their level of access to Personally Identifiable Information (PII) must be reassessed, and adjusted if necessary. In large enterprises, this could be a constant, overwhelming task.

Automation enhances the efficiency of Workday security

Automation can help you easily navigate the complexities of Workday security. Designed exclusively for Workday, Smart Audit offers always-on Workday security monitoring, ensuring your internal controls are performing as expected. This eliminates the need for security professionals to manually test and validate the effectiveness of controls, alleviating time constraints on resource-limited teams.

Smart Audit detects and alerts on segregation of duty conflicts and system access risks in Workday. This helps mitigate fraud or accidental wrongdoing by proactively identifying potential audit or compliance risks. With Smart Audit, you can quickly pinpoint which individuals can perform specific actions that may pose a risk, such as accessing PII or financial data without a valid reason, allowing you to prevent conflicts before they occur.

Additionally, Smart Audit streamlines the audit process by instantly reporting on the effectiveness of your organisation's internal controls. This simplified approach to evidence-gathering is particularly valuable to publicly traded or IPO-facing companies that must ensure transparency in their reporting processes.

Bonus: Launching an IPO requires full transparency for regulatory compliance

Not every technology company has an IPO on their agenda, but it’s no secret that they dominate the IPO listings – in 2021 the sector raised £6.6 billion through IPO on the London Stock Exchange – its highest in 14 years. For Workday and security teams involved in preparing for an IPO, regulatory compliance should be a key consideration. This is especially true for US-based companies, as they must comply with the Sarbanes-Oxley (SOX) Act. Segregation of duties (SoD) is a crucial control in this respect. It helps prevent fraud like asset misappropriation and intentional financial misstatement by separating responsibilities, ensuring no employee can both commit and conceal errors or fraud.

In a Workday context, it’s critical to ensure that users cannot independently complete a business process or perform a task without involving another user within a specific business cycle. However, implementing segregation of duties and conducting an SoD audit can present challenging obstacles for organisations, despite being vital internal controls for managing risk. For further insights please refer to my previous blog post on how to win at segregation of duties in Workday.
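
As an added illustration (not from the original post, and not Smart Audit's or Workday's own logic), the check described above can be sketched over a constructed export of user-to-security-group assignments: flag any user whose groups let them act on every step of a business process alone. The group names, process steps and the `find_sod_conflicts` helper are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample data: group names and process steps are illustrative,
# not exported from a real tenant.
ASSIGNMENTS = [
    ("alice", "Supplier Invoice Creator"),
    ("alice", "Supplier Invoice Approver"),
    ("bob", "Supplier Invoice Creator"),
    ("carol", "Supplier Invoice Approver"),
    ("carol", "Compensation Partner"),
    ("dave", "Compensation Partner"),
    ("dave", "Compensation Approver"),
    ("erin", "Compensation Approver"),
]

# Each process lists its steps and the security groups allowed to act on each.
PROCESSES = {
    "Supplier Invoice": {
        "initiate": {"Supplier Invoice Creator"},
        "approve": {"Supplier Invoice Approver"},
    },
    "Request Compensation Change": {
        "initiate": {"Compensation Partner", "HR Partner"},
        "approve": {"Compensation Approver"},
    },
}


def find_sod_conflicts(assignments, processes):
    """Return (process, user, {step: groups}) for users who can do every step alone."""
    groups_by_user = defaultdict(set)
    for user, group in assignments:
        groups_by_user[user].add(group)

    conflicts = []
    for process, steps in sorted(processes.items()):
        for user, groups in sorted(groups_by_user.items()):
            # Groups that let this user act on each step of the process.
            held = {step: sorted(groups & allowed) for step, allowed in steps.items()}
            if steps and all(held.values()):
                conflicts.append((process, user, held))
    return conflicts


if __name__ == "__main__":
    for process, user, held in find_sod_conflicts(ASSIGNMENTS, PROCESSES):
        print(f"SoD conflict: {user} can complete '{process}' alone via {held}")
```

Re-running the same check after a position change or a group removal shows whether the conflict has actually been cleared.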
