Protecting payroll

With GDPR high on the agenda and recent data breaches at TSB, originated by an IT meltdown, and Morrisons supermarket making headlines, businesses need to be more careful than ever before when handling payroll data

Data security was the theme for a round table at Reward Strategy’s Payroll & Reward Conference, which ran in partnership with The Learn Centre in June.

The roundtable, which brought together leaders from payroll bureaus, software providers and umbrella companies, was held in association with business payments platform Modulr, which were on hand to provide insights as to how payroll businesses could ensure data security and protect businesses’ reputation.

Modulr, which provides automated payment solutions for payroll providers, invited Mark Harrison from Pen Test Partners to speak on the issue. Pen Test Partners are cybersecurity and penetration testing specialists. Harrison explained how some of the most popular smart devices are riskier than initially thought - using data for anything other than their primary purpose.

Examples ranged from Amazon Echoes purchasing products mentioned in conversations overheard, hackers using smart kettles’ IP addresses to access personal financial details and an interactive children’s doll being used as a bugging device.

Roundtable participants spoke about the technical blunders and mishaps they faced in the world of payroll and beyond, focusing on the Internet of Things and malware, and the idea that the average home has five connected devices. Things like: ‘How good is the network your home or remote worker on?’ were discussed.

When it came to payroll specifically, many of the attendees thought the biggest risk was human error – both intentional and unintentional.

They referenced the case of Morrisons supermarket in 2014 where a former employee leaked payroll data, including salary and bank details, of thousands of employees. Employees were exposed to the risk of identity theft and potential financial loss.

Other personal examples included a worker who got themselves and colleagues infected by a virus from malware from an airport hotspot.

“Payroll professionals need to take steps to prevent personal data being misused or ending up in ‘the wrong hands’,” said Myles Stephenson, chief executive of Modulr. “In addition to the direct risks to your clients, it can irrevocably damage your business reputation.”

"Action planning is critical in the new world of GDPR compliance, where timeliness to do the right thing is key"

Gone phishing

However, some believe the greatest risk to payroll is phishing, which is the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.

In May 2016, Snapchat fell foul of one of these attacks and revealed some payroll information about their employees. Although its servers were not breached and users’ data was unaffected, a number of employees had their identity compromised.

One way round this, says Harrison, is to ensure companies are being as smart as possible when it comes to being safe online, whether it is using a password manager, two-factor authentication, or taking part in phishing training.

Although once companies begin phishing training, there can be high levels of failure - with up to half of employees failing initial tests, adds Harrison.

Executives discussed how regular testing should be accompanied by a culture of reporting incidents and encouraging transparency.

War stories of phishing experiences, from both a work and personal perspective, were shared. These included how HR and finance departments are often the most targeted and incidents where access to payroll systems had led to hackers making off with employee’s pay cheques.

Dave Mold, chief security officer of MHR, a specialist provider of software and outsourcing services for HR, payroll and business intelligence, said: “Not knowing where your next pay cheque is coming from is a reality check for virtually everyone.”

Yet the dangers of email, are not just limited to having your password stolen. Sensitive information can also be misdirected.

Moving away

Attendees’ thoughts turned to promoting the need to move away from back-end tasks manipulating data in Excel. Stephenson added: “We know from a piece of research we did with more than 90 payroll professionals that more than 40 percent of companies still rely on Excel to receive, submit and process payroll data. This means that files containing highly sensitive information are often being exported from one system, sent via email between colleagues and partners, and then imported into another system – specifically payment files into banking portals. This poses a real risk of interception and misuse.”

Mold agreed: “This [Excel] is something the sector needs to move away from as the world
turns to automation.”

Going forward, he said companies should gather everyone around a table and walk through a range of security scenarios, asking what needs to be done in the event of a cyber attack. “This table topic and action planning is critical in the new world of GDPR compliance, where timeliness to do the right thing is key.”