When it comes to payroll security, decreasing risk is worth the reward.
By Debbie Bolla
The 2017 Equifax data breach was a strong reminder to organizations that personal information can never be too secure. This is especially true when it comes to employee payroll data. That’s why it is more important than ever for HR to proactively and strategically ensure that employee payroll data is secure.
“Payroll inherently deals with sensitive information,” says Loren Downey, senior director of payroll operations at Namely. “When it comes to security, don’t take any risks.”
Data security is certainly on the minds of HR leaders. In fact, a survey by Bloomberg BNA and the American Payroll Association found that respondents from companies with up to 100 employees reported data security as their biggest challenge last year.
So just how can HR drive down risks? Downey recommends that organizations regularly train HR executives who use payroll software on any new updates and perform regular audits of controls, checks, and balances.
Karen Crone, CHRO of Paycor, agrees that HR should maintain a solid ecosystem of team members that are involved in payroll processes—and audits can make a big difference. “Regular audits of payroll procedures are helpful to stay on top of who has access to what information,” she says. “This will allow HR to understand who can process a check through a corporate bank account, who can run payroll, and even who has access to sensitive employee information, including social security numbers and direct deposit accounts.”
How often should HR perform an audit on payroll practices? Leah Machado, director of HR services for Paychex, recommends four times a year—essentially at the end of each quarter. In addition to reviewing HR team member access and checks and balances, Machado advises assessing:
- status and classification of all employees;
- timekeeping processes;
- compliance with federal, state, and local regulations;
- employee benefit accruals, deductions, and enrollments;
- recordkeeping as it relates to requirements and security; and
- financial management (bank reconciliation and payroll tax payments).
More Mobile, More Problems?
Today’s employees expect to be able to review their pay information at any time, from anywhere. That’s why the majority of organizations offer their workforce a mobile app that does just that. But on-the-go capabilities come with their own set of potential security risks and challenges.
“Every company should have a strong mobile device policy for work use,” says Crone. “Awareness and education are just as important to information security as technology.”
She says to start by making sure employees have unique user IDs and complex passwords that are refreshed every few weeks. Leveraging an app with an auto-lock feature gets employees into the habit of signing off after each use. As an extra measure, Crone advises using encryption technologies for any personal mobile devices that are used for work. Biometric authentication on these devices, such as fingerprint or facial recognition, and multifactor authentication procedures are valuable added precautions.
Namely’s Downey recommends training employees on how to use the mobile app, and says it can’t hurt to remind them of common-sense measures to protect their information. “That means always staying up-to-date with security patches and steering clear of public Wi-Fi when they want to access their paystub,” she explains.
Mike Gioja, Paychex’s senior vice president of IT and product development, says organizations should take caution when selecting an app by examining permissions, privacy settings, and anything else that could compromise the security of the device.
“From a developer standpoint, mobile applications should not store any information on the device to ensure data is not left behind when the app/transaction ends,” he notes.
Extra Security Steps
While these measures are critical to preventing security breaches, it’s also important to be prepared if there are any red flags. “It’s critical to have a solid program in place to [halt] suspicious activity,” says Crone. “Make it easy for your employees to report trouble if they think they’re in it. It’s better to know than to let the problem grow within your network or organization.”
Payroll service partners often alert organizations to suspicious behavior and changes in sign-ons and passwords. Gioja says partners can also offer to manage user accounts and user activity.
When it comes to payroll security, decreasing risk is worth the reward. “As hard as it may be to establish and manage these best practices, when something goes wrong from a security perspective, the reputation and financial cost can be significant,” says Crone.