Professional April 2024

TECHNOLOGY

Balancing the advancement of technology in payroll services with the threat of cyber risk

Jim Steven, head of crisis and data breach response services, Experian Consumer Services and Oliver Price, director – cybersecurity transformation at S-RM provide insight into how they respond to cyber-attacks from a systems perspective and how they communicate with the individuals whose personal data has been compromised

Payroll services have advanced rapidly over the last few years, embracing technology and leveraging data and access to bring other employee benefits together in a more seamless employee experience. At the same time, we’re living in an age where criminals and fraudsters have found ways to monetise access to this data. The preferred weapon they use is known as Ransomware. Ransomware uses malicious code called malware to lock or copy data, requiring victims to pay to release or return this information.

Cyber threats have escalated dramatically in recent years. The UK’s National Cyber Security Centre issued 24.4 million notifications to organisations of potential malicious activity or vulnerability exposure in 2023, and saw a 64% increase in the number of reports of cyber-attacks with a potentially nationally significant impact. The impact of these incidents is profound. The average cost of a data breach in 2023 was $4.45 million according to the Ponemon Institute’s Cost of a Data Breach Report. Beyond financial loss, cyber-attacks can lead to operational disruption, reputational damage and loss of sensitive data. Recovery from cyber incidents is also not an easy feat, with that same report finding that it takes an average of 280 days to identify and contain a breach. This prolonged recovery period further amplifies the financial and operational impact on organisations. Once it has been determined that a data loss event has occurred involving personal identifiable organisation information, thoughts then move to the communication plan.

How do you provide information to those impacted and across which communication channels? When Experian engages with clients, the default communication channel is email. It’s perceived to be faster and more cost-effective. Ultimately, however, it comes down to what contact information you hold on the people themselves. The content of the communication is also critical. Does the content need to change depending on the cohort groups? So, staff / ex-staff on a payroll, for example. If you work in a multiple jurisdictional organisation, different languages may be required. Legal and compliance teams will have to approve the translations. The clearer the content of the notification, the fewer inbound enquiries you will receive. For example, if no financial data is compromised, reassure people of that in the email / letter. Understanding the amount of resource needed to handle inbound enquiries is essential. You may need to balance the distribution of the communications against the level of resource you can access. Using multiple channels like voice, live chat and email can mitigate this but ultimately this is a brand decision. Using a script of 15-20 questions really helps in terms of messaging and ensuring call handling times are kept

Professional in Payroll, Pensions and Reward | April 2024 | Issue 99