The threat of payroll stoppage or major disruption caused by hackers has never been more pronounced or more significant. Data breaches through third parties have become a major concern and, since the pandemic began, increased remote work also appears to be contributing to further incidents. And, to top it off, thanks to more rigid privacy requirements, employers continue to discover that their manner of collecting and using employee information may itself give rise to institutionalized breaches, with all the associated liability.
Will this never go away?
It is understood that the payroll profession is at a turning point due to the rise of increasingly sophisticated systems that can now handle many payroll activities. With these newer applications, those in payroll are leaned on to manage and analyze the wealth of data coming out of the function more effectively.
But payroll professionals cannot rely solely on these programs themselves to protect against the likelihood of a breach. There is no magic pill. Payroll must more directly join the fight against enhanced data security threats and better understand what to do should an incident occur.
Joining the fight means consistently knowing the trends of data breaches, understanding their severity and, most importantly, appropriately preparing to respond to these compromises.
Exposure to Incidents Measured
For trends, the level of data insecurity remains high. Some 75% of recently-surveyed operational technology organizations indicated they had at least one intrusion so far in 2023, according to Fortinet’s 2023 State of Operational Technology and Cybersecurity Report. Fortinet is a California-based developer of security solutions like firewalls, endpoint security and intrusion detection systems.
“Intrusions from malware (56%) and phishing (49%) were once again the most common type of incidents reported, and nearly one-third of respondents reported being victims of a ransomware attack in the last year (32%, unchanged from 2022),” the Fortinet report said.
One enhanced threat vector to pay attention to is associated with the increase in remote work. This is also documented by Fortinet. Out of 570 respondents from operational technology organizations, 62% said they experienced a security breach during the past two to three years that could be at least partially attributed to an employee working remotely, the report on the study said.
Attacks through remote workers may be more successful because employees in a comfortable, home setting may not be watching with the same level of diligence as in an office setting, according to Dan Burke, senior vice president and cyber practice leader at Woodruff Sawyer, which insures businesses for cybercrime and data breaches, among other things.
Categorizing Data Compromises
Preventing any breach is the goal but it is “inevitable” that organizations with sensitive data will suffer one level of breach or another, according to CrowdStrike. The global cybersecurity leader provides cloud-delivered protection of endpoints, cloud workloads, identity and data.
An employer’s incident response plan, also called a data breach response plan, is the cyber version of the general disaster response and business continuity plan that payroll professionals know and embrace. Like a response needed for a fire or flood, a cyber incident response plan should categorize the types of breaches by severity and effect on operations and then lay out processes for remediation.
Unfortunately, many people in payroll do not know about their organization’s data breach response plan.
Under these plans, severity levels of a data breach range from hardly impacting operations at all to complete shutdown. While there are consistencies across plans, the specific designation and labelling of a particular event will vary from company to company. It is important that payroll professionals understand some general levels of severity and then consult the plan for specifics.
A low-level incident, in general, may involve the inappropriate disclosure or transmission of certain company data to someone outside the company, or the uncovering of a poor practice or process that could lead to exposure. The simple disclosure of an internal hostname, for example, may qualify as a low-level incident. These are isolated and should have no or little impact on internal operations—the outside world does not need to know.
A step up from “low” may still be limited to internal remediation only, but can impact operations when, for example, unwanted or unapproved software is installed or potential viruses and malware are discovered and removed promptly. A lost or stolen mobile phone, with appropriate company security installed, can also be an example of a mid-level incident. These drain IT resources but, even internally, many may never know these incidents were discovered and handled.
Falling into a higher severity are compromises that involve a brief interruption of services (this includes customer-facing services as well as payroll programs). A successful targeted phishing attack, for example, can result in downtime for a program and additional costs to remediate by either restoring the system or relying on backups. In some of these cases, there may be media exposure and, if payroll systems are involved, there is a significant negative impact on employees by any pay delay, discrepancy, or private data exposure.
Still higher are critical incidents that shut down operations for prolonged periods. For a payroll issue, the trust employees have in the employer’s ability to pay suffers. There are significant costs to remediate and additional liabilities to report to governmental authorities about the timing and scope of the breach. The negative public relations fallout from such a significant occurrence also needs to be considered. Additional liabilities can arise long after the incident has been remediated.
