Keeping your payroll data safe in the cloud
Payroll is one of the most sensitive areas of a business. It requires processing a great deal of personal data about your employees, including names, addresses, bank account details, social security or National Insurance numbers and salary information, as well as critical financial information about the business itself. Legal requirements to protect this information exist, but they do not by themselves stop an attacker, so concerns about cybercrime remain well founded.
The 2021 Cost of a Data Breach Study found it can take an organisation around 30 days to identify and contain a data breach. Even where the breach is dealt with within the month, the average cost to the business is a staggering £930,000. In reality, many businesses take longer than six months to get a security incident under control, let alone 30 days.
The UK government's Cyber Security Breaches Survey 2022 found that 39% of UK businesses identified a cyber attack in the previous 12 months. Among those businesses, phishing was by far the most common attack vector (83%), and around one in five identified a more sophisticated attack such as a denial of service, malware or ransomware.
These numbers might seem high, but they are down from previous years (46% in the 2020 survey). Even so, the importance of payroll security cannot be overstated for accountants, bookkeepers and payroll bureaus, who hold sensitive employee data for many clients at once: a single compromised practice account exposes every client it serves. That is why in this post we outline the steps you can take to keep payroll data safe in the cloud.
The importance of payroll security
Because payroll involves such sensitive information, it remains an attractive target for cybercrime, and any breach is likely to have severe consequences for both the business and its employees. That is why businesses must do everything they can to keep payroll data secure and protected from attack.
This applies to physical records as well as information stored digitally. Every business should have policies and procedures that address cybersecurity, and all staff must be made aware of them. As an accountant, bookkeeper or payroll bureau, it is your responsibility to keep your clients' employee data safe.
What are the data protection obligations of accountants, bookkeepers, payroll bureaus and their clients for payroll?
Because it involves processing personal data, payroll is one of the key HR areas affected by data protection regulation. In the UK, the main legislation is the UK GDPR together with the Data Protection Act 2018, which retains the EU General Data Protection Regulation (GDPR) in UK law. The EU GDPR continues to apply to any organisation, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour there.
The Data Protection Act covers personal data, which includes HR records such as sickness absence, performance appraisals and recruitment notes. It also covers 'special category' data: information about an individual's race, ethnicity, politics, religion or beliefs, trade union membership, genetic and biometric data, health, sex life and sexual orientation. Information about criminal convictions and offences is subject to similar additional safeguards.
The Data Protection Act requires anyone holding or processing personal data to follow strict rules called the 'data protection principles', and most HR and employment files and records are covered by it. Under the Act, employers are usually data controllers, because they decide why and how personal data is collected and processed. Employees, workers, ex-employees and applicants are data subjects. An accountant, bookkeeper or bureau running payroll on a client's instructions is usually a data processor: you must process the data only as your client instructs, keep it accurate and up to date, and keep it secure.
When processing or storing personal data, a business must have confidentiality safeguards in place, and employers must tell employees what information is held about them, why it is collected, what will happen to it and who will see it. The Data Protection Act also requires businesses to take measures to safeguard personal data, which can include defining security policies and encryption standards and providing secure workstations, servers and storage.
Payroll software can help you comply with GDPR and the Data Protection Act through features such as two-factor authentication, password protection, access control, encryption and secure storage. For the purposes of the Data Protection Act, an automated payroll system or software provider is a 'sub-processor', because the processor (you) uses it to process the data on the controller's behalf. Bear in mind that these features only protect data if you actually switch them on and restrict who has access.
So far we have talked about the obligations placed on businesses by GDPR and the Data Protection Act, but the legislation also gives individuals rights over the data held about them. The three most relevant to payroll are:
- The right to be informed – employees are entitled to know what you and your clients are doing with their data
- The right to be forgotten (erasure) – employees are entitled to ask you and your clients to remove their data. This right is not absolute: payroll records you are legally required to keep (for example for HMRC) cannot be deleted on request until that retention period ends, and you must tell the employee why
- The right of access – employees are entitled to ask for all the data you and your clients hold about them
This means that when it comes to your payroll system, you need to think about the data you collect and process about your own and your clients' employees. In particular: do you have clear data collection policies that explain this to those employees? Do you have a policy for deleting information, either on request or when the law no longer requires you to keep it? And how easy is it for your own and your clients' employees to see the information you hold about them? An insider tip: an employee self-service portal, where staff can view and update their own details and payslips, covers much of the right of access without manual requests.
With this in mind, let's look at the tips your practice can implement to ensure that your payroll data storage is compliant and secure.
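A retention and erasure policy is only useful if it is applied consistently, so here is a worked example of the decision logic for a deletion job. It is an added example written for this post, not KeyPay's code. It assumes a UK-style rule, set as a constant below, that payroll records are kept for a fixed number of years after the end of the tax year in which the employment ended (HMRC requires three years for PAYE records), and it handles the case above where an erasure request arrives before that statutory period has expired. The sample records are constructed, not real people.

```python
"""Retention and erasure decisions for payroll records (added example, not KeyPay's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumption for this example: the statutory period. HMRC requires PAYE
# records to be kept for 3 years from the end of the tax year they relate to.
RETENTION_YEARS = 3


@dataclass
class PayrollRecord:
    employee_id: str
    leaving_date: Optional[date]      # None while the person is still employed
    erasure_requested: bool = False   # the employee has exercised the right to erasure


def tax_year_end(d: date) -> date:
    """UK tax years run 6 April to 5 April; return the 5 April that ends d's tax year."""
    if (d.month, d.day) >= (4, 6):
        return date(d.year + 1, 4, 5)
    return date(d.year, 4, 5)


def retention_expiry(rec: PayrollRecord) -> Optional[date]:
    """Last day the record must be kept, or None while the person is still employed."""
    if rec.leaving_date is None:
        return None
    end = tax_year_end(rec.leaving_date)
    return date(end.year + RETENTION_YEARS, end.month, end.day)


def decide(rec: PayrollRecord, today: date) -> Tuple[str, str]:
    """Return (action, reason) for one record.

    'retain'         - still employed, or inside the statutory period with no request
    'delete'         - statutory period over (this also satisfies any erasure request)
    'refuse_erasure' - request received but the law still requires the record;
                       the employee must be told why and when the data will go
    """
    expiry = retention_expiry(rec)
    if expiry is None:
        return ("retain", "current employee")
    if today > expiry:
        return ("delete", f"retention expired {expiry.isoformat()}")
    if rec.erasure_requested:
        return ("refuse_erasure", f"legal obligation to retain until {expiry.isoformat()}")
    return ("retain", f"retain until {expiry.isoformat()}")


def plan(records: List[PayrollRecord], today: date) -> Dict[str, Tuple[str, str]]:
    """Map employee_id -> (action, reason) for a batch, e.g. a nightly deletion job."""
    return {r.employee_id: decide(r, today) for r in records}


if __name__ == "__main__":
    # Constructed sample data, not real employees.
    sample = [
        PayrollRecord("E001", None),
        PayrollRecord("E002", date(2019, 2, 1)),
        PayrollRecord("E003", date(2021, 6, 1), erasure_requested=True),
    ]
    for emp, (action, why) in plan(sample, date(2022, 4, 6)).items():
        print(emp, action, why)
```

Run nightly, the job deletes only what the law no longer requires, and the 'refuse_erasure' outcome gives you the list of people who need a written explanation and a date by which their data will be removed.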
Seven tips to ensure payroll security
Cybersecurity awareness training
Weak and stolen credentials are among the simplest and most common causes of data breaches, according to training provider and cybersecurity specialists IT Governance. Insider error is another leading cause. For this reason alone, regular cybersecurity awareness training and clear best-practice guidance, covering at least how to recognise phishing and how to handle credentials, is one of the most effective things you can do for your staff and your clients.
Cybersecurity risk assessment
It's wise to complete a risk assessment to identify the risks to your payroll data. Once risks have been identified, you can put controls, policies and procedures in place to address them. These might include restricting access to the payroll system, putting a data retention policy in place, classifying the sensitivity of the data you and your clients hold, updating existing security measures, or implementing new ones such as firewalls, endpoint protection and timely patching.
Secure data storage
Cloud payroll is generally more secure than payroll kept on ageing in-house systems, provided the provider encrypts the data and patches its infrastructure continuously, which is work most small practices cannot keep up with themselves. As an example, our customers' data is hosted on Amazon Web Services (AWS), either in the AWS Europe (Ireland) region in Dublin for UK customers or in the AWS Asia Pacific (Sydney) region, on infrastructure covered by AWS's GDPR and PCI DSS compliance programmes. Data in transit is protected with TLS (the encryption most people still call 'SSL') using 256-bit cipher suites, all sensitive data is encrypted on disk, and everything the payroll platform transfers goes over HTTPS; no data is transferred over plain HTTP. Whatever system you use, it is crucial to confirm that your and your clients' employee data is encrypted both in transit and at rest, and to remember that the provider secures the platform while you remain responsible for who can log into it.
Run regular data backups
Regular backups are a general rule of security, whether your records are digital or paper-based. Backups should be stored off site in line with best practice, for example in a fireproof facility, and kept separate from the live system so that a ransomware infection cannot encrypt the backups along with the data. A backup you have never restored from is not a backup: test restores regularly. If you run payroll in house, consider using a dedicated computer to access the software, with stricter access and security controls. Cloud payroll makes this much less of a concern.
If you are still using a paper-based system, we recommend switching to a digital solution such as cloud payroll to make GDPR compliance more straightforward: records are stored securely while remaining accessible. With KeyPay, full backups are carried out daily and transaction logs are backed up every 15 minutes, and our backups are verified and tested on a weekly basis.
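What "verified and tested" means in practice for a practice running its own backups: here is an added example, not KeyPay's backup tooling, of an integrity check and restore drill for a payroll export. It writes constructed sample records to a backup directory, stores a SHA-256 manifest of the files, and protects the manifest with an HMAC key that is assumed to live outside the backup (in a secrets store, not alongside the files). A plain list of hashes is not enough, because whoever can alter the backup can usually recompute the hashes; the separately held key is what makes tampering, including ransomware rewriting the files, detectable. The file names and key are assumptions for the example.

```python
"""Backup integrity check and restore drill for a payroll export (added example, not KeyPay's code)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import List, Tuple

DATA_FILE = "payroll.json"        # assumed names for this example
MANIFEST_FILE = "manifest.json"
MAC_FILE = "manifest.mac"


def sha256_file(path: Path) -> str:
    """Stream the file so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(records: List[dict], backup_dir: Path, mac_key: bytes) -> None:
    """Dump the records, then write a manifest of file hashes and an HMAC tag over it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    data_path = backup_dir / DATA_FILE
    data_path.write_text(json.dumps(records, sort_keys=True))
    manifest = json.dumps({"files": {DATA_FILE: sha256_file(data_path)}}, sort_keys=True).encode()
    (backup_dir / MANIFEST_FILE).write_bytes(manifest)
    tag = hmac.new(mac_key, manifest, hashlib.sha256).hexdigest()
    (backup_dir / MAC_FILE).write_text(tag)


def verify_backup(backup_dir: Path, mac_key: bytes) -> bool:
    """True only if the manifest is authentic and every file it lists still matches."""
    manifest_bytes = (backup_dir / MANIFEST_FILE).read_bytes()
    expected_tag = hmac.new(mac_key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest((backup_dir / MAC_FILE).read_text(), expected_tag):
        return False  # manifest was altered or was written with a different key
    for name, digest in json.loads(manifest_bytes)["files"].items():
        path = backup_dir / name
        if not path.is_file() or not hmac.compare_digest(sha256_file(path), digest):
            return False  # file missing, corrupted or tampered with
    return True


def restore_drill(backup_dir: Path, mac_key: bytes, live_records: List[dict]) -> bool:
    """The weekly drill: verify, restore into a scratch copy, compare with live data."""
    if not verify_backup(backup_dir, mac_key):
        return False
    restored = json.loads((backup_dir / DATA_FILE).read_text())
    return restored == live_records


def run_demo() -> Tuple[bool, bool]:
    """Return (clean backup passes the drill, tampered backup is rejected)."""
    # Constructed sample records, not real people; the key is a placeholder.
    records = [
        {"employee_id": "E001", "name": "A. Example", "net_pay": 2100.50, "sort_code": "00-00-00"},
        {"employee_id": "E002", "name": "B. Example", "net_pay": 1875.00, "sort_code": "00-00-00"},
    ]
    mac_key = b"example-key-keep-this-outside-the-backup"
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp) / "backup"
        write_backup(records, backup_dir, mac_key)
        clean_ok = restore_drill(backup_dir, mac_key, records)
        # Simulate silent corruption or tampering: change one figure in the dump.
        data_path = backup_dir / DATA_FILE
        data_path.write_text(data_path.read_text().replace("2100.5", "9100.5"))
        tampered_rejected = not verify_backup(backup_dir, mac_key)
    return clean_ok, tampered_rejected


if __name__ == "__main__":
    print(run_demo())
```

The drill compares the restored data with the live copy rather than only checking that the files open, which is what catches a backup job that silently started exporting an empty or stale data set.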
Maintain password hygiene
Use a password manager such as 1Password to generate and store strong, unique passwords.
Do not share passwords with anyone. Use a different password for every application, and make sure each one is strong; a password manager can generate them and flag weak or reused ones. Prefer long passphrases to short complex passwords. Wherever possible, switch on two-factor authentication on your payroll account: it adds a layer that a stolen password alone cannot get past, which matters because, as noted above, stolen credentials are one of the most common causes of breaches.
Limit user access
Limiting user access is a good way to keep security in check: give each user only the access their job requires, so that a compromised or careless account exposes as little as possible. KeyPay full-access users can grant restricted access to other users in order to protect potentially sensitive data, and it is worth reviewing those grants periodically and removing access for people who have changed role or left.
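To make "restricted access" concrete, here is an added example of least-privilege access to payroll records. It is illustrative code written for this post, not KeyPay's access model. It denies by default, scopes which records a user may see at all (a manager only their own team, an employee only themselves), redacts fields by role (a manager never sees pay or bank details), and writes every decision to an audit log. The roles, field names and team structure are assumptions for the example, and the sample record is constructed.

```python
"""Least-privilege, deny-by-default access to payroll records (added example, not KeyPay's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fields in a payroll record, grouped from least to most sensitive (assumed names).
BASIC_FIELDS = {"employee_id", "name", "team", "hours"}
PAY_FIELDS = {"gross_pay", "net_pay"}
BANK_FIELDS = {"sort_code", "account_number"}
ALL_FIELDS = BASIC_FIELDS | PAY_FIELDS | BANK_FIELDS

# Fields each role may read. A role not listed here gets nothing.
ROLE_FIELDS = {
    "payroll_admin": ALL_FIELDS,
    "manager": BASIC_FIELDS,   # enough to approve hours, nothing about pay or bank
    "employee": ALL_FIELDS,    # but only their own record; see in_scope()
}


@dataclass
class User:
    user_id: str
    role: str
    team: Optional[str] = None   # for managers: the one team they may see


@dataclass
class AuditLog:
    entries: List[str] = field(default_factory=list)

    def record(self, user: User, employee_id: str, outcome: str) -> None:
        self.entries.append(f"{user.user_id}({user.role}) -> {employee_id}: {outcome}")


def in_scope(user: User, record: Dict) -> bool:
    """Which records this user may see at all. Unknown roles are denied."""
    if user.role == "payroll_admin":
        return True
    if user.role == "manager":
        return user.team is not None and record["team"] == user.team
    if user.role == "employee":
        return record["employee_id"] == user.user_id
    return False


def view_record(user: User, record: Dict, audit: AuditLog) -> Dict:
    """Return only the fields this user may see, or raise PermissionError; always audit."""
    if not in_scope(user, record):
        audit.record(user, record["employee_id"], "DENIED")
        raise PermissionError(f"{user.user_id} may not view {record['employee_id']}")
    allowed = ROLE_FIELDS.get(user.role, set())
    view = {k: v for k, v in record.items() if k in allowed}
    audit.record(user, record["employee_id"], f"ALLOWED fields={sorted(view)}")
    return view


def can_view(user: User, record: Dict, audit: AuditLog) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        view_record(user, record, audit)
        return True
    except PermissionError:
        return False


def sample_record() -> Dict:
    """Constructed sample data, not a real person."""
    return {"employee_id": "E002", "name": "B. Example", "team": "ops", "hours": 160,
            "gross_pay": 2500.0, "net_pay": 1875.0,
            "sort_code": "00-00-00", "account_number": "00000000"}


if __name__ == "__main__":
    rec, log = sample_record(), AuditLog()
    print(view_record(User("admin1", "payroll_admin"), rec, log))
    print(view_record(User("mgr1", "manager", team="ops"), rec, log))
    print("other team manager allowed:", can_view(User("mgr2", "manager", team="finance"), rec, log))
    print("\n".join(log.entries))
```

The two checks are deliberately separate: scope decides whether the user may touch the record at all, and the field filter decides how much of it they get. Keeping the audit entry in the same function as the decision means there is no code path that grants access without logging it.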
Use a Virtual Private Network (VPN)
A VPN tunnels your device's traffic through an encrypted connection to a remote server, so anyone on the local network (for example the operator of a public hotspot) sees only encrypted traffic and the VPN server's address, not what you are doing or where. This makes it a sensible way to reach cloud services from untrusted networks. Be clear about its limits, though: a VPN protects the path from your device to the VPN server, not a device that is already compromised, and it does nothing against phishing, the most common attack mentioned earlier in this post. The best advice is still to avoid free public Wi-Fi hotspots for payroll work altogether; if you must use one, make sure the VPN is connected before you log in.
How KeyPay helps business owners stay safe
Businesses often choose payroll software for its security alone. At KeyPay, we have processes and checks in place both to ensure compliance and to safeguard the platform against attack. We are ISO/IEC 27001:2013 certified and have incident response and disaster recovery procedures in place so that we can respond quickly to a potential attack, and we carry out regular drills to keep those procedures effective. This means we can identify and address any breach quickly. We maintain certification through extensive audits of our controls, to ensure that information security risks affecting the confidentiality, integrity and availability of company and customer information are appropriately managed.
In a nutshell, we do the hard work so that you don’t have to worry.