Feature
Contributing to today’s discussion are:
● Jason Davenport MCIPP MIoD, non-executive director, CIPP
● Lesley Holmes, data protection officer, MHR International
● Glyn King, group managing director, Datagraphic
● Will North, chief security officer, MHR International.

How should a payroll department review its security protocols?

Jason Davenport: The general data protection regulations (GDPR) brought many challenges for businesses. Hopefully, it brought with it a fresh opportunity to review:
● what data is held
● where it’s held
● why it’s held
● how long it’s held for
● who can access it.
All access to data will be subject to a control protocol that should be regularly reviewed and, where necessary, changed. Roles and responsibilities should be clearly defined – who is expected to have what level of access to areas of systems should be understood across the team. Non-disclosure agreements should also form a key part of contractual documentation, so members of staff with access to personal data are clear on the limitations of use. If data is passed to a third party to handle, are protocols in place for how that’s provisioned and is it subject to regular review? It should be.

Glyn King: Begin reviewing security protocols by speaking to your organisation’s chief information security officer (CISO) or those responsible for information security governance. They’ll hold information security risk assessments for payroll that you can start to review. A review considers the processes involved in collecting, storing, using, sharing and disposing of personal data, the level(s) of data confidentiality, the risks of a security breach and the procedures for implementation and governance. These reviews often consider several things:
● how staff manage data
● the information security awareness training they receive
● what record systems you have
● how you manage data security.
One outcome may be identifying employee data subsets being held in many locations. This data could be more vulnerable to cyber-crime, inaccuracies, or may be kept for longer than necessary. You can then start to design appropriate security measures addressing any changes or gaps identified. Working with your CISO, ensure controls reduce and mitigate risks to the confidentiality, integrity and availability of any information stored, processed and transmitted. Ensure you have a multi-layered approach to information security that doesn’t rely solely on one system or solution to keep your data safe and don’t just consider technical measures. Human factors are at the centre of all information security incidents. Technology alone isn’t a threat; it’s how it’s used and manipulated that presents the threat.

Will North: The best place to start with security is understanding what data you have, where it is and its importance. With payroll data containing a myriad of personal data, such as bank account and salary details, securing it should be a top priority for all organisations. Payroll departments should identify the locations payroll data is stored in – including fileservers, internal applications and cloud systems – and check sufficient controls are in place to mitigate the highest risks. As payroll data defines how much people get paid, compromising the security of this data is highly attractive to cyber-criminals, meaning risks are significant.
The first area of focus should be cloud-based human resource (HR) systems, where staff can update their bank account details. If staff fall for phishing emails and divulge their passwords, a malicious actor can log in to their account and change their bank account details. This is one of the most common types of successful cyber-attacks on payroll data. The best way to stop this is to ensure the cloud-based HR system uses multi-factor authentication (MFA). This makes a password alone less useful to a hacker. In addition, organisations should use behaviour analytics to baseline normal user behaviour to alert when a malicious actor logs in from an abnormal location or at an unusual time.
Payroll departments should ensure that payroll data in applications can’t be modified without authorisation, including:
● only allowing access on a need-to-know basis
● implementing segregation of duties so critical transactions need secondary approval
● using software to monitor and alert on unusual access to data.
The security of payment files in transit between the payroll system (e.g. BACS) and the payment system should be a key area of focus. Someone with access to modify these payment files could change bank account details without authorisation and have salaries diverted to their own accounts. This risk should be controlled by limiting access to a minimum and having alerts in place if anyone opens or modifies these files.

As companies are more comfortable with cloud-based storage systems, what additional security measures should be enacted to ensure a safer environment for data?

JD: If the systems are cloud-based, knowing security policies to protect that data is essential. Knowing how frequently the systems are tested for all types of cyber-attacks is also important. Those responsible for the technical architecture of the systems need to be clear on the type of data housed within payroll, which, if compromised, could easily evolve into a personal breach of data.

GK: The rapid growth of hybrid working has accelerated cloud-based solution use. In payroll, if you’re transmitting employee data to e-payslip, pension or reward platforms, you’ll likely be using cloud-based solutions. You need to be confident any cloud-based solution is a safe environment for your data. To help with that assessment, ask your cloud software provider for their answers to the 14 cloud security principles set out by the UK government’s National Cyber Security Centre (NCSC). The NCSC
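The cloud HR login scenario Will North describes above (a phished password, MFA as the first control, then behaviour analytics that baseline each user’s normal logins and alert on an abnormal location or time) can be shown as detection logic over login events. The block below is an added example written for this page; it is not code from the article or from any HR or security product. The log format, field names, user names, countries and every event are constructed for the example, and the "unusual hour" rule (more than an hour away from any hour previously seen) is an assumption chosen to keep the baseline simple.

```python
"""Baseline-and-alert login analytics for a cloud HR system (added example).

Learn each user's normal login countries and hours from past logins, flag logins
that break that baseline, and escalate when the anomalous session goes on to
change bank details. Everything below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history of "normal" logins: timestamp, user, country, action.
HISTORY = """\
2022-03-01T08:42:00 alice GB login
2022-03-02T09:05:00 alice GB login
2022-03-03T08:51:00 alice GB login
2022-03-04T17:20:00 alice GB login
2022-03-01T07:58:00 bob GB login
2022-03-02T08:10:00 bob GB login
2022-03-03T08:03:00 bob IE login
"""

# Constructed events to screen, including a session that edits bank details.
EVENTS = """\
2022-04-04T08:47:00 alice GB login
2022-04-04T08:49:00 alice GB view_payslip
2022-04-05T02:13:00 alice RO login
2022-04-05T02:15:00 alice RO change_bank_details
2022-04-05T08:05:00 bob IE login
"""


def parse(lines):
    """Turn the whitespace-separated log lines into event dicts."""
    out = []
    for line in lines.strip().splitlines():
        ts, user, country, action = line.split()
        out.append({"ts": datetime.fromisoformat(ts), "user": user,
                    "country": country, "action": action})
    return out


def build_baseline(history):
    """Per user: the set of countries and the set of login hours seen before."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ev in history:
        if ev["action"] == "login":
            base[ev["user"]]["countries"].add(ev["country"])
            base[ev["user"]]["hours"].add(ev["ts"].hour)
    return base


def _near_known_hour(hour, known_hours):
    """True if hour is within one hour (wrapping at midnight) of a known hour."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in known_hours)


def screen(events, baseline, window_minutes=30):
    """Return alerts as (severity, user, reason) for logins outside the baseline.

    A bank-detail change within window_minutes of an anomalous login is raised
    as high severity, since that is the payroll-fraud pattern being guarded against.
    """
    alerts = []
    suspicious_since = {}  # user -> timestamp of their last anomalous login
    for ev in events:
        user, prof = ev["user"], baseline.get(ev["user"])
        if ev["action"] == "login":
            if prof is None:
                alerts.append(("medium", user, "no baseline for user"))
                suspicious_since[user] = ev["ts"]
                continue
            reasons = []
            if ev["country"] not in prof["countries"]:
                reasons.append(f"new country {ev['country']}")
            if not _near_known_hour(ev["ts"].hour, prof["hours"]):
                reasons.append(f"unusual hour {ev['ts'].hour:02d}:00")
            if reasons:
                alerts.append(("medium", user, "; ".join(reasons)))
                suspicious_since[user] = ev["ts"]
            else:
                suspicious_since.pop(user, None)  # normal login clears the flag
        elif ev["action"] == "change_bank_details":
            start = suspicious_since.get(user)
            if start is not None and (ev["ts"] - start).total_seconds() <= window_minutes * 60:
                alerts.append(("high", user, "bank details changed in anomalous session"))
    return alerts


if __name__ == "__main__":
    for alert in screen(parse(EVENTS), build_baseline(parse(HISTORY))):
        print(alert)
```

Run as a script it prints one medium alert for alice’s 02:13 login from a country not in her baseline, then a high alert for the bank-detail change two minutes later; bob’s login from IE at 08:05 stays quiet because both values are in his baseline. In a real deployment the baseline would be rebuilt on a rolling window and the high alert would feed the secondary-approval step for bank-detail changes rather than just a log line.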
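The payment-file control Will North describes (limit who can touch the file between the payroll system and BACS, and alert if it is opened or modified) and the segregation-of-duties point from the same answer can be combined into one release check. The block below is an added example written for this page, not code from the article or from any BACS submission software. The file layout, the release key, the employee ids, sort codes, account numbers and amounts are all constructed; a real deployment would hold the key in a managed secret and use the bank’s actual file format.

```python
"""Integrity and segregation-of-duties check for a payment file (added example).

The preparer registers a keyed digest of the approved file plus a per-record
digest and control totals. A different person approves release, and the release
step refuses any file whose content no longer matches, naming the changed records.
"""
import hashlib
import hmac

# Key known only to the release service, so write access to the file share is
# not enough to re-register a tampered file. Constructed value for the example.
RELEASE_KEY = b"example-release-key-not-for-production"

# Constructed payment file as produced by the payroll system (one payee per line):
# employee id, sort code, account number, amount.
APPROVED_FILE = """\
E1001,20-00-00,12345678,2150.00
E1002,20-00-00,87654321,1980.50
E1003,40-11-22,11223344,3025.75
"""

# The same file after someone with write access re-pointed E1002's payment.
# Note the amount is unchanged, so control totals alone would not catch it.
TAMPERED_FILE = """\
E1001,20-00-00,12345678,2150.00
E1002,60-99-99,99999999,1980.50
E1003,40-11-22,11223344,3025.75
"""


def parse_payments(text):
    """Return {employee_id: {"line": raw line, "pence": amount in pence}}."""
    rows = {}
    for line in text.strip().splitlines():
        emp, _sort_code, _account, amount = line.split(",")
        pounds, pence = amount.split(".")
        rows[emp] = {"line": line, "pence": int(pounds) * 100 + int(pence)}
    return rows


def _mac(data: bytes) -> str:
    """HMAC-SHA256 under the release key, hex encoded."""
    return hmac.new(RELEASE_KEY, data, hashlib.sha256).hexdigest()


def register(file_text, preparer):
    """Preparer step: record what was approved, so release can verify it."""
    payments = parse_payments(file_text)
    return {
        "preparer": preparer,
        "file_mac": _mac(file_text.encode()),
        "record_macs": {emp: _mac(p["line"].encode()) for emp, p in payments.items()},
        "count": len(payments),
        "total_pence": sum(p["pence"] for p in payments.values()),
    }


def release(file_text, manifest, approver):
    """Approver step. Returns (ok, reasons); only ok=True may be submitted."""
    reasons = []
    if approver == manifest["preparer"]:
        reasons.append("segregation of duties: approver must differ from preparer")
    if not hmac.compare_digest(_mac(file_text.encode()), manifest["file_mac"]):
        payments = parse_payments(file_text)
        changed = sorted(
            emp for emp in set(payments) | set(manifest["record_macs"])
            if emp not in payments or emp not in manifest["record_macs"]
            or not hmac.compare_digest(_mac(payments[emp]["line"].encode()),
                                       manifest["record_macs"][emp])
        )
        reasons.append("file modified after registration; changed records: "
                       + ", ".join(changed))
    payments = parse_payments(file_text)
    if (len(payments) != manifest["count"]
            or sum(p["pence"] for p in payments.values()) != manifest["total_pence"]):
        reasons.append("control totals differ from registration")
    return (not reasons, reasons)


if __name__ == "__main__":
    manifest = register(APPROVED_FILE, preparer="payroll.preparer")
    print(release(APPROVED_FILE, manifest, approver="payroll.approver"))
    print(release(TAMPERED_FILE, manifest, approver="payroll.approver"))
    print(release(APPROVED_FILE, manifest, approver="payroll.preparer"))
```

The tampered file passes the count and total checks, which is exactly why the keyed digest is needed: a diverted salary does not change the amount paid. The per-record digests let the alert say which payee was altered without the release service keeping a full copy of every file; the failing release call is the point at which the alert the article calls for should be raised.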
Professional in Payroll, Pensions and Reward | Issue 79 | April 2022