Is your payroll passable?
With October being National Cyber Security Awareness Month, companies need to think about how employees’ personal information could be used to carry out identity theft. They should also consider how the organisation’s accounts might be hacked and emptied, says Sandra Crous, managing director of PaySpace, a leader in payroll and HR software.
“Either way, incidents of this nature could quickly become public relations nightmares,” Crous says. Payroll in every organisation holds the most sensitive information, and making sure it does not fall into the wrong hands is critical. “Cyber-attacks are growing, both in terms of frequency and sophistication. One major contributing factor is the move to remote workforces ushered in by Covid-19.”
Cyber criminals are cunning and known to attack when experts are on leave and the business is vulnerable, such as over long weekends or public holidays. “There is always a rise in attack attempts during these times, and organisations need to be aware of this, particularly smaller businesses that do not have the resources for dedicated security teams and the latest technologies. Many companies don’t employ two-factor authentication and rely on passwords alone. Alarmingly, many do not even use passwords,” says Crous.
Moreover, she adds, remote work also facilitates successful phishing attacks, not necessarily through work email alone, but through personal accounts accessed via work laptops. “People tend to feel more comfortable at home and let their guard down to a certain extent. In addition, they often use multiple personal devices, such as mobile phones, laptops and tablets to access the company network and applications. Without two-factor authentication, compromising these devices becomes child’s play for attackers.”
Organisations need to counter these threats by cyber-proofing all the apps they use, particularly when it comes to payroll.
This is why it is critical for businesses to periodically review and reassess their payroll providers. “Make sure the provider has all the top security certifications, such as ISO 27001 and compliance with the NIST framework. While many companies use hosted applications, this is no guarantee that the provider has passed a formal security certification or sticks to best practices. If a provider does not have these certifications, look elsewhere.”
According to Crous, although many businesses relook their providers at the start of a new tax year, when it comes to cyber security, there’s no time like the present. “The best time to improve your security was a year ago; the second-best time is now. Don’t fall into the trap of waiting for the new tax year to review your payroll provider and security. Ransomware attacks happen every day.”
So, what should companies look for when choosing a new payroll and HR provider? “Firstly, ensure your provider suits your business. If you have a cloud-first strategy, never compromise on hosted solutions, and ensure you have a long-term view. Secondly, make sure the solution is scalable in both directions, as this will enable the flexibility needed to adapt to changing business needs.”
Then ensure your provider’s technology stack has a long-term “shelf life”. “Although legacy solutions might have a mature product, they will never offer the benefits of cloud solutions, because legacy technology simply does not allow for it. Also, look for an agile implementation approach, and one with tools that can clean up your data to maximise the full benefits.”
Employee and manager self-service should be non-negotiable, enabling staff members to be more efficient and managers to have the ability to simplify and streamline what would normally be mundane and repetitive tasks.
Moreover, after-care support should be available from the service provider, bearing in mind the required legislative, payroll and HR experience. “Look out for costing models that are truly consumption-based, not feature-based.”
Crous advises businesses to carry out a thorough investigation of multiple service providers before choosing one. “Consult reference sites to ensure the size and complexity of your business can be adequately catered for. Ease-of-use and maintenance should never be underestimated. Don’t invest in software with expensive maintenance costs where changes and updates depend on the service provider. Make sure the roll-out and success of the product are in your hands.”