Your own worst enemy: Payroll data and the insider threat

Global payroll managers have undoubtedly been familiar with concepts such as data protection, information and cyber security for years. But as the array of potential threats continues to mount, it is becoming increasingly apparent that responsibility for safeguarding payroll data lies beyond just the information security team.

While it is right and proper that the security team should remain in control of strategy, policies and processes, the day-to-day activities of the entire workforce also have a significant impact on the organisation’s security profile. Nowhere is this more true than in the payroll function, where information has become a growing target for wrong-doers both inside and outside of the business – and where, when things go wrong, the ramifications can be damaging and protracted.

Take the example of Morrisons, a UK supermarket chain. It experienced a serious data breach in 2014 when an insider with a grudge published payroll and financial information online about the company’s employees. While the former worker has now been jailed for his actions, the rest of the staff were outraged, feeling that not enough had been done to secure their sensitive, personal information and deeming it a “blatant failure”.

A couple of years later, this outrage led to a group action by more than 6,000 Morrisons workers against their employer, a case that is due to be heard later this year. Morrisons is vigorously denying any wrongdoing and may well be vindicated.

For instance, the Information Commissioner’s Office (ICO), which is tasked with enforcing the Data Protection Act (1998) in the UK, did not consider formal regulatory action to be “appropriate” as the retailer appeared to have suitable “technical and organisational measures” in place to prevent such incidents from occurring. The former employee had required access to the compromised data as part of his role and had abused Morrison’s trust, an ICO spokesperson said, adding that it had made some recommendations to the company to help it strengthen existing controls.

But however you look at the situation, it is not a good position for the firm to be in. Being sued by your staff is never going to be positive in terms of employee relations and, when combined with security implications, has the potential to be calamitous.

Insider threats

We already know that one of the hardest threats to deal with is that of highly-motivated insiders - just ask the US National Security Agency if you need any proof of that. Such people can inflict huge amounts of harm, leading not only to financial loss but also causing reputational damage that can hit both the organisation’s bottom line and its employer brand.

But insider threats are something that all organisations face. In the US, for instance, angry employees at Seagate started a class-action lawsuit against the data storage vendor in September last year after an HR colleague clicked on a phishing email, leading to sensitive staff data being exposed. To make matters worse, the HR professional also handed over W-2 wage and tax statements as well as other personal information belonging to both previous and existing employees.

Another important issue to explore, meanwhile, is motivation. In many cases, the incentive for launching cyber-attacks is clear: that is, to make money or get hold of sensitive data to make money.

But sometimes the motivation is not quite as straightforward. The Morrisons incident, for example, included elements of revenge as the individual concerned was in the middle of a disciplinary process due to some very serious allegations that had been made against him.

In other words, making assumptions about motivation can actually hamper our ability to come up with a rounded strategy, which in Morrison’s case could have included pastoral care to help mitigate the risks.

With this in mind, it is important to note that risk mitigation is not simply about technical controls. It requires thought and the development of a suitable risk management strategy, particularly in areas such as outsourcing and off-shoring. While such activities can offer significant cost savings and efficiency gains, they must also fit in with the organisation’s risk appetite.

Being prepared

As a result, it is vital to undertake due diligence and include stipulations in your service level agreements as to where your data should be stored and how it should be sanitised if moved.

If the data is stored off-site, it is also important to have the right to audit it as and when you wish to reassure key stakeholders that it is being adequately protected.

Such issues will become even more important when the European Union’s General Data Protection Regulation comes into force in 2018, not least because a serious data breach will attract fines of up to 4% of global turnover.

Therefore, it is important to ensure that payroll and HR staff are adequately trained in existing and forthcoming data protection legislation. This means ensuring information is delivered in language that they can understand: using examples that mean something to them.

But it is also important to bear in mind that, while people can be your most effective ally in information security terms, they can also be your worst nightmare. Training will help to guard against unpredictable behaviour such as clicking on a phishing email, but technical controls are also useful to spot and neutralise any rogue actions that may occur.


 Segregating information is likewise vital, but while many organisations do already separate and protect their payroll and HR data, it may be sensible to ensure access is on a read-only basis. By segregating tasks, roles and information, only the appropriate people will have access to the information they need, when they need it and how they need it. They will likewise be made responsible for ensuring that the information is correct, accurate and protected.

System lockdown

Disabling USB ports or CD burners on machines with access to the most sensitive data might also be worth thinking about, however, as they are the most common means by which people steal information. An alternative approach is to issue appropriate users with encrypted USB sticks and give them sole network access rights so they can transfer data when they need to. If network monitoring tools are deployed to back up this policy, payroll managers can be made aware at all times of who has been doing what, when and why.

It should be noted though that introducing network monitoring tools with no plan in place for how to analyse or act on the information they produce will render your purchase an expensive waste of time. If you are going to deploy them, set up a response team, train them in what they need to do and practice it.

Failing to do so has the potential to lead to massive data breaches such as the one that hit US retail chain Target in 2013. The company was warned several times of suspicious activity on its network but failed to do anything, which led to criminals having access to its network for two weeks.

So the moral of the story is that payroll applications need to be locked down tight. Allowing no one but authorised administrators to download software, for instance, will help prevent web-surfing employees from infecting the system inadvertently. Success will vary depending on your commitment to getting it right and how well you educate your teams on the risks. But, given the potential consequences, it has to be worth a shot. 

Mike Gillespie, co-founder and managing director of information and physical security consultancy, Advent IM, is an experienced information security practitioner of many years’ standing. An active member of the Security Institute since 2008, Mike was voted onto its board of directors in 2013 and given special responsibility for cyber-research and strategy. Having been a member of the Centre for Strategic Cyberspace and Security Science’s Global Cyber Security Select Committee for some time, he has now taken on the role of vice president of its C3i Group, which focuses on reducing the vulnerability of national infrastructure. Mike is called upon regularly to speak at events and contribute editorial to numerous media outlets, including the BBC and The Sunday Times.