With every year that passes, cybersecurity and data breaches are becoming more and more of a concern for businesses. None more so than cyber-attacks on payroll, because when cybercrime involves personal information and sensitive data the damage can be far-reaching and long-lasting. Businesses who suffer a breach of data security run the risk of losing employee trust, damaging their brand image and may face penalties and legal action.

Payroll departments must securely store sensitive information on the company’s employees including bank account details, home addresses, health care information, social security numbers, and wage information. Employees who have their data compromised face ongoing attacks by cybercriminals including re-routing of their wages and even identity theft.

In 2016, the number of reported data breaches in the private sector increased by 40 percent whilst spending on information security including hardware, software and services rose to $73.7 billion from $68.2 billion the previous year.

The cybersecurity risk is present no matter the size of your organization. In small businesses, payroll fraud is twice as common as in large organizations because, on the whole, these organizations lack the high levels of protection against cyber threats that the larger companies can afford.

Evidence suggests that most attacks are not a quick cash grab. The Association of Certified Fraud Examiners discovered that of all the types of cybercrime, payroll fraud is a particularly long-lasting, with the fraud usually spanning 30 months as criminals access bank accounts and commit identity theft.

In 2012, Chinese hackers gained access to the US Office of Personnel Management’s system, but their presence was not detected until 2014. The scope of personal data the hackers had access to is astonishing. Security clearance information which can range from every address an employee has ever lived at, every foreign country they have ever visited, family names and addresses and fingerprint data.


Global cybersecurity


One of the major problems when dealing with a breach of cybersecurity is that data is often quickly moved from one jurisdiction to another making identifying your role and your options for recovery especially challenging.

For example in the Asia Pacific, it wasn’t until 2015 that governments began setting up agencies specifically tasked with dealing with cybersecurity breaches, meanwhile countries such as the United States change their cybersecurity regulations almost yearly making it hard to keep up.

Even within the US, each state has its own cybersecurity laws. New York, for example, is particularly strict when it comes to the financial sector, with companies being fined for non-compliance. California meanwhile, has some particularly strict data privacy laws due to come into effect in 2020 that will give consumers more control on the information a company may store about them and for how long.

If you conduct business in a region other than your own, you must adhere to their cybersecurity laws. In Europe, all trading businesses regardless of their origin must adhere to the General Data Protection Regulation (GDPR), with violators facing fines of up to 20 million euros or four percent of annual revenue.

The comparable legislation in Canada is the Personal Information Protection and Electronic Documents Act of 2000. Last year, the Canadian government spent $1 billion on cybersecurity, showing how much of a priority this has become in the North American nation.

In summer 2018, the British government introduced a minimum cybersecurity standard for businesses to follow, a bar that will be raised over time. The requirements include accountability, training and guidance, stricter access control, regular updates, a focus on email and web app security and having an incident response plan in place.

In other parts of the world, businesses are not so lucky. The worst legislation for cybersecurity is considered to be in Algeria, whilst the country least prepared for cyber attacks is Vietnam. For companies doing business in these countries, it is essential to act with extra vigilance.

So what are the best ways to protect yourself, your organization and your employees from cybersecurity threats? Experts recommend the following:

Top Tips


  1. Educate employees


It is in fact employees that have proven time and again to be the weakest link. Indeed, human error accounts for 52 percent of security breaches.

As Igor Baikalov, chief scientist at Securonix Inc says, “Human error is still the largest factor behind security breaches.”

That means that there’s only so much your anti-virus and malware protection will do in the fight against cyber risk if your employees aren’t following protocol.

The most common way for cybercriminals to access payroll data nowadays is through phishing attacks. Often the first that a company will know of a security breach is when employees report their wages unpaid. An investigation then reveals those paychecks have been diverted by hackers following the theft of personal information.

In 2017, BBR Services, a specialist insurer, witnessed a migration in the way criminals were accessing employee data. Having phished for login credentials over email, they used this information to not only redirect paychecks but also file for fraudulent tax returns and apply for credit in the name of the employee using their social security number.


The best way to protect employees and your organization is to take a proactive approach.

  • Have security policies in place and invest time and money in educating your employees on how to work within them.
  • Limit access to sensitive data to employees within Human Resources and Financial Services who need the information to perform their job.
  • Conduct simulated anti-phishing campaigns to further educate staff and encourage all users to forward unusual emails to Human Resources or the IT team.


