
COMPLIANCE

"Your relationship with your supplier should be a healthy partnership with open and transparent lines of communication"

support specific to payroll departments.

Finally, think about your supply chain. Within payroll, we quite often have multiple providers and software solutions with whom we’re processing and sharing data. Often, when we’re procuring software or engaging with a new supplier, we’ll ask questions, or the supplier will provide information in relation to security. However, how often do we revisit those questions or engage our suppliers in a conversation about their continued processes in relation to cyber-security? Those attending the roundtable said they would “welcome questions from customers in relation to cyber-security”. We also identified it would be best practice to audit your supply chain every 18-24 months, with some suggesting 12 months would be more appropriate. Unfortunately, the reality is that regardless of how many questions are asked or answered, we’ll never be able to fully assess risk in the supply chain, and the basic questions don’t appear to have evolved to align with the increased areas of risk posed by an ever-growing industry of cybercrime.

What questions should payroll professionals be asking their third-party providers?

Supply chain attacks aren’t new. Security Week (https://ow.ly/cUwQ50Py15M) comments, “Why attack a single target when successful manipulation of the supply chain can get access to dozens, or even hundreds, of targets simultaneously?” Within payroll, the most recent example of a supply chain attack is the MOVEit breach, which affected brands such as the BBC, Boots and British Airways. A security flaw was exploited by hackers and impacted several organisations, including some that don’t use MOVEit directly, but have third-party arrangements in place for the transfer of payroll data.

So, what questions should we be asking our supply chain? Roundtable attendees confirmed they welcome questions from their clients around data security, and provided some insights into what we should be asking.

Can I see your business continuity plans (BCPs)?

• How often do you test your BCPs?
• What have you practised in your simulations?
• What’s the process for fixing areas identified within the tests?
• How often do you carry out penetration testing?

It’s important to check your supplier not only has BCPs in place, but also that they’re regularly reviewed and tested. When a cyber-attack or incident occurs, how it’s responded to and dealt with can make a huge difference to the impact of the attack. These questions are designed to provide you with confidence that your supplier takes cyber-security seriously and has tested various scenarios and responses, so they’re able to respond swiftly in the event of an incident.

Where are your back-ups?

It’s important to have back-up files; we all have them as part of our business continuity, but if they’re hosted in the same place as your main systems then they won’t be of use if those servers are compromised. It’s considered best practice to host your system back-up files separately and in another location.

What’s your data retention policy?

These are all important questions to ask. And remember, your relationship with your supplier should be a healthy partnership with open and transparent lines of communication.

How should payroll respond if, and when, an attack does happen?

Acknowledging, as we have previously, that risk can be managed but not removed, it’s important you have BCPs and response plans in place should there be an attack. So, the answer to, ‘how should you respond?’ is, ‘you should respond as outlined within your BCP.’ This plan should be tested regularly (every 18-24 months), and those involved in its processes should know what their responsibilities are, along with what they should be doing, and when, in line with the plan. Your BCP should contain detailed information of how payments will be made to employees if the payroll system isn’t

25 | Professional in Payroll, Pensions and Reward | Issue 93 | September 2023
