As payroll attacks evolve, organizations should examine their security processes and consider the benefits of outsourcing.
Payroll is a tempting target for malicious actors, as the combination of high-value data sets and historically slow IT implementation can make their attacks both lucrative and largely risk-free.
With a new decade underway and new threats emerging, implementing secure payroll policies is priority No. 1. But for organizations looking to balance cost, control and compliance, does it make the most sense to outsource or to stay in-house?
Potential Payroll Problems
Payroll faces a dual detriment: manual processes paired with must-have accessibility. While the goal is error elimination, increasing compensation complexity introduces the real risk of additional mistakes, such as data entry mismatches or secure information being sent over unencrypted channels. The increasing need for on-demand accessibility, meanwhile, creates a compliance conundrum, as more than 70% of staff surveyed by the Ponemon Institute said they had access to secure data they didn't need.
The result is a more profitable landscape for payroll profiteers. Some of the most pressing problems include:
- Internal issues — Malicious or accidental insider threats can compromise payroll processes. If employees knowingly alter time sheets or HR personnel accidentally enter the wrong pay rates, organizations could lose thousands.
- Spear phishing — While link-laden phishing attacks remain a secure payroll problem, there is a new version of this classic compromise: emails designed to instill confidence through conversation and convince users to change banking details or redirect payments.
- Ransomware — File-encrypting ransomware attacks are becoming more common as hackers recognize the willingness of businesses to pay up rather than risk losing payroll data.
- Nonexistent employees — Attacks are also leveraging network access to create "ghost" employees who receive regular paychecks. Because they appear legitimate, these ghosts may not activate IT security processes.
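The ghost-employee and redirected-payment risks listed above can be caught by reconciling each pay run against HR records before money moves. The following is an added example, not part of the original article or of any ADP product; the record layout, field names, sample data and seven-day change window are all assumptions.

```python
from datetime import date

# Constructed sample data (assumed layout, not from the article).
HR_MASTER = {
    "E100": {"name": "A. Rivera", "terminated": None},
    "E101": {"name": "B. Chen", "terminated": date(2024, 1, 31)},
    "E102": {"name": "C. Okafor", "terminated": None},
}
PAY_RUN = [  # (employee_id, bank_account, net_pay)
    ("E100", "ACCT-1111", 3200.00),
    ("E101", "ACCT-2222", 2900.00),  # terminated before the pay date
    ("E102", "ACCT-3333", 3100.00),
    ("E900", "ACCT-3333", 3000.00),  # no HR record, shares an account
]
# employee_id -> date the bank details were last changed
BANK_CHANGES = {"E100": date(2024, 2, 26)}


def audit_pay_run(pay_run, hr_master, bank_changes, pay_date, change_window_days=7):
    """Return sorted (employee_id, reason) findings that need manual review."""
    findings = set()
    accounts = {}
    for emp_id, account, _net in pay_run:
        accounts.setdefault(account, set()).add(emp_id)
        record = hr_master.get(emp_id)
        if record is None:
            # Paid but unknown to HR: the "ghost employee" pattern.
            findings.add((emp_id, "no_hr_record"))
        elif record["terminated"] and record["terminated"] < pay_date:
            findings.add((emp_id, "paid_after_termination"))
        changed = bank_changes.get(emp_id)
        if changed and 0 <= (pay_date - changed).days <= change_window_days:
            # Bank details changed just before payday: confirm out of band.
            findings.add((emp_id, "recent_bank_change"))
    for emp_ids in accounts.values():
        if len(emp_ids) > 1:
            # Several payees on one account can indicate a ghost or a redirect.
            findings.update((e, "shared_bank_account") for e in emp_ids)
    return sorted(findings)


if __name__ == "__main__":
    for emp_id, reason in audit_pay_run(PAY_RUN, HR_MASTER, BANK_CHANGES, date(2024, 3, 1)):
        print(emp_id, reason)
```

Each finding is a prompt for a human check, such as calling the employee on a known number, rather than proof of fraud.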
Priority Processes for Small Businesses
Payroll data is valuable to malicious actors. Enterprises are under threat — but as ADP's Senior Director of Cyber Security Marketing, Kim Albarella, notes, small businesses are also in the crosshairs.
"The majority of cyberattacks are now launched at small businesses — but we don't hear about it in the media," she says.
According to Small Business Trends, 82% of SMBs say they still review their payroll processes manually, which makes these organizations far more susceptible to attacks on their payroll data.
"Most small businesses don't even have an IT department, let alone a security department," she says. "Some may have 'Joe,' who does IT on the side and at lunch, or a company that sets up their computers and connects them to the Internet."
Albarella points to three key areas of focus where businesses of any size (particularly SMBs) can improve payroll security:
- Training — Albarella recommends that organizations first define what they expect from staff in the form of policies and procedures, and then train people appropriately. She puts it simply: "Investing in the people is the No. 1 thing" for businesses, and it's relatively inexpensive.
- Back to basics — Are computers patched? Are firewalls in place? Do you have access controls? For Albarella, it's about "focusing on basic hygiene activities that will help protect your business on a day-to-day basis."
- Resilience planning — "If something goes wrong, what do I do? Who do I call? Where is my data stored?" Having a resilience plan in place helps reduce the impact of potential payroll incidents.
Protective Best Practices
With payroll threats on the rise, what can businesses do to limit the potential impact? Here, three processes take priority:
- Automation — Introducing automation can help streamline labor-intensive and error-prone tasks including data entry, in turn providing payroll teams more time to identify potential payment outliers.
- Authentication — Advanced user verification techniques like two-factor authentication and single sign-on can reduce friction when users log in to payroll systems while also reducing overall risk.
- Adaptation — Security threats are constantly evolving. As a result, organizations need payroll systems capable of keeping pace. This means both regular software updates and regular network assessments are needed to ensure payroll processes are meeting performance and protection expectations.
Secure Payroll: Outsourced vs. In-House
All of this prompts a critical question: Is it better to outsource these processes or to keep payment procedures in-house?
Control remains the most popular reason to keep payroll processes on-site — without the additional layer of a third-party provider, there's theoretically less risk to protected payment data. But Albarella says this can add a significant burden for business leaders.
"You're responsible 100% of the time for securing the data that you're taking from your employees for processing your payroll," she says. "You're also responsible for the money itself and how it's transferred; how are you getting that money from your bank account to your employees? How are you submitting the taxes for that?"
Reputable third-party providers offer a layer of protection along with improved performance. For example, the rise in paycards for newly arrived workers or those who don't open a typical bank account provides a secure way to deliver payment and check balances online. Distributing these cards and deploying the infrastructure to maintain them, meanwhile, isn't something that falls under the scope of most IT staff — especially as they're tasked with managing larger-scale security concerns.
Put simply, there's a case for in-house payroll if organizations have small staff numbers and streamlined payments processes. Once you introduce elements of large-scale data collection and online access, however, the risks of emerging payroll threats typically outpace the benefits of keeping processes on premises.
Payroll attacks are evolving. To stay safe, enterprises must recognize potential threat vectors, prioritize key processes, implement best practices, and identify the best-fit secure payroll solution for their business.
Learn about our commitment to payroll and data security by visiting ADP.com/trust.