Payroll giant ADP, who manage the payroll systems of over 640,000 customers suffered a breach in 2017. It occurred when customers of the company accidentally released sensitive data relating to their ADP account. This information was then used by the hackers to create a registration at ADP and access the confidential information, tax data and salary information of the employees of several companies including the US Bank. Cyber attacks like this can be extremely costly and damaging to a business’s reputation.

It was a phishing attack which brought down the security system of RSA Security in 2011. Hackers were able to pose as people the employees trusted to infiltrate and steal company data and employee records.

The attack cost the business $66 million and untold “psychological damage” according to vice president of eIQnetworks, Inc, John Linkous.


2. Password protection


Much as employees are the first line of defense in the fight against cybersecurity threats, their passwords are their strongest weapon. Every business should demand regular password changes from all users and should educate employees on how to create strong passwords.


This is the official advice when it comes to creating infallible passwords:

  • If you have the means, use at least two-factor authentication
  • If that isn’t possible, use password managers to create long, unique and random passwords
  • If password managers aren’t available, encourage employees to devise long, simple passphrases
  • Avoid common passwords such as names, or the words ‘password’ or ‘qwerty’
  • Use a different password for every site


According to the FBI, cybercriminals are becoming increasingly skilled at what is called data stuffing. This means that through a security breach at a company they obtain employees’ usernames and passwords and then assume that these same passwords will give them access to other accounts the employee holds such as their email or online banking. This can also work the other way around: entire companies have their data security compromised because a hacker discovers the password of a personal account belonging to an employee and uses this to access their work system.


3. Employ a trustworthy payroll system


When it comes to security issues and risk management, third party organizations are better able to protect themselves and your data as this is their specialism.

Before you hand over your identifiable information, check that your chosen partner has all the software, equipment and experienced professionals on hand to manage security issues. Read testimonials and even get in touch with existing clients to be certain that your sensitive data is in safe hands.

A professional payroll company will have data protection documentation and measures in place to protect against potential weak spots.

Taxi service Uber experienced a breach of username and password credentials back in 2016 which exposed the driving license numbers of 600,000 drivers through Uber’s GitHub account. Uber should not have been storing that data on GitHub, and what’s worse, the firm didn’t go public on the story for a further year when they paid the hackers $100,000 to delete the data but received no evidence that they had complied. This breach cost Uber dearly in both reputation and money.


4. Stay up to date


Upgrades to your system may look like downtime and cost, but those updates could protect you from an attack. Often they contain fixes to vulnerabilities within the system or updates as a result of new techniques or information in the news about potential hackers.

It is also important to keep abreast of changes to your system. Set up alerts for system changes including if email forwarding has been changed, as this could be a hacker’s attempt to access personal data. Confirm any changes to payroll information over the phone with the employee to be sure that it is not a criminal re-routing paychecks.

Finally, stay on top of the system admin. Delete old data from former employees regularly in line with relevant legislation for the particular country that employee was based and review email distribution lists and access lists to make sure that only the necessary information and access are available. This will reduce your chances of becoming the victim of an attack and reduce the severity of an attack, should one occur.

In 2018, NASA suffered a cyber attack that compromised personal data of staff including social security numbers. It is believed the breach occurred in one of its servers, and employees past and present across a 12 year period were affected. This was following a series of reports suggesting that NASA’s security systems were not up to scratch.


The future of cybersecurity


Though it is true that hackers are becoming smarter and continue to get better at personal engineering to obtain sensitive data, the good news is that information technology companies are remaining one step ahead by using the latest developments to keep businesses and their sensitive data secure.

Artificial intelligence allows automated analytics to conduct continuous risk monitoring. This will identify human error and lower incident response times. The technology can learn what typical employee behavior looks like so that when anomalies arise, alerts are deployed. They can even focus on employees with the most access and privileges as this is likely to be where most attacks or breaches will occur.

Payroll data is extremely valuable and criminals are agile in their bid to get hold of it. Failure to protect yourself and your employees can result in damage to your reputation and even involve legal consequences. Take the necessary steps to defend your organization against cybercrime today.

To find out more information about how Payslip can help keep your employee data secure contact us today!


Schedule a Free Chat With Us Today!

Share This