How Secure is Your Payroll?

1st October 2019


Payroll security doesn’t just protect your business. It protects your people, too. Every day, payroll professionals handle the personal data of every single person in your business. In order to run payroll, you need, on average, 14 pieces of data. This includes:

  • Employee name
  • Age
  • Pay scale
  • NI number
  • Bank details
  • Address

… and so on.

Getting hold of just one of these pieces of data can be the foothold a cybercriminal needs to defraud your employees.

This is why payroll security is a must. So, we must ask the question: how secure is your payroll?

Security & Risk in Payroll

Cyberattacks on payroll systems are happening all the time. In July 2019 (just 3 weeks ago at the time of writing), Arlington County Government announced that its payroll had been hit by a phishing attack.

Assessing payroll risk needs to be just one part of a business-wide assessment of security. HR and Payroll touch every aspect of the business and often have carte blanche to reach out to anyone in the business without raising suspicion.

This is why the payroll department is such a powerful entry point for cybercriminals. Not only do they have access to the business’s financial information, but they can also reach out to individuals for more subtle scams.

In large businesses, staff may not know who their HR personnel are. This leaves them vulnerable to disclosing personal information to someone they shouldn’t.

Payroll departments are also vulnerable to attacks from within. According to a Ponemon Institute report, 71% of staff have access to data they should not see. This makes them potential (or even unwitting) instigators of cybercrime.

How to secure your payroll

Encourage a security culture

The best way to secure your payroll is to instil a security culture in your business. The best way to do this is to invest in training and resources that educate people on cybersecurity risks.

Make it part of your culture to be suspicious of emails. Encourage people to challenge requests and make it okay to query issues. If an employee gets an angry email from the CEO demanding they send some money or disclose a password, they are more likely to comply than challenge it. Hackers know this.

That’s why they pretend to be managers and executive staff. They rely on staff compliance to get access to systems. If your people know that it’s okay even to challenge the boss, your business will be more secure.

Share your knowledge

After the impact of GDPR, you probably have security policies and procedures in place. But they have no effect at all if your staff don’t read them, internalise them and understand them.

And it’s clear that not enough businesses are sharing their cybersecurity policies and knowledge. 40% of senior managers in a BAE Systems survey said they lack understanding of their own company’s cybersecurity protocols.

In order for someone to really know something, they need to be told about 6 times. For larger organisations, 50-minute refresher training every 6 months is not enough to keep staff trained on cybersecurity.

However, training is very important. CEOs and other senior managers are especially in need of training. They are the people who are least likely to have taken training in the past and the most likely to be the targets of cybercrime.

Apply updates as soon as possible

According to Bullet Proof’s Annual Security Report 2019, 57% of breach victims are breached due to an unpatched vulnerability.

Yes, it’s a bit of a pain. But applications, operating systems, and tools get updates for a reason. New features and added support are great, but updates very often include patches for major security vulnerabilities too.

Running older versions of software can cause serious issues. If the software is no longer supported, attackers can keep finding vulnerabilities in it and no fixes will be released. This is why everyone had to update their Windows systems in January. Now that XP isn’t supported, any vulnerabilities will remain unpatched.

If you use payroll software, your updates should happen automatically. This saves you time and gives you peace of mind.

Enforce regular password changes

Here are the 10 most common passwords:

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou

They are all obvious. What’s worse is that most people use the same password across multiple devices, platforms and accounts.

Deploy a policy that not only requires your users to come up with strong passwords but also requires them to change those passwords regularly. Forcing regular updates means your staff will move away from the more common passwords sooner.
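A policy like this has to be enforced at the point where a password is set. The following is an added example, not code from the original post or from FMP, showing how a password-change handler can screen a candidate against the ten common passwords listed above (including obvious variants such as "sunshine2019!"), enforce a minimum length, and refuse reuse of previous passwords by comparing salted PBKDF2 hashes. The blocklist is constructed from the list on this page (a real deployment would load a much larger breached-password list), and the 12-character minimum is an assumption.

```python
import hashlib
import hmac
import os
import re

# Constructed blocklist: the ten passwords listed on the page, in lowercase.
# A production system would load a full breached-password list instead.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345",
    "111111", "1234567", "sunshine", "qwerty", "iloveyou",
}

MIN_LENGTH = 12          # assumed policy value
PBKDF2_ITERATIONS = 200_000


def normalise(password):
    """Lowercase and trim, so 'Password ' is treated like 'password'."""
    return password.strip().lower()


def base_form(password):
    """Strip trailing digits/punctuation so 'sunshine2019!' still matches 'sunshine'."""
    return re.sub(r"[\d\W_]+$", "", normalise(password))


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_stored(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate_digest = hash_password(password, salt)
    return hmac.compare_digest(candidate_digest, digest)


def check_password(candidate, history):
    """Return the list of reasons a candidate password is rejected.

    history is a list of (salt, digest) pairs for the user's previous
    passwords. An empty list means the candidate is acceptable.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if normalise(candidate) in COMMON_PASSWORDS or base_form(candidate) in COMMON_PASSWORDS:
        reasons.append("common password")
    if any(matches_stored(candidate, salt, digest) for salt, digest in history):
        reasons.append("reused")
    return reasons


if __name__ == "__main__":
    # Constructed history for one user: a single previous password.
    previous = [hash_password("Payroll-Spring-2019")]
    for pw in ["123456", "Sunshine2019!", "Payroll-Spring-2019", "correct-horse-battery"]:
        verdict = check_password(pw, previous)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The blocklist check runs on both the normalised password and its base form, so appending a year or an exclamation mark does not get a common password past the policy. Only salted hashes of previous passwords are stored, so the reuse check never needs the old passwords in clear.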

Secure your email

Phishing scams use email. Email is also an access point. And while it is secure for the most part, email is not secure on unsecured networks – like those in coffee shops and on trains.

When it comes to payroll, it’s time to encrypt email attachments. Better still, protect your data by keeping payroll data only inside dedicated applications and software, and by using encrypted file transfer and file sharing instead of email altogether.

Instead of emailing a payroll spreadsheet to a user, give them secure access to your software. This gives you tighter control over who has access to your data.

Trust your partners and suppliers

It’s more than likely you’ll outsource the management of your payroll. This can help your payroll security because your data is kept off your system.

Third-parties often have sophisticated security measures in order to stay competitive in a marketplace so obsessed with security. They specialise in security and protecting assets, so they have updated software, premium tools and systems.

But never assume this is the case. Do the research and get to know your partners before entering into an agreement.

Make sure they have the level of security you need. Make sure they have a proper team of professionals to support their products and services. Read testimonials and check in with other clients and customers to see if they’re satisfied.

Ultimately, you need to trust your providers. If you don’t, go and find a better one.

Payroll Security FAQ

Are timesheets confidential?

Documents that have someone’s name on them and have information about them must be protected under the Data Protection Act. This includes a worker’s contract of employment, their pay records and timesheets.

Why should HR Information be kept confidential?

Cybercriminals love targeting payroll departments because of the amount of sensitive data secured within. This is why all HR information should be kept confidential.

How can I keep my payslips secure?

Using dedicated payroll software, like Payrite and the MyFMP app, you can keep your payslips secure. They are hosted online, which means even if you lose your laptop or phone, your payslips stay secure.

Keep Your Payroll Secure With FMP

We are an award-winning, HMRC approved payroll provider. We are ISO accredited and are dedicated to providing secure and accurate payroll. Speak to us today to find out more.