When it comes to payroll security, decreasing risk is worth the reward.
By Debbie Bolla
The 2017 Equifax data breach was a strong reminder to organizations that personal information can never be too secure. This is especially true when it comes employee payroll data. Thatâs why it is more important than ever for HR to be proactively and strategically ensuring that employee payroll data is secure.
âPayroll inherently deals with sensitive information,â says Loren Downey, senior director of payroll operations at Namely. âWhen it comes to security, donât take any risks.â
Data security is certainly on the minds of HR leaders. In fact, a survey by Bloomberg BNA and the American Payroll Association found that respondents from companies with up to 100 employees reported data security as their biggest challenge last year.
So just how can HR drive down risks? Downey recommends that organizations regularly train HR executives who use payroll software on any new updates and perform regular audits of controls, checks, and balances.
Karen Crone, CHRO of Paycor, agrees that HR should maintain a solid ecosystem of team members that are involved in payroll processesâand audits can make a big difference. âRegular audits of payroll procedures are helpful to stay on top of who has access to what information,â she says. âThis will allow HR to understand who can process a check through a corporate bank account, who can run payroll, and even who has access to sensitive employee information, including social security numbers and direct deposit accounts.â
How often should HR perform an audit on payroll practices? Leah Machado, director of HR services for Paychex, recommends four times a yearâessentially at the end of each quarter. In addition to reviewing HRÂ team member access and checks and balances, Machado advises to assess:
- status and classification of all employees;
- timekeeping processes;
- compliance with federal, state, and local regulations;
- employee benefit accruals, deductions, and enrollments;
- recordkeeping as it relates to requirement and security; and
- financial management (bank reconciliation and payroll tax payments).
More Mobile, More Problems?
Todayâs employees expect to be able to review their pay information at any time, from anywhere. Thatâs why the majority of organizations offer their workforce a mobile app that does just that. But on-the-go capabilities come with its own set of potential security risks and challenges.
âEvery company should have a strong mobile device policy for work use,â says Crone. âAwareness and education are just as important to information security as technology.â
She says to start by making sure employees have unique user IDs and complex passwords that are refreshed every few weeks. Leveraging an app with an auto-lock feature gets employees into the habit of signing off after each use. As an extra measure, Crone advises using encryption technologies for any personal mobile devices that are used for work. Biometric authentication of said devices, such as fingerprint or facial recognition and multifactor authentication procedures are valuable, added precautions.
Namelyâs Downey recommends training employees on how to use the mobile app, and says it canât hurt to remind them of common-sense measures to protect their information. âThat means always staying up-to-date with security patches and steering clear of public Wi-Fi when they want to access their paystub,â she explains.
Mike Gioja, Paychexâs senior vice president of IT and product development, says organizations should take caution when selecting an app by examining permissions, privacy settings, and anything else that could compromise the security of the device.
âFrom a developer standpoint, mobile applications should not store any information on the device to ensure data is not left behind when the app/transaction ends,â he notes.
Extra Security Steps
While these measures are critical to preventing security breaches, itâs also important to be prepared if there are any red flags. âItâs critical to have a solid program in place to [halt] suspicious activity,â says Crone. âMake it easy for your employees to report trouble if they think theyâre in it. Itâs better to know than to let the problem grow within your network or organization.â
Payroll service partners often alert organizations of suspicious behavior and changes in sign-ons and passwords. Gioja says partners can also offer to manage user accounts and user activity.
When it comes to payroll security, decreasing risk is worth the reward. âAs hard as it may be to establish and manage these best practices, when something goes wrong from a security perspective, the reputation and financial cost can be significant,â says Crone.