With data breaches becoming increasingly common, payroll security should be among the top priorities for organizations of any size, next to making sure employees get paid on time. Businesses have a responsibility towards their staff to keep sensitive data safe. Plus, with data protection regulations becoming more and more demanding and fines getting steeper and steeper, organizations risk major penalties if they don’t protect their payroll data.
But what security measures are appropriate when processing payroll? And how can you prevent loss of data and payroll information?
Processing payroll means handling vast amounts of employee data, from names to social security numbers to salary information. Since payroll data is highly sensitive, businesses have an obligation towards their employees to protect their data.
There are two main reasons why keeping employee data safe is a top priority for organizations:
Legal obligation under data protection regulations such as GDPR
Increasing risk of data breach through cyber attacks
GDPR is the world’s largest and strictest set of data protection rules and concerns any organization conducting business in the EU or handling personal data from clients, employees or any other person residing there. Businesses failing to comply with the rules imposed by GDPR risk steep fines.
But the increased importance of payroll security isn’t just due to the obligation to comply with data protection laws. Instead, the need to strengthen the security of payroll information is mainly related to the fact that cyber attacks resulting in data breach are becoming increasingly common in the digital age.
In the UK, for instance, 1,243 security incidents were reported in 2021 (up from 1,120 in 2020), which involved over 5.1 billion breached records. In the U.S., meanwhile, the number of data breaches increased by 68% from 2020 to 2021, according to the Identity Theft Research Center (ITRC).
While these are general statistics, it doesn’t take much to find cases of payroll-related data breaches that have hit the news. The most prominent example is probably the ransomware attack on U.S. payroll and workforce management giant Kronos in December 2021, which took down payroll systems, compromised payroll data for thousands of employees and exposed Kronos customers to secondary data breaches even months after the initial incidents.
As stated in an article published on the tech and security news platform HackRead, “[p]ayroll is one of the most appealing targets for cybercriminals, involving as it does the large transfer of money between institutions whilst being susceptible to hacking due to outdated technology and manual practices”. Businesses therefore have no choice but to tighten their payroll system security.
There are three different types of risks organizations open themselves up to if they fail to ensure payroll security, namely:
Fines and penalties for non-compliance with data protection and security regulations like GDPR
External data breaches
Internal payroll fraud
GDPR fines vary depending on the seriousness of the infringement, with serious infringements being subject to fines equal to up to 4% of the company’s worldwide revenue or 20 million euros - whichever is higher. The record for the steepest GDPR fine was set in a lawsuit against Amazon. In July 2021, the tech giant was issued a 746 million-euro penalty.
Data breaches resulting from cyberattacks can also entail high costs for businesses. According to the 2022 Cost of a Data Breach Report by IBM and the Ponemon Institute, the average cost of a data breach in 2022 is $4.35 million.
While the costs for data breaches by external attackers may be high enough to ruin businesses, one shouldn’t forget that the greatest risk to payroll security often comes from within the organization. Internal payroll security breaches may not always be intentional, but when they are (e.g. timesheet fraud or pay rate alterations), they can also result in significant financial losses for the business.
For instance, UK supermarket chain Morrisons found itself confronted with compensation claims of over 5,000 employees after a disgruntled employee had leaked confidential payroll and salary information. In a second hearing, the supermarket chain was found not to be responsible for the incident; otherwise, the financial consequences would have been tremendous.
Given the financial repercussions payroll-related data breaches can have on businesses, it’s in every organization’s interests to strengthen security measures and take the necessary precautions. The following tips can help businesses improve their payroll security.
Payroll software typically comes with various security features; however, without regular updates, systems quickly become outdated, which exposes organizations to new security threats and cyberattacks. To keep payroll data safe, regular checks for updates are crucial.
The same applies to businesses that opt for payroll outsourcing. The ideal solution is a cloud-based payroll solution like Lano, which is always up to date with the latest security upgrades, rather than software you have to self-host, install and update manually.
There are several technical and operational measures which are recommended to ensure payroll data security and GDPR compliance. In addition to basic security measures like firewalls and strong password protection, organizations that want to take their payroll software security to the next level should look into:
ISO 27001 certification: international ISMS (information security management system) standard for an organization’s IT risk management
Cloud infrastructure: more secure than exchanging data via email and storing it on local hard drives
Data encryption: payroll data and any payroll-related documents should be encrypted so that they are unreadable should they be stolen from servers by third parties
Investing tons of money in the security of payroll systems and servers will be worthless if employees aren’t aware of the risks and dangers. Human error remains a major risk to payroll security; therefore, providing proper training for employees on how to use the payroll software and systems in a secure way is vital. If they are familiar with the system’s safety features, unintentional security breaches are less likely.
Preventing employees from being the victims of phishing emails and other scams and disclosing confidential payroll information in the process is equally important. To achieve this, payroll security should be included in the internal cyber security protocols.
Ensuring payroll data and systems are secure isn’t just about taking protective measures against external risks. Very often, the real risks come from within the organization, i.e. from employees seeking to harm the business by leaking sensitive data.
The fewer people have access to the payroll system and its data, the lower the risk of internal data breaches and manipulation. Only a very small number of people in the organization should be able to access the payroll system, and access should be limited to key stakeholders and the members of the payroll department.
In addition to limiting access to payroll systems and data, internal security risks can be mitigated by a thorough onboarding and offboarding process. New employees should be screened thoroughly to see if they’re trustworthy before being granted access to systems and processes. Similarly, logins and credentials from leavers should be recovered on their last day of work and changed immediately to prevent any unauthorized access.
Payroll systems should record who accesses which data at what time and why. These access logs should be monitored on a regular basis to see if there is any suspicious login and access activity. If anything appears off (e.g. unauthorized access), measures should be taken to investigate the incident and payroll security should be tightened to prevent unauthorized access in the future.
To add an additional security layer, payroll duties should be separated so that there isn’t a single person who is in charge of the whole payroll process. Instead, everyone’s work should be reviewed and checked by someone else following an internal control and prevention mechanism. If employees know their actions don’t go unnoticed, they’re less likely to try and manipulate timesheets or pay rates.
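As an added illustration of the access-logging and separation-of-duties controls described above (example code written for this article, not Lano’s software), the following Python reviews a constructed payroll audit log for the kinds of activity the text warns about: access by someone outside the payroll team, activity after a leaver’s last working day, after-hours use, and a pay-rate change with no independent approver. The log format, user names, authorized set and working hours are assumptions.

```python
from datetime import date, datetime, time

# Constructed sample audit log (not from any real payroll system).
# Assumed format: ISO timestamp | user | action | record | approver ("-" if none)
SAMPLE_LOG = """\
2024-03-04T09:12:00 | alice | VIEW        | emp-1042 | -
2024-03-04T09:15:30 | alice | PAYRATE_SET | emp-1042 | bob
2024-03-04T22:41:05 | carol | EXPORT      | all      | -
2024-03-05T10:02:11 | bob   | PAYRATE_SET | emp-0007 | bob
2024-03-06T08:30:00 | dave  | VIEW        | emp-0099 | -
"""

AUTHORIZED = {"alice", "bob", "carol"}       # payroll team and key stakeholders (assumed)
OFFBOARDED = {"carol": date(2024, 3, 3)}     # leaver -> last working day (constructed)
WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed normal working hours


def parse_line(line):
    """Split one audit-log line into (timestamp, user, action, record, approver)."""
    ts, user, action, record, approver = [f.strip() for f in line.split("|")]
    return datetime.fromisoformat(ts), user, action, record, approver


def review_access_log(log_text):
    """Return a list of (timestamp, user, finding) tuples for suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        ts, user, action, record, approver = parse_line(line)
        if user not in AUTHORIZED:
            # Anyone outside the authorized set should never appear in the log.
            findings.append((ts, user, f"unauthorized access to {record}"))
            continue
        if user in OFFBOARDED and ts.date() > OFFBOARDED[user]:
            # Credentials should have been revoked on the leaver's last day.
            findings.append((ts, user, "activity after last working day"))
        if not WORK_START <= ts.time() <= WORK_END:
            findings.append((ts, user, f"{action} outside working hours"))
        if action == "PAYRATE_SET" and approver in ("-", user):
            # Four-eyes rule: a pay-rate change needs a different approver.
            findings.append((ts, user, f"pay-rate change on {record} without independent approval"))
    return findings


if __name__ == "__main__":
    for ts, user, finding in review_access_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {finding}")
```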
External requests to access payroll information don’t happen every day, but they still happen. Every time such a request is made, it exposes the business to potential data breaches. To limit risks, organizations should establish clear access request protocols that detail how to handle such requests. For instance, it could be mandatory that all payroll-related information requests must be made in writing.
Payroll-related data should only be kept for as long as legally required. Less data and fewer documents mean less risk of a payroll security breach. As soon as the mandatory retention period is over, any documents and data that are no longer needed should be disposed of in a way that makes it impossible to restore them.
Data security isn’t just about keeping data safe where it is stored on the company cloud; it also covers data handling and data exchanges between integrated systems. Especially for organizations with global payroll processes that involve multiple payroll service providers, mapping out the different processes and data access points is crucial for identifying potential payroll security gaps. Questions to ask during the risk assessment process include:
How is data transferred between systems?
Are all environments and systems where data is stored secure?
Is it possible to track data access across the whole system?
Not even the strongest payroll software security measures can guarantee that there won't be a data breach at some point. In case of a payroll security issue, it’s crucial to act quickly and decisively. Instead of hoping that there will never be a data breach incident, it’s better to prepare for the worst and put a clear response strategy in place so that everyone knows what to do.
Taking appropriate measures to make payroll systems and processes secure requires a lot of time; therefore, businesses often find it more convenient to outsource payroll. Outsourcing payroll to an external service provider takes the security burden off organizations and allows them to focus on their core business, safe in the knowledge that their payroll data is in good hands. All it takes is to make sure to choose the right payroll service provider who has strong security measures in place and takes payroll security seriously.
The Lano Academy is for informational purposes only and should not be construed as legal advice. Lano Software GmbH disclaims any liability for any actions you take or refrain from taking based on the content contained in this article.
© Lano Software GmbH 2024