The cyber threat against payroll is growing in sophistication and frequency, according to the latest FBI cybercrime report. Many of these attacks exploit fixable vulnerabilities in the payroll process to steal money or to gain access to important information such as bank accounts or personal identification.
With huge amounts of money changing hands at least once a month, payroll will always be an attractive target for cyber criminals. What makes payroll even more appealing is how far behind the field is in advanced technology. Most payroll today is handled manually, and much of the information used to calculate and deliver the money is often sent through channels that have their own vulnerabilities.
That combination creates a process with a string of holes that skilled criminals can slide through and get away with data, cause countless problems for innocent people. As the list of payroll security breaches continues to grow, companies should consider ways to mend the holes in their process.
1. Using email to transfer sensitive data
Email has been one of the greatest tools in the history of personal computing but it may be the very worst way to send important private data. What makes it so useful in everyday communication also makes it dangerous for privacy and security. We use it so much, in fact, we hardly notice when thieves are using it against us.
Business Email Compromise (BEC) is a common form of attack directed at payroll managers. Thieves send emails that appear to come from senior company officials with directions to transfer funds. The thieves then get away with the money.
At tax time, finance people and accountants are constantly exchanging sensitive information, usually through a back-and-forth by email. Thieves have learned to spoof email pages to appear like they are coming from legitimate sources. These often contain links to viruses.
The solution to this type of crime is simple – never use email to send any sensitive data. Ever. If email is never used, the phishing attempts will never work. Finding better, safer means of data transfer can make all the difference.
2. Relying on third party vendors with poor data protection
You might have high standards for data security and privacy, but you are only as secure as the weakest link in the payroll chain. If you outsource any part of your global payroll, you are relying on that company’s standard to be as high as yours, and unfortunately, that is not always the case.
Take, for example, the Tallahassee municipality, which sustained what might have been the worst payroll breach in 2019. Cybercriminals managed to steal have a million dollars in city payroll by hacking the third-party vendor that handled the payroll for the city.
In the case of Tallahassee, the vulnerability was apparently in the human resource management software used by the outsourced company. The hack succeeded in diverting the direct deposit checks sent to many employees.
The lesson is clear: make sure the companies you work with have the highest security standards. The people who lose out could be your own workforce.
3. Storing data in vulnerable places
Another major case of payroll data theft in 2019 took place offline, in the most mundane way possible. An employee at Facebook saved sensitive information on an external hard drive, which was then stolen out of the employee’s car. Although there was no money lost in the theft, the private information of thousands of employees was compromised, making them vulnerable to identity theft.
The situation underscores the fact that the biggest threat to data security is the human factor. The more companies do to automate their payroll process, the less chance people have to make mistakes. While automation saves time in payroll processing and lowers costs by removing much of the labor in the process, it also has a hidden benefit to security by limiting opportunities for human error.
Ideally, the automation software would also be a cloud-based SaaS system so that companies do not need to worry about security updates for the software itself. At the same time, companies do need to be certain that the software security standards are at the highest levels.
4. Giving too many people access to payroll data
In addition to automation, it is essential to limit access to sensitive data to reduce the human factor even more. There is no reason for anyone not directly involved in collecting or processing the data or making the payments to have permission to view the data or handle it in any way. The fewer people that have access to the data, the less chance their will be for an accidental breach.
Make sure your company has strict rules for data access across the entire gamut of proprietary information. Marketing and sales people, for example, do not need access to payroll data, just as finance people do not need access to important IT information.
Rules on their own, however, are not sufficient. Make sure that whatever computer system your company uses includes apps that provide – and limit – access to data. Preventing a breach could be as simple as ensuring that the smallest number of people have any change of unlocking the data.
5. Failing to keep computer software updated
The interplay between cybercriminals and the people trying to stop them can often be described as a cat-and-mouse game. The hackers are trying to get into areas they are not allowed to go and the security people try to keep them out. When a breach occurs, it can often be through a new vulnerability no one knew about. At that point, security experts find a way to seal the hole and pass a patch to all the vulnerable computers through an update.
Unfortunately, the payroll department is often a bare-bones operation that does not have a dedicated IT team to ensure that the patch is installed as quickly as possible. As a result, a payroll department could be slow to close a hole that the hacker community has discovered. That leaves the payroll susceptible to hacks that could be avoided.
That’s why it essential that companies have a policy of installing updates as soon as they appear. It could be the one thing that saves a payroll from an attack in an otherwise safe and sound payroll process.