CPA firms that process payroll take on significant liability by storing sensitive information for hundreds of working people. If this liability makes you nervous, it’s time to encourage your clients to outsource payroll.
The technology used by these bureaus is engineered to be secure. IT teams at payroll providers help executives create crisis response plans for attacks ranging from email phishing to a full data breach.
The Cybersecurity Layers of Processing Payroll
Payroll providers are responsible for transferring wages from an employer to an employee securely. Payroll is processed for millions of people weekly. The sensitive data housed in payroll software is worth anywhere from hundreds of thousands of dollars to millions. How is this data protected?
Payroll companies apply these layers of protection company-wide:
- Encrypted Hardware: Secure technology is installed directly on employees' computers at payroll processing companies. Typically these programs and settings cannot be modified without the help of a company's IT administrator. Payroll providers use VPNs for remote workers to ensure data is transferred securely.
- Limited Client Access: Generally, a client’s online access and account visibility depends on the client’s role in their company. It’s typically set up so that a client’s employees can log in and view individual pay stubs and reports. But employees cannot see the whole system.
Company owners and managers can see employment details for everybody on payroll, such as pay rates, attendance history, and IRS documents. Employees see a personalized dashboard, limited to them.
- One Point of Contact: Payroll providers generally assign one point of contact or representative to work with your client. There may be a secondary contact in the case that your client’s representative leaves the company or changes roles, but access should be limited to one or two specific agents. It’s not likely that the receptionist has access to your client’s accounts, but if you have concerns, voice them.
- Trained Service Agents: Customer Service Representatives are thoroughly trained in cybersecurity. These agents are the first line of defense between a cybercriminal and the payroll provider. System requirements also force agents to change passwords regularly. Some companies also “test” employees with simulated email phishing exercises to keep everybody alert. These exercises often appear to come from a member of the executive team or management requesting urgent help from an employee. If the employee falls for the scam and clicks the link, they’ll be required to take another security training. Repeat offenders may be subject to termination.
- Secure file transfers: Files are transferred over an encrypted portal specifically engineered for sensitive data. The internal payroll system is also encrypted. To avoid instances of cyber phishing, client information is never sent over email.
Assess the Service Team
As an advisor, you and your client will work closely with the payroll provider’s customer service team. The customer service team will be your best line of defense against cyber criminals. Customer service agents are inherently trained to anticipate, identify, and resolve sources of fraud before it actually becomes an issue for the payroll provider.
Customer service agents are trained to identify these types of fraud and the red flags that frequently precede them:
- New Account Fraud: This type of fraud occurs when accounts are set up based on stolen personal information or a stolen identity.
- Check/Credit Card Fraud: This type of fraud occurs when fake or unauthorized checks or credit cards have been used. Unapproved company transactions are also considered fraudulent and should be analyzed by management. It’s an unfortunate reality that sometimes your client’s own employees may be the ones committing fraud; employee payroll fraud is something all business owners must guard against.
- Phishing Fraud: This type of fraud is most common over email. Cybercriminals will pose as company leaders, management, or even as other employees to attempt to get personal or company data out of employees. More often than not the stolen information is used to perpetrate identity theft or credit card fraud. Phishers also apply this technique to try and steal ACH/wire information over email.
- Identity Theft: Unfortunately, this type of fraud is rampant across all industries but especially plagues the financial industry. Identity theft occurs when somebody uses another person’s financial or personal data without his or her consent. This type of fraud is extremely difficult to reconcile. To combat the issue, customer service teams continue robust security training for employees and add verification steps for all clients.
Responding to Data Breaches
You could compare a cybercriminal gaining access to a library of payroll data to somebody winning the lottery: jackpot. There are several layers of protection that payroll providers put in place to make sure that data breaches, ransomware threats, and other cyber attacks never compromise company data.
Let’s take a look at some of the tactics in place:
- Third-Party Data Hosting: An advanced payroll provider knows better than to host data on its own site. Cloud-based third-party hosting providers like Connectria are a reliable alternative, as these companies monitor and back up data 24/7. Data hosting companies alert I.T. administrators of any threats. Examples of threats include massive numbers of files being deleted, unauthorized file decryptions, and reports of unusually high CPU levels.
- Air Gapping: This advanced backup strategy is critical in 2022. The technique works by keeping a copy of your sensitive data offline, disconnected, and unreachable from the internet at all times. Since the information is not available to the hacker online, the copy is preserved safely. These copies should be updated at least once a day before storing them offsite.
- Third-Party Data Monitoring: “You can’t fix what you don’t know about,” is an important detail any experienced I.T. Administrator would tell you. The key to a successful cybersecurity plan is to be proactive, not reactive. Third-party cybersecurity monitoring companies like Arctic Wolf monitor the company network and system activities. These companies go a step further than hosting providers because they also monitor communication on company servers. Examples include alerting management to a forwarded phishing email or monitoring company inboxes on Outlook for external messages that may contain a virus.
- Several Points of Contact: When a data breach occurs, there is a line of command for notifying management within the company. First in line is the I.T. administrator, followed by the Chief Technology Officer, and then other members of the management team. This order may change at every company, but critical security threats related to a data breach should never be isolated to one person or department.
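Two of the threat indicators listed under Third-Party Data Hosting above, a burst of file deletions and sustained high CPU, can be turned into simple alerting rules. The following is an added illustration, not code from ConnectPay or any hosting vendor; the audit events, host names and thresholds are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed audit events: (epoch_seconds, user, action, path). Not from any real system.
AUDIT_EVENTS = [
    (1000, "alice", "delete", "/payroll/w01/stubs.csv"),
    (1002, "alice", "delete", "/payroll/w02/stubs.csv"),
    (1003, "bob", "delete", "/payroll/tmp/export.csv"),
    (1004, "alice", "delete", "/payroll/w03/stubs.csv"),
    (1005, "alice", "read", "/payroll/w04/stubs.csv"),
    (1006, "alice", "delete", "/payroll/w04/stubs.csv"),
    (1008, "alice", "delete", "/payroll/w05/stubs.csv"),
    (1010, "alice", "delete", "/payroll/w06/stubs.csv"),
    (1500, "bob", "delete", "/payroll/tmp/export2.csv"),
] + [(100 + 1000 * i, "carol", "delete", f"/archive/{i}.bak") for i in range(6)]

# Constructed CPU samples in arrival order: (host, percent busy).
CPU_SAMPLES = [("pay-db01", 95.0), ("pay-web01", 95.0), ("pay-db01", 97.5),
               ("pay-web01", 40.0), ("pay-db01", 99.0), ("pay-web01", 96.0),
               ("pay-web01", 97.0)]

def detect_mass_deletion(events, window_seconds=60, threshold=5):
    """Alert once per user who deletes at least `threshold` files inside a sliding window."""
    recent = defaultdict(deque)   # user -> timestamps of deletes still inside the window
    alerted, alerts = set(), []
    for ts, user, action, _path in sorted(events):
        if action != "delete":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window_seconds:   # drop deletes that aged out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "count": len(q), "from": q[0], "to": ts})
    return alerts

def detect_sustained_cpu(samples, threshold_pct=90.0, min_consecutive=3):
    """Flag a host the first time it stays at/above `threshold_pct` for `min_consecutive` samples."""
    streak = defaultdict(int)     # host -> consecutive samples at or above the threshold
    flagged = []
    for host, pct in samples:
        streak[host] = streak[host] + 1 if pct >= threshold_pct else 0
        if streak[host] == min_consecutive:
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    print(detect_mass_deletion(AUDIT_EVENTS))   # alice: 5 deletes between t=1000 and t=1008
    print(detect_sustained_cpu(CPU_SAMPLES))    # ['pay-db01']
```

Carol's six deletes are spread 1000 seconds apart, so they never accumulate inside the 60-second window, and pay-web01's dip to 40% resets its streak; both stay quiet while the real bursts alert.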
Hassle-free Payroll at ConnectPay
We know CPAs are busy. Our Connected Service Team can provide your clients with secure, dedicated support using our one-call service model and our encrypted online platforms. We’re here to answer your questions about cybersecurity as it relates to payroll. Let’s Connect Today!