Cyber Security and Payroll

The Cyber Incident suffered by Optus and Medibank has resulted in some of the biggest leaks of personal data specifically affecting Australians.

It is not the first incident of this kind that we have seen, but what should Payroll be thinking about when these things happen?

In addition to ensuring that your teams have regular training around cyber security, these are a few things that we feel should be front of mind for Payroll professionals.

1. Make sure that you have robust controls in place.

  • How do Employees change their personal information?

  • Do they use an ESS with MFA?

  • Do you still accept email or even paper forms for changes to things like phone numbers, email addresses and even bank accounts?

While most payroll teams have been tightening controls on changing bank account details after a huge increase in the rate of spam and phishing emails, there are often fewer controls and checks around other personal information changes.

MFA-enabled self-service helps to protect employee data, but what if an employee's mobile phone number is hacked? Do you have similar controls for people wanting to update the mobile number or email address that is used for their MFA validation?

If you haven’t reviewed your protective data controls recently, now would be a very good time to think about what you can do to help protect your employees from falling victim to such scams, especially in the wake of the recent breaches.
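To make the control questions above concrete, here is an added illustration (not code from Payroll Edge Consulting or from any payroll product) of how a self-service change workflow can treat bank account and MFA contact changes differently from ordinary profile edits. The policy it encodes is an assumption for the example: sensitive fields are accepted only through an MFA-verified ESS session, a new mobile number or email is applied only after the employee confirms from the old contact channel, new bank details sit in a hold period before payroll uses them, and a review check flags the same new bank account being requested by more than one employee. Field names, the two-day hold and the sample requests are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Fields that are common fraud targets; names are assumed, not from any real HRIS.
SENSITIVE_FIELDS = {"bank_account", "mobile", "email"}
# Contact fields that also receive MFA codes: changing them can undermine MFA.
MFA_CONTACT_FIELDS = {"mobile", "email"}
# Assumed policy: new bank details take effect only after this hold period.
BANK_HOLD_PERIOD = timedelta(days=2)


@dataclass
class ChangeRequest:
    employee_id: str
    field: str
    old_value: str
    new_value: str
    channel: str                  # "ess", "email" or "paper"
    mfa_verified: bool            # the session completed MFA before the request
    submitted_at: datetime
    confirmed_via_old_contact: bool = False  # employee acknowledged via the OLD channel


@dataclass
class Decision:
    outcome: str                  # "applied", "pending" or "rejected"
    reasons: List[str] = field(default_factory=list)
    effective_at: Optional[datetime] = None


def evaluate_change(req: ChangeRequest, now: datetime) -> Decision:
    """Apply the assumed policy to a single change request."""
    if req.field not in SENSITIVE_FIELDS:
        return Decision("applied", ["non-sensitive field"], now)
    # Sensitive changes are only accepted through the authenticated ESS channel;
    # an email or paper form cannot be tied to the employee with confidence.
    if req.channel != "ess":
        return Decision("rejected", [f"'{req.field}' cannot be changed via {req.channel}"])
    if not req.mfa_verified:
        return Decision("rejected", ["session did not complete MFA"])
    # A new MFA contact is applied only once the employee confirms from the old one,
    # so a hijacked session cannot silently redirect future MFA codes.
    if req.field in MFA_CONTACT_FIELDS and not req.confirmed_via_old_contact:
        return Decision("pending", [f"confirmation sent to previous {req.field}"])
    if req.field == "bank_account":
        effective = req.submitted_at + BANK_HOLD_PERIOD
        if now < effective:
            return Decision("pending", ["bank account change in hold period"], effective)
        return Decision("applied", ["hold period elapsed"], effective)
    return Decision("applied", ["confirmed via previous contact"], now)


def shared_new_bank_accounts(requests: List[ChangeRequest]) -> dict:
    """Review check over ALL attempts (accepted or not): one new bank account
    requested by several employees is worth a human look before pay day."""
    seen = {}
    for r in requests:
        if r.field == "bank_account":
            seen.setdefault(r.new_value, set()).add(r.employee_id)
    return {acct: sorted(ids) for acct, ids in seen.items() if len(ids) > 1}


# Constructed sample requests (not real employees or account numbers).
T0 = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_REQUESTS = [
    ChangeRequest("E100", "mobile", "+61400000001", "+61400000099", "ess", True, T0),
    ChangeRequest("E101", "bank_account", "111-111", "999-999", "email", False, T0),
    ChangeRequest("E102", "bank_account", "222-222", "999-999", "ess", True, T0),
    ChangeRequest("E103", "bank_account", "333-333", "999-999", "ess", True, T0),
    ChangeRequest("E104", "postal_address", "1 Old St", "2 New St", "ess", True, T0),
]


def run_sample(now: datetime) -> dict:
    """Evaluate every sample request at time `now`; returns employee_id -> outcome."""
    return {r.employee_id: evaluate_change(r, now).outcome for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for emp, outcome in run_sample(T0 + timedelta(hours=1)).items():
        print(emp, outcome)
    print("shared new bank accounts:", shared_new_bank_accounts(SAMPLE_REQUESTS))
```

Run at the time of submission, the mobile change and the two ESS bank changes are pending, the emailed bank change is rejected outright, and the postal address goes straight through; once the hold period elapses the bank changes apply. The shared-account check reports the rejected email request as well, because a rejected attempt is still a signal the payroll team should see.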

2. Think about the personal data you hold for your employees, and how that is protected.

As mentioned, this is not the first data breach. It has been less than 12 months since a cyber attack on Frontier Software released personal and payroll information for a large number of individuals, in particular government employees in South Australia.

In addition to only storing the information you need to hold for your employees, you should have strong controls and security for all your systems, including test (or non-live) instances of your software.

With so many companies moving to hosted (i.e. cloud-based) solutions, you should work very closely with your IT specialists to make sure all points of access are properly protected.

Also consider where you may store reports and downloads, and make sure that they are kept secure. Many solutions download reports and files to the local ‘downloads’ folder by default. With the increase in remote work (or work from home) and the more common BYOD (bring your own device) scenarios, you should ensure that there is sufficient security on every device that accesses your cloud HR or Payroll solution, and consider whether this default can be changed to provide more security for the data and documents being accessed.

3. Data Retention Strategy

Did you know that under the GDPR, European citizens have a global right to be forgotten? If you received such a request, would you be able to delete all of the personal data you hold for that person that you would be required to delete?

We know that there are a number of documents that need to be provided for payroll and HR purposes when someone starts with an organisation and throughout their employment, but do you know the rules that apply to retaining that information and the documents that they are held on?

If you store your documents within your HRIS or Payroll Solution, is a document retention policy built into the solution to assist you with managing them correctly?

Data protection is not a small task. Processes and approaches that have worked for us in the past may no longer be fit for purpose, and we need to be prepared to change.

Payroll don’t just push the buttons anymore (did they ever?), and this is just another ‘hat’ that we have to wear in a modern payroll environment. So before you file this information away in the too-hard basket, or the I-don’t-have-time filing cabinet, reach out to your organisation’s specialists to ask for some support and guidance. Or you can reach out to us, and we can help develop a strategy to get you the support you need to protect your employee data.

Gemma McDonnell-Mossop
Director | Independent Payroll Consultant


Payroll Edge Consulting are all about helping businesses do payroll better.

If you think your business needs help understanding your potential cyber risk in payroll then contact us at info@payrolledge.com.au to book a free initial consultation to see how we could help your business.

Because… that’s how we payroll…

If you would like to read more about payroll in Australia, then keep an eye out for more by following us on LinkedIn.