Payroll Security Means Tough Questions For Vendors
Payroll Data: A Closer Look at Security Questions

I don’t know about you, but I’d rather not have the deepest, darkest secrets of my bank accounts, social security number, demographic data or personally identifiable information (PII) accessible by some tech-savvy teenager with a penchant for hacking. I want to know that stuff is safe. That’s why I decided to dedicate this blog post to payroll data security. It’s a big deal after all, and as Ernst & Young’s (E&Y) 2011 Global Information Security Survey put it, “Knowledge is power, and information derived from data is any organization’s most valuable asset”—especially when it comes to payroll software.

But how do you know if your company’s payroll data actually is secure? I mean, other than donning full military gear and trying to break in to a vendor’s data center to test security measures, are there ways to ensure that your payroll data is safe? I think so, and so do a number of other companies too. For example, as the good folks at E&Y uncovered during that research I just mentioned, 74% of the businesses surveyed had specific classification and handling policies in place. Not only that, but nearly 70% of them ran employee awareness programs to keep staff informed about data security, and another 60% were putting additional measures in place like encryption as a means to further protect sensitive information. But that’s what the companies themselves are doing, not the payroll solution vendors. So that got me thinking…if you’re in the market for a new payroll application, what questions should you be asking that vendor to get off on the right foot with payroll data security? Feel free to add your own, but here are the top ones that I came up with.

#1: Payroll Data Should Be Secure from Internal Threats; How Will You Help?

Aside from my unflinching resolve that the government is covering up evidence on alien abductions, I’m not much of a conspiracy theorist. That said, when it comes to payroll data, apparently one of the biggest threats to security comes from espionage-esque activities inside the organization rather than some malicious external hacker. At least that’s what McAfee found in 2011 during one of their massive global research studies. According to the company, “Insiders have two variables supporting their activities that outsiders don’t: trust and legitimate access”. And with the proliferation of smartphones, portable storage devices, and cloud services, that access and trust can be exploited and easily turned into data that literally walks out the door. Add to that recent research from Ponemon that found roughly 59% of people leaving a company take information when they exit, and you’ve got a full-blown catastrophe if measures aren’t in place. So ask that prospective payroll software vendor: how are you going to help mitigate these risks? After all, it’s perfectly reasonable to expect that payroll provider to aid in reducing the chance of insider data theft. Do they incorporate measures like accountability controls? What about automatic de-provisioning when an employee leaves? Or do they take things even a step further with automatic recordings of employees’ interactions with sensitive information? Of course, you hate to be paranoid and assume that all employees have this type of proclivity, but wouldn’t you rather have the measures in place and not need them, instead of the other way around?
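To make the accountability and de-provisioning controls in this question concrete, here is an added example (written for this post, not code from the original author or any payroll vendor) that joins a constructed payroll audit log against an HR roster of last working days and flags two insider-risk signals: activity by an account that should already have been de-provisioned, and a single export large enough to warrant review. The log format, user names, dates and the export threshold are all hypothetical.

```python
"""Check a payroll audit log for de-provisioning gaps and bulk exports."""
from datetime import datetime

# Constructed HR roster: user -> last working day (hypothetical values).
TERMINATIONS = {"jdoe": "2012-03-15"}

# Constructed audit log: timestamp user action object rows=N (hypothetical format).
AUDIT_LOG = """\
2012-03-14T09:12:00 jdoe view payroll_record rows=1
2012-03-16T18:40:00 jdoe export payroll_report rows=4200
2012-03-16T10:05:00 asmith view payroll_record rows=1
2012-03-17T23:55:00 asmith export payroll_report rows=3900
"""

# Rows in a single export that should trigger review (assumed threshold).
EXPORT_THRESHOLD = 1000


def parse_log(text):
    """Turn each audit line into a dict with a parsed timestamp and row count."""
    events = []
    for line in text.splitlines():
        ts, user, action, obj, rows = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "object": obj,
            "rows": int(rows.split("=", 1)[1]),
        })
    return events


def find_findings(events, terminations, threshold=EXPORT_THRESHOLD):
    """Return (finding_type, user, timestamp) tuples in log order."""
    findings = []
    for e in events:
        last_day = terminations.get(e["user"])
        # Any activity after the last working day means access was not revoked.
        if last_day and e["ts"].date() > datetime.fromisoformat(last_day).date():
            findings.append(("deprovisioning_gap", e["user"], e["ts"].isoformat()))
        # A large export is the "data walking out the door" case.
        if e["action"] == "export" and e["rows"] >= threshold:
            findings.append(("bulk_export", e["user"], e["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in find_findings(parse_log(AUDIT_LOG), TERMINATIONS):
        print(*finding)
```

A vendor that offers accountability controls should be able to hand you a log with at least this much detail; a vendor that offers automatic de-provisioning should make the first finding type impossible.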

#2: Payroll Data Security Should Keep Up with Technology; What Will You Do?

No offense to Ben Franklin, but from what I’ve seen in the modern workplace world the only two sure things are that a) technology will change; and b) businesses will struggle to keep pace. Of course death and taxes are certainly up there, but when it comes to what’s going to impact your company first, I’d say the technology thing is a bit more pressing. So when Ernst & Young recently mused that increased mobile payroll access and the wider use of cloud payroll deployments were creating “holes through which data can leave”, my immediate first thought was that these newer technologies were simply outpacing security measures. And maybe that idea is spot on, but should it be? After all, isn’t it a basic, underlying assumption that when a business chooses to leverage a new payroll application that data should be safe? I think that’s just table stakes at this point, and I bet you do too; so ask your vendor how they plan on keeping up with those technology changes. For starters, find out about their certifications and attestations. SSAE 16 (which up until recently was referred to as SAS 70 Type II) is a good one for the U.S., but what you really should be looking for is ISO 27001 (which is a set of 131 prescriptive controls that must be adhered to for designation). And aside from the fact that it’s the most robust security attestation in the world, ISO 27001 also happens to be the most widely accepted too, especially in those countries that are more cautious about Software-as-a-Service (or SaaS). And while we’re on the topic of SaaS, E&Y recommends querying your would-be payroll application provider about whether you’re actually getting SaaS or whether you’re instead receiving PaaS (Platform-as-a-Service) or IaaS (Infrastructure-as-a-Service).
In fact, according to E&Y research, “although many people believe that they are purchasing SaaS, it may be from a cloud provider who is using PaaS capabilities from another cloud provider who purchased its infrastructure from an IaaS provider who rents space in a shared data center.” So make sure that the software or service that you’re paying for is what you expect. None of those options are bad, but checking a vendor’s ability to keep pace with changing payroll data security measures does you no good if you’re actually using a different platform.

#3: Payroll Data Should be Secure Across All Platforms; How Will You Handle This?

I touched on it just a second ago, but one of the most widely held beliefs about payroll data security issues centers on how many users now have mobile access. At the core of this problem is that data (like payroll) can now be stored on multiple devices, whereas in the past it lived on a single, closed network. And when you add in the fact that self-service capabilities are increasingly being leveraged to give the workforce greater control over that data, the scope of control just got a whole lot bigger. Even so, shouldn’t vendors have measures in place to deal with this? Seriously, any vendor worth their salt should at least be able to describe their data security for different platforms (and how they balance that with individual access); so ask them. Now granted, there are still elements of this strategy that will have to be handled internally (e.g. policy adjustments, awareness programs, etc.), but the point is that your payroll solution provider shouldn’t leave you high and dry to figure it out on your own.

The Payroll Data Security Bottom-line

Conspiracies, certifications, policies…I suppose we’ve certainly covered it all in this post. But as it is with all enterprise technologies, don’t be surprised if those elements wind up changing over the next few years; that’s the nature of technology after all. What won’t change though is the need for payroll data to be secure. In fact, as esteemed author Vicki Lambert points out, the need for payroll security has actually increased over the years. So, when you’re looking at taking that new payroll software for a test drive, or even just looking under the hood of your current payroll application, keep in mind that you have a (dare I say) duty to ask your payroll vendor the above questions. If you don’t, you run the risk of being uninformed about payroll data security measures, which is a gamble I’d be willing to wager you’re not ready to take.

