According to the 2017 Trustwave Global Security Report, gangs of cyber-criminals prefer to target commonly used software platforms with known vulnerabilities. Corporate and internal networks, as well as point-of-sale (POS) systems, are most at risk, falling victim to 43% and 31% of attacks respectively.
The e-commerce environment is another firm favourite among cyber-criminals. The majority of breaches that occurred globally in 2016 were due to insecure remote-access software and weak internal policies such as poor password security. However, many e-commerce providers, often under pressure from banks, are tightening up their security measures and as a result, the number of cyber-attacks has dropped from 38% to 26%.
As it gets harder to ‘break in’, cyber-criminals are turning to cunning alternative methods such as phishing and social engineering – currently responsible for 19% of all attacks and rising rapidly. These types of security breaches rely on gaining access to personal information like individual salary and bank account details. The cyber-criminal then uses that information to manipulate their way past corporate security checks and passwords. Therefore, protecting your company’s payroll data is crucial in the fight against cyber-crime.
Why payroll data must be kept secure
E-commerce, credit card and POS data are still the primary targets of cyber criminals. However, as banks and online retail platforms improve their security measures, personal information will increase in both importance and value. Payroll data may not be the primary target right now, but cyber-crime is changing and you need to be alert in order to stay safe.
Not too long ago, being able to forge the necessary signatures was enough to gain access to company vaults. Nowadays, cyber-criminals are using personal information to trick company employees into letting them in. For example, if a hacker gets hold of an employee’s banking details, they could impersonate someone from the payroll department and contact the employee with an email requesting them to open a link and insert the company’s network password. The unsuspecting employee is easily deceived; the email is perfectly professional and includes their personal information which inspires false trust.
In the event of such a security breach, your company could face severe legal consequences. When client or employee information is compromised, the company is typically made to accept responsibility and may have to pay a penalty or fine. However, the damage done to your business’ reputation is often far greater. Cyber-crime is costly and can lead to a loss of customer confidence and business.
How to keep your data secure
The most important element in your cyber-crime fighting arsenal is employee training. Your staff are your company’s gatekeepers – even an intern needs to know how to spot a phishing attack. Bear in mind that someone new to the working world, say a marketing graduate, will not have had much exposure to corporate cyber-crime threats. Regardless of their experience or area of expertise, all employees need to understand how to keep the company network safe. Hacking methods like social engineering play on employee ignorance and gullibility – your staff need to be regularly trained to spot suspicious email or phone call requests.
Weak passwords are also a problem. Given how many passwords the typical individual has to manage these days, it’s natural for employees to choose something simple. Unfortunately, this makes it very easy for cyber-criminals to break in – a dictionary attack can take just five seconds to crack the code! Part of your in-house cyber-security training needs to include how to create tough yet memorable passwords. What’s more, all passwords need to be run against a password complexity check to make sure that they are as uncrackable as possible. Nonetheless, regular password changes are crucial and locking out users after five unsuccessful login attempts is best practice.
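A sketch of the two controls described above, a dictionary-aware password check and a lockout after five failed logins. It is an added example, not taken from the article; the word list, the 12-character minimum and the 15-minute lockout are assumptions.

```python
import time

# Constructed sample word list; a real deployment would load a large list of
# common and previously breached passwords.
COMMON_WORDS = {"password", "payroll", "welcome", "summer", "letmein", "qwerty"}
LEET = str.maketrans("0134578@$!", "oleastbasi")  # undo 0->o, 3->e, @->a, ...
MAX_FAILURES = 5            # lock out after five unsuccessful attempts
LOCKOUT_SECONDS = 15 * 60   # assumed duration; the article does not give one

def password_problems(password, words=COMMON_WORDS, min_length=12):
    """Return the reasons to reject a password (empty list means accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    # Reverse common character substitutions and drop digits and symbols, so
    # "P@ssw0rd2017!" is still recognised as a variant of "password".
    normalized = password.lower().translate(LEET)
    letters = "".join(ch for ch in normalized if ch.isalpha())
    hits = sorted(w for w in words if w in letters)
    if hits:
        problems.append("based on dictionary word: " + ", ".join(hits))
    return problems

class LoginGuard:
    """Counts consecutive failed logins per user and enforces the lockout."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}       # user -> consecutive failed attempts
        self.locked_until = {}   # user -> time at which the lock expires

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0.0)

    def attempt(self, user, password_ok):
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(user):
            return "locked"      # even a correct password is refused for now
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(user, None)
            return "locked"
        return "denied"
```

A password that passes a naive "upper, lower, digit, symbol" rule can still fail here because it is a disguised dictionary word, which is exactly what a dictionary attack tries first.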
You also need to ensure that the payroll technology you use is up to scratch when it comes to information security. Outsourcing your payroll can protect it against cyber-attacks if the service provider you choose has the necessary security measures in place. For example, stored data should be encrypted and their system should undergo regular security checks. When choosing a payroll service provider, look out for a company with an ISO 27001 certification in Information Security Management. Companies with this certification will adhere to best practice methods and enforce security measures that are far superior to what most companies can implement in-house.
Cyber-criminals are getting cleverer and more inventive every day. Your payroll data is valuable currency. Make sure your processes are secure, your employees are trained in cyber-security and that your company information is protected at all times. A cyber-attack is not a question of if, it’s a matter of when. Stay alert and keep your business safe from cyber-crime.
By Warren van Wyk