No more unto the (cyber) breach
The recruitment sector must take the potential for attacks on payroll data seriously and prepare for when their system is attacked, not if...
The security breach on the Ministry of Defence’s (MoD) payroll earlier this year is a wake-up call for all umbrellas or similar companies operating payroll for contractors and freelancers, as well as agencies paying their own people.
Cyber criminals were able to break through cybersecurity defences at the Ministry and target private information about armed service personnel. Defence secretary Grant Shapps said in a statement that the system was operated by a contractor (completely separate to MoD’s core network), adding: “There is evidence of potential failings by them, which may have made it easier for the malign actor to gain entry.”
Shapps reported that the payroll system was immediately taken offline and secured against further similar threats and a full investigation was launched, drawing on Cabinet Office support and specialist external expertise to examine potential failings by the contractor and to minimise the risk of similar incidents in the future.
Initial investigations found no evidence that any data has been removed but, as a precaution, Shapps said those service personnel affected were alerted.
Following the breach, the Global Payroll Association (GPA) published findings that revealed the extent to which cybercriminals are using payroll software as a means of breaking through companies’ cybersecurity and how businesses of all sizes can stop hackers penetrating their systems.
Melanie Pizzey, CEO and founder of the GPA, agrees the attack is a wake-up call for all industries, including umbrellas and recruiters who handle payroll. “These bad actors or criminal organisations are now aware of the important data that payroll holds, making us a key target. Attacks have become so sophisticated that the issue is not that the software is a weak spot but that the value of the data has increased the frequency and intensity of attacks,” she says. “This makes constant reviews of software essential and payroll staff need to be trained to spot potential scam emails or ways that these actors are trying to gain access to the data.”
Julie Lally, MD of payroll at payroll software company Ciphr, agrees that the attack is evidence that cybercriminals are getting smarter. “Cyber-attacks used to be seen as a ‘might happen’ incident. Now they are seen as a ‘when it happens’ incident. Many organisations have stepped up to counter these threats, but sadly, not all,” she says.
“At Ciphr, every decision we make when developing the payroll solution has to go through security rigour as a standard. Testing, and penetration testing [pen testing], are essential processes that we go through continuously. The responsibility sits with everyone involved in developing the solution, from product design through to testing.”
Even though this is a pressing issue, the GPA observes that not all businesses will be as on top of their digital security as others and strongly encourages organisations of all sizes to evaluate their security measures to ensure they have the best possible protection. “This includes taking a very close look at your payroll service provider because, as we have seen, hackers have identified this as a potential weak spot to exploit to devastating effect for businesses and their employees,” says Pizzey. “Payroll providers are caring for important and often sensitive data about your employees, so you should take real care in choosing a provider that can give that data the protection it deserves.”
It is vital that the in-house team operating payroll and the IT department and any external parties involved in payroll work closely together and, crucially, share responsibility for cybersecurity for the payroll system. “While the IT department is typically responsible for implementing and maintaining the technical infrastructure and security measures, the payroll department has a crucial role in safeguarding sensitive employee data and ensuring compliance with the GDPR,” emphasises Lally.
“The payroll department should communicate its specific security requirements and concerns to the IT department, which can then tailor technical solutions to meet those needs. Ultimately, ensuring the security of the payroll system is a shared responsibility that requires coordination and co-operation between the two departments.”
She recommends that responsibilities should typically break down as follows:
The payroll department
- Be vigilant about protecting sensitive employee information, such as personally identifiable data, National Insurance numbers, bank account details and salary information
- Follow internal policies and procedures related to data access, storage and handling
- Regularly review and audit payroll processes to identify and address potential security vulnerabilities
- Train payroll staff on security best practices and protocols to prevent data breaches.
The IT department
- Responsible for implementing robust security measures to protect the payroll system from external threats such as hacking, malware and unauthorised access
- Regularly update software and systems to patch security vulnerabilities
- Monitor network traffic and system logs for signs of suspicious activity
- Implement access controls and encryption to safeguard sensitive data
- Provide technical support and assistance to the payroll department in maintaining system security.
Steve McDermott, business development manager at New Red Planet, which provides PAYE and umbrella payroll solutions and is accredited by the Freelancer & Contractor Services Association (FCSA), agrees that cybersecurity should always be at the forefront of a company’s planning, processes and policies but recognises there is nothing like a major cyberattack to make companies immediately re-evaluate the effectiveness of their existing controls.
“As with all companies dealing with large amounts of data, New Red Planet takes cybersecurity very seriously,” he says. “As an FCSA-accredited member, we have the benefit of receiving advice from partners in the world of cybersecurity. While no protection can ever be guaranteed as 100% effective, there are certain measures that are particularly recommended. Multi-layered defence systems will almost always give better protections, including: multi-factor authentication (MFA); strong and unique passwords; and controlled permissions.”
He adds: “In the recruitment sector, large amounts of data are needed on a weekly basis. In the event of a breach, is that data readily accessible in the form of a back-up? If so, is the back-up separate from main systems, complete and in a readily accessible location?”
There is certainly a greater awareness of the need for intensified cybersecurity, but Pizzey believes more money must be invested because the valuable data payroll holds has to be protected at all costs.
“Like every organisation or sector, the recruitment industry needs to be prepared for when their system is attacked, not if,” she said. “Consider whether you have communications prepared and the steps you will take to manage the fallout once an attack happens.”
If the worst happens
The GPA recommends the following steps if a company or its payroll provider falls victim to a payroll breach.
- Gather as much information about the breach as possible: what happened, how did it happen and what was stolen?
- Assess the impact: consider how the breach impacts the business and its employees.
- Respond: every business must have a planned and well-defined response should a breach occur. This includes communicating with people from HR, IT, legal and finance, ensuring that all departments are aligned.
- Communicate: honest and open communication is a must in the aftermath of a breach. Employees must be informed of what’s happening and given a clear point of contact should they have any questions or concerns.
- Roll out back-up payroll systems: if the primary payroll system is breached, a back-up needs to be implemented as soon as possible to ensure employees continue to be paid properly and on time. It might be necessary to bring the process in-house while the external provider is down.
- Legal and compliance: the business must work to understand its legal standing and obligations in the event of a data breach, including whether the situation needs to be formally reported and to whom.
- Re-evaluate payroll service provider: once the breach has been resolved, it’s important to question whether a new payroll provider should be appointed. Is the current provider still vulnerable, or have they worked to properly improve their security? If there are any doubts whatsoever, look for another, more reliable provider.