A prime example of this critical type of incident occurred near the end of 2021 when a major provider of payroll services in the U.S. addressed a ransomware attack on a particular program by completely shutting services for that program down.
It took many client-employers months to recover from this incident, as they had no significant backup plan to perform the impacted function – in this case, timekeeping – effectively. And the fallout continues to this day, as employers have been sued by employees for failing to pay correctly during the downtime. The service provider is also settling claims to resolve harm done during the outage.
Managing the Risk and Threat
A severe third-party breach can be a show-stopper as much as an internal breach. However, it is important to understand that from a cybersecurity perspective, there are advantages to using a third-party provider, according to Woodruff Sawyer’s Burke. Third parties apply a lot of resources to minimize threats, resources average employers may not be able to leverage on their own.
For employers, the risk in using third parties needs to be weighed against the ability of the organization and the third party to address threats, he said.
He recommends the employer pay close attention to the cybersecurity clauses in the contract, as “that contract between you and third party is the first line of defense,” should an incident occur. It defines the expected response and outlines the liabilities of each party.
As for responding to a breach incident, Burke said the company’s incident response plan outlines who is involved and what is going to happen when an event occurs, such as how to escalate an issue and to whom. That plan should include legal services as well as cyber forensic tools and resources.
Programs need to be backed up, and in dealing with third-party providers, employers should find out what the normal backup is for the vendor and determine the need to back up internally, Burke said.
Structuring Data Enables Response
Privacy laws grant consumers and employees rights to data on them collected by employers. This is another vector for data security liability that employers must be diligent in addressing and is forcing employers to become more intentional with the data they collect and use.
According to Burke, a key part of ensuring compliance is mapping the data employers hold. What is the data? Where is it, and how is it stored? “It’s a huge operational exercise,” Burke said, but it is needed not only to ensure adherence to privacy requirements but also, in general, should incidents occur. This exercise can aid in determining how and where the data should be backed up.
And incident response plans, like disaster response plans, need to be tested, Burke said.
Separately, there are reports of some employers that suffered from the late 2021 ransomware breach considering expanding their internal backup capabilities in case a similar event occurs in the future, which is another large and costly endeavor.
Breach Remediation Tactics
When a breach occurs, payroll professionals should not be surprised if systems are not immediately disconnected or shut down. A ransomware attack generally is a forced stoppage, but when other severe attacks are discovered “the natural reaction of wanting to swiftly disconnect all affected systems can be counterproductive in the long term,” according to CrowdStrike.
Why? In its white paper “You’ve Been Breached—Now What?”, CrowdStrike said that preserving the system logs, and not letting on that the breach has been discovered, can be advantageous in the long run.
Effective, secure internal communications about the issue should be arranged and set up, likely under the breach response plan. “If there is reason to believe internal network communications may be compromised, out-of-band communication and collaboration channels should be established,” according to CrowdStrike.
An incident response company will probably be involved if the severity level is high enough. This firm, coupled with internal resources, will help define the scope of the breach and the damage done, investigate the entry point(s) and coordinate remediation so the attacker is not only removed from the environment but also prevented from re-entering another way.
No, this payroll issue is not going to be programmed away, but improved technology and planning will help mitigate the fallout from a breach incident. Payroll professionals need to be involved in these plans.
And, in closing, one last piece of guidance from Woodruff Sawyer’s Burke: Storing the incident response plan solely on company servers could mean no one can refer to the plan when a breach or attack shuts down access.
“Print out the incident response plan,” he said.
A special three-part LinkedIn Live series that connects the most recent data security headlines to payroll kicks off on 28th June. Join Safeguard Global's Chief Product Officer, Tristan Woods, and former Bloomberg BNA Managing Editor Michael Baer for “Surviving a Cyberattack: what to do if your employer or payroll provider is hacked” at 3 pm BST/10 am ET. Sign up to attend here.
Author: Michael Baer
Michael Baer is a trusted thought leader and innovative global information services developer. His most recent role was as a special advisor with DailyPay and, prior to that, he was managing editor overseeing domestic and international payroll news and analysis with Bloomberg Tax, previously BNA. Michael gained experience in payroll and human resources with Marriott and was later the personnel manager for the Shanghai Hilton.