The Secure Payroll Priority: Problems, Processes and Potential Partners

Payroll is a tempting target for malicious actors, as the combination of high-value data sets and historically slow IT implementation can make their attacks both lucrative and largely risk-free.

With a new decade underway and new threats emerging, implementing secure payroll policies is priority No. 1. But for organisations looking to balance cost, control and compliance, does it make the most sense to outsource or to stay in-house?

Potential Payroll Problems

Payroll faces a dual detriment: manual processes paired with must-have accessibility. While the goal is error elimination, increasing compensation complexity introduces the real risk of additional mistakes, such as data entry mismatches or secure information being sent over encrypted channels. The increasing need for on-demand accessibility, meanwhile, creates a compliance conundrum, as more than 70% of staff surveyed by the Ponemon Institute said they had access to secure data they didn't need.

The result is a more profitable landscape for payroll profiteers. Some of the most pressing problems include:

• Internal issues — Malicious or accidental insider threats can compromise payroll processes. If employees knowingly alter time sheets or HR personnel accidentally enter the wrong pay rates, organisations could lose thousands.
• Spear phishing — While link-laden phishing attacks remain a secure payroll problem, there is a new version of this classic compromise: emails designed to instill confidence through conversation and convince users to change banking details or redirect payments.
• Ransomware — File-encrypting ransomware attacks are becoming more common as hackers recognise the willingness of business to pay up rather than risk losing payroll data.
• Non-existent employees — Attacks are also leveraging network access to create "ghost" employees who receive regular paychecks. Because they appear legitimate, these ghosts may not activate IT security processes.

Priority Processes 

Senior Director of Cyber Security Marketing at ADP points to three key areas of focus where businesses can improve payroll security:

• Training — organisations first define what they expect from staff in the form of policies and procedures, and then train people appropriately. She puts it simply: "Investing in the people is the No. 1 thing" for businesses, and it's relatively inexpensive.
• Back to basics — Are computers patched? Are firewalls in place? Do you have access controls? It's about "focusing on basic hygiene activities that will help protect your business on a day-to-day basis."
• Resilience planning — "If something goes wrong, what do I do? Who do I call? Where is my data stored?" Having a resilience plan in place helps reduce the impact of potential payroll incidents.

Protective Best Practices

With payroll threats on the rise, what can businesses do to limit the potential impact? Here, three processes take priority:

• Automation — Introducing automation can help streamline labor-intensive and error-prone tasks including data entry, in turn providing payroll teams more time to identify potential payment outliers.
• Authentication — Advanced user verification techniques like two-factor authentication and single sign-on can reduce user friction when users log in to payroll systems and can also reduce total risk simultaneously.
• Adaptation — Security threats are constantly evolving. As a result, organisations need payroll systems capable of keeping pace. This means both regular software updates and regular network assessments are needed to ensure payroll processes are meeting performance and protection expectations.

Secure Payroll: Outsourced vs. In-House

All of this prompts a critical question: Is it better to outsource these processes or to keep payment procedures in-house?

Control remains the most popular reason to keep payroll processes on-site — without the additional layer of a third-party provider, there's theoretically less risk to protected payment data. But this can add a significant burden for business leaders.

"You're responsible 100% of the time for securing the data that you're taking from your employees for processing your payroll," she says. "You're also responsible for the money itself and how it's transferred; how are you getting that money from your bank account to your employees? How are you submitting the taxes for that?"

Put simply, there's a case for in-house payroll if organisations have small staff numbers and streamlined payments processes. Once you introduce elements of large-scale data collection and online access, however, the risks of emerging payroll threats typically outpace the benefits of keeping processes on premises.

Payroll attacks are evolving. To stay safe, enterprises must recognise potential threat vectors, prioritize key processes, implement best practices, and identify the best-fit secure payroll solution for their business.