Payroll data is highly coveted by cyber criminals today. Should it fall into their hands, the consequences will be horrific. The information will either be quickly sold to third parties or used to commit identity or digital theft. Companies that fail to secure their employees' time and labor data and other salary information could find themselves hit with multiple lawsuits and crippling fines. As a consequence, many HR departments have looked for new ways to secure data, with cloud computing being one of the most popular. Below are some tips for effectively securing cloud payroll.
What Employers Need To Know
Payroll data is usually accessed via third parties which provide services through cloud computing. It is critical that employers understand this arrangement and its level of data security. Specifically, employers should inquire about how these third parties segregate the data so that secured access is guaranteed. Encryption protocols should be used, and employers should know where and how the data is stored.
Identity authentication is extremely important because it ensures that only authorized parties are able to gain access. Multifactor authentication is another desirable mechanism. Vendors should be able to present documents regarding their cyber security policies and to explain what will be done should they fall victim to a data breach or some other cyber-attack. After reviewing these documents, employers should inquire about revision dates and how often the policies are updated.
Specific Measures That Third Parties Should Take
Any company that relies on a third party to secure its payroll data is taking a great risk, because if something goes wrong, it is the employer rather than the vendor who will be held liable. As such, employers are justified in scrutinizing every aspect of a vendor’s security measures to ensure that the payroll data is protected. It is not enough merely to have the right documentation; it must also be updated and maintained, otherwise security exploits could emerge.
There are specific auditing standards that vendors should meet, such as those provided by the American Institute of CPAs (AICPA). Vendors should be able to show an SSAE 16 report of compliance prepared by an independent auditor. This report describes and rates the controls and systems that a vendor uses for data processing. Whenever data is compromised, procedures must exist to quickly determine the severity of the damage and what data was affected, and to quickly compile all information pertinent to the incident.
One thing that many employers have found helpful is completing a self-audit, based on the understanding that cybercriminals are determined. Employees should be regularly tested and trained to ascertain their level of knowledge. Cyber security is not a task that should be left up to a single person; instead, it must be practiced company-wide. This will allow companies to effectively protect themselves.