Professional May 2018

Feature insight - cyber security

former staff members could be continuing to access confidential information.

Preventative measures

The good news is that employers can take preventative steps to keep their data secure. “An organisation needs to understand the key risks within their business and build a ‘defence in depth’ security strategy,” explains Collins. “This can be adopted gradually and iteratively to limit both cost and disruption to the business. Often organisations will prioritise operational efficiency over security.”

In terms of payroll processing, Rains suggests employers do the following:

- Keep any hardware (workstations/laptops/mobile devices/printers) and operating software up to date.
- Ensure all payroll/human resources (HR) data for processing is ideally continuously backed up so that it can be restored back to the point of failure or, if that is too costly, ensure it is backed up at least daily.
- Keep virus software up to date.
- Regularly review who is and is not let through internal firewalls.
- Consider which web browsers to let employees use. Some are better for protection than others; however, they may also conflict with some self-service portals.
- Limit employee browsing to trusted and secure websites.
- Consider closing VPN (virtual private network) access outside working hours.
- Enforce the change of HR/payroll systems password every three months and ensure the password is of sufficient length and strength to deter hackers.
- Educate HR/payroll staff, through a continuous awareness programme, on the importance of data security and the dos and don’ts.
- Carry out penetration testing on HR/payroll software every six to twelve months. If the business doesn’t own the software, the host or provider should do the test instead.
- Encrypt data on mobile/portable devices.
- Consider adding additional questions to log into self-service portals.
- Perform rigorous employment checks on staff who work with HR/payroll systems and those who are DBAs (i.e. doing business as operational rather than legal names). The Morrisons data theft incident which led to employees suing the retailer identified that internal staff should also be considered.

A shared responsibility

It must not be forgotten that employees have a key role to play in keeping data safe too.

The Probrand survey also found that nearly half (46%) use the same password for everything at work. In addition, a quarter admitted to using an easily discovered piece of information as the basis of their password, such as dates of birth and spouses’ names.

“Employees can be a critical line of defence against attacks that are delivered via emails,” says Collins. “Employers should conduct relevant and annual training (as a minimum) to reinforce a conscious and diligent culture. This should be extended to data privacy awareness and training which will become mandatory when the data protection bill becomes legislation in May this year.”

Rains says every staff member should always act responsibly as follows.

- Keeping logins and passwords safe and secure.
- Not sharing logins or passwords.
- Not providing their email address to organisations they do not know or have not vetted.
- Refraining from sending personal data in email attachments if it is not encrypted or without a security password.
- Refraining from using portable memory/USB sticks/CD drives.
- Limiting the use of their own personal laptops or tablets to accessing self-service portals only.
- Protecting mobile devices with a password or fingerprint recognition.
- Checking who the sender of an email is before clicking on inviting email links. Hackers may initially disguise the sender’s email address so that it looks genuine, but by clicking on it the real email address is revealed. Many people have been fooled by bogus tax refund emails which looked like they came from HM Revenue & Customs (HMRC) but the email sender is not from HMRC’s domain.
- Not opening .exe or .zip files attached to emails unless they are 100% confident of the source of the email.
- Not opening MS Office/365 files (e.g. Word/Excel) unless they are 100% confident of the source of the email.
- Being aware of anyone in the HR/payroll/IT team acting suspiciously, and reporting it to a manager.

Insurance

Cyber insurance: managing the risk (https://bit.ly/2xjAj3f), a whitepaper published by BDO in August 2017, found that businesses are continuing to spend up to four times more on insuring other company assets, such as property and equipment, than on cyber insurance – despite an increasingly widespread belief that their cyber assets are in fact up to 14% more valuable.

Rains believes insurance to mitigate a risk is normally a good idea. “The activity of payroll processing is deemed a higher risk by most insurers. Premiums for a small- to medium-size enterprise [SME] start relatively cheap but increase based on the number of employee records you process. Providing you act in a professional manner regarding the safety of your data, insurance gives you peace of mind that you can pay any ransom and get some compensation for any data breach fines/penalties, individual claims against you, damage to systems and software and any business interruption costs,” he says.

Collins too believes that cyber insurance is a valid way to transfer risk when the cost of securing an asset is too high, suggesting SMEs with a turnover under £20 million consider the Cyber Essentials Scheme (https://bit.ly/1hkkmdz), which is a government-backed initiative to help businesses protect themselves from everyday online threats. As part of undertaking and passing this certification employers can apply for free insurance which will cover organisations up to £25,000.

However, Rains warns that simply having insurance will not prevent an attack from happening. “My concern here is that it might end up like car insurance, where fake accident claims are common. In this case, will it encourage hackers and more cyberattacks because these criminals will know we are insured so they will get their ransom money?” he adds.
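The sender check in the staff list above (a display name that says HMRC while the real address is not on HMRC’s domain) can be automated at the mail gateway or in a mailbox rule. The following is an added example, not code from the article or from either of the contributors quoted; the allow-list of legitimate domains and the sample headers are constructed for illustration.

```python
# Added example (not from the article): flag a From: header whose display
# name claims a trusted sender (the bogus HMRC refund mails described above)
# while the real address sits outside that sender's domains.
from email.utils import parseaddr

# Constructed allow-list; which domains count as legitimate for a brand is an
# assumption for this example, not an authoritative list.
TRUSTED_SENDERS = {
    "hmrc": {"keywords": ("hmrc", "hm revenue"),
             "domains": ("hmrc.gov.uk", "gov.uk")},
}


def sender_domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_trusted_domain(domain, allowed):
    """Exact allowed domain or a true subdomain of one. Lookalikes such as
    'hmrc-gov.uk' or 'hmrc.gov.uk.attacker.example' both fail this test."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from_header(from_header):
    """Parse From: and report whether the display name impersonates a
    trusted brand that the actual sending domain does not back up."""
    display_name, address = parseaddr(from_header)
    domain = sender_domain(address)
    name = display_name.lower()
    for brand, spec in TRUSTED_SENDERS.items():
        if any(k in name for k in spec["keywords"]):
            return {"brand": brand, "address": address, "domain": domain,
                    "suspicious": not is_trusted_domain(domain, spec["domains"])}
    return {"brand": None, "address": address, "domain": domain,
            "suspicious": False}


if __name__ == "__main__":
    # Constructed sample headers in the style of the refund scam mails.
    for hdr in ('"HMRC Tax Refund" <refunds@hmrc-gov.uk>',
                '"HM Revenue & Customs" <noreply@hmrc.gov.uk>',
                '"HMRC" <alerts@hmrc.gov.uk.mail.example>'):
        r = check_from_header(hdr)
        print("SUSPICIOUS" if r["suspicious"] else "ok", hdr)
```

A display name is free text and proves nothing; the decision rests only on the address domain, and a mail that passes this check still deserves the other precautions in the list.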
Third-party support

According to Collins, technology alone will not provide a silver bullet to security and finding budget for an in-depth security programme can be costly without an immediate return on your investment. “Work with a third party to validate your risk,”

| Professional in Payroll, Pensions and Reward |

Issue 40 | May 2018