Following the recent security breach via the UK Ministry of Defence payroll (as reported by the BBC), a new insight from The Global Payroll Association (GPA) has revealed the extent to which cybercriminals are using payroll software as a means of breaking through companies’ cybersecurity, and how businesses of all sizes can best stop the hackers in their path.
Cyberattacks are nothing new, and companies are increasingly turning to prevention rather than cure in the fight against them. The latest figures show that the UK cybersecurity software development industry is on track to surpass annual revenue of £1.1 billion in 2024. This will mark an increase of 6.3 percent versus 2023, and growth of 129 percent in the past ten years.
Payroll often exploited as the weak link by cyber criminals
The recent MoD attack is not the first time that weaknesses in payroll systems have been exploited by cybercriminals. In January 2022, the UK-based contractor accountancy firm Parasol was hacked, resulting in the theft of thousands of contractors’ personal data, including names, addresses, and bank details.
In that same month, the UK-based financial services company Brookson Group was knocked offline by a cyberattack, followed by a ransomware attack.
In December 2021, Kronos, one of the U.S.’s largest payroll and workforce management companies, endured a massive ransomware attack; another ransomware attack, in November 2021, targeted Frontier Software, a payroll and talent management software provider.
In February 2020, an email sent to the wrong person resulted in an attack on the Phoenix Pay System, leading to the theft of personal information on 66,000 Canadian federal employees.
Further attacks have also impacted employees from companies such as WH Smith, Marks & Spencer, the BBC, Boots, and Jaguar.
What to do when payroll systems are attacked
There are a number of common cybersecurity weaknesses surrounding payroll software. These include failing to use reputable payroll systems; weak authentication mechanisms; failing to conduct regular security check-ups; a lack of data encryption; and a lack of employee education about the importance of vigilant cybersecurity practices.
There are a number of essential things that should be done, including:
- Gather as much information about the breach as possible – what happened, how did it happen, and what was stolen?
- Assess the impact – consider how the breach impacts the business and its employees.
- Respond – Every business must have a planned and well-defined response should a breach occur. This includes communicating with people from HR, IT, legal, and finance, ensuring that all departments are aligned.
- Communicate – Honest and open communication is a must in the aftermath of a breach. Employees must be informed of what’s happening and given a clear point of contact should they have any questions or concerns.
- Roll out backup payroll systems – If the primary payroll system is breached, a backup needs to be implemented as soon as possible to ensure employees continue to be paid properly and on time. It might be necessary to bring the process in-house while the external provider is down.
- Legal and Compliance – The business must work to understand its legal standing and obligations in the event of a data breach, including whether the situation needs to be formally reported and to whom.
- Re-evaluate payroll service provider – Once the breach has been resolved, it’s important to question whether a new payroll provider should be appointed. Is the current provider still vulnerable, or have they worked to properly improve their security? If there are any doubts whatsoever, look for another, more reliable provider.
Commenting on these steps, Melanie Pizzey, CEO and Founder of the Global Payroll Association, tells Digital Journal: “Cybersecurity investment in the UK is going up and up and it’s essential that it does so because the threat from cyber criminals is constant, as demonstrated by the recent MoD breach. But not all businesses will be as on top of their digital security as others, and we would strongly encourage organisations of all sizes to evaluate their security measures and ensure they’ve got the best possible protection.”
She adds: “This includes taking a very close look at your payroll service provider because, as we have seen, hackers have identified this as a potential weak spot to exploit to devastating effect for businesses and their employees. Payroll providers are caring for important and often sensitive data about your employees, so you should take real care in choosing a provider that can give that data the protection it deserves.”