Keeping payroll data safe

Security threats of one kind or another continue to pose risks to companies around the world, whether in financial or reputational terms and everything else in between.

High-profile data breaches, for one, seem to be in the news almost daily, often with disastrous consequences. Facebook, for example, now faces a potential US $1.6 billion fine following an incident that led to the data of about 30 million users around the world being stolen.

But considering how much valuable information, ranging from employee bank account details, home addresses, social security numbers and pay rates, is involved in the payroll process, professionals have a particular responsibility to follow best practice here too.

To use a cliché, data is increasingly becoming the ‘new currency’ and its high value means that it can be hugely damaging for both individuals and their employers if it ends up in the wrong hands.

Although workers have the right to expect their employer to hold such information securely and responsibly, our Workforce View 2018 report revealed that 31% of European staff are not convinced this is the case. In fact, 16% feel that their company’s systems could be vulnerable to either an attack or data breach.

So what can be done to ensure this situation does not come to pass?

While most companies are aware that they need to keep their anti-virus software up to date, the same is not necessarily true of their employees – even though each and every staff member is responsible for keeping the organisation’s information safe, and that includes payroll.

As a result, the first step is to develop robust data policies. It is also important to spend further time and resources on training payroll professionals both in how to follow these procedures and how to safely handle the data held in their systems.

Such training should consist of more than just a few presentations though. It should also include scenario-based learning, in which employees are made aware of the various situations they could face.

Behaving responsibly

For example, phishing and social engineering are becoming increasingly popular modes of attack, with cybercriminals employing a number of techniques to coerce employees into clicking problematic links. Possible approaches here include a criminal posing as a colleague from another department in order to obtain access to information.

In this instance, employees are encouraged to undertake a series of agreed checks prior to disclosing any data at all. But undertaking run-throughs of these situations by sending staff suspicious emails to see how they respond should help to keep everyone alert and less susceptible to attack.

Because it is vital to remember that cybersecurity practices are not something that can be done once and forgotten about. In the same way that your front door must be locked and the burglar alarm set each day to keep your house secure, undertaking regular cybersecurity checks is part of an ongoing process.

For example, it is important to work with the IT department to ensure your operating systems and anti-virus software are consistently patched and updated. Running old versions of software can potentially open up holes in your systems’ defences.

It is also imperative that you treat your computer password in the same way you would your bank personal identification number. Payroll professionals often have admin rights that can afford wrong-doers a broad spectrum of system access if they are not careful. This means it is critical to ensure passwords are neither easy to guess nor written down.

But one of the most insidious aspects of a cyber-attack situation is that it can take time to realise what has happened. Although the attacks themselves may take place rapidly, statistics show that 68% of the security incidents that took place in 2017 took ‘months or longer’ to be identified.

The problem here is that this extra time provides hackers with even more opportunity to steal and use confidential data. Therefore, it is important to conduct regular and thorough data reviews in order to spot any issues or irregularities.

Cyber-attacks represent a serious threat to the business and can be extremely difficult to recover from, leading to legal, financial and reputational damage. This makes it vital that payroll professionals are vigilant about the data they handle in order to ensure that neither their employer’s nor their colleagues’ trust is breached.

David Woodward  

David Woodward is ADP’s senior vice president of product development for Europe, the Middle East and Africa, Latin America and Asia Pacific. Prior to his current role, he worked for a number of international organisations within the human capital management space, most recently as chief product officer for SD Worx UK.