Cyber security factsheet

Plan and protect:

  • Consider what data is held, where and why, as well as who can access it and how long it is stored for.
  • Don’t store data for longer than it is needed. Check your retention policy and procedures, and implement strong access controls, such as role-based permissions and a process for employees changing roles or leaving the organisation. Make sure that data is regularly backed up in a location separate from the main system and data location.

Business Continuity Plan (BCP)
Make sure you have a plan in place, that it is regularly tested (simulations and penetration testing) and that everyone involved knows how to respond and what to do in the event of an incident.

Audit your supply chain
The software providers who supported the CIPP’s roundtable on cyber security commented on how ‘great it is when a customer asks about our security’. A good provider will welcome the conversation and share processes and procedures with you to keep your payroll data secure.

Training 
Conduct regular cyber security awareness training and educate the payroll team about common threats and best practice. 


Crisis management: 

  • Put your BCP into action.
  • Identify the problem and isolate it quickly.

Communicate and manage expectations
Inbound communications are the hardest to manage, so consider your communication strategy: who do you tell, and at which point? Make sure that you have detailed FAQs. Speak to your legal team, or seek legal representation, before you publish anything.


Evaluation: 

  • Identify what went well and what could have been improved.
  • Involve key stakeholders and evaluate how things went as soon as possible after the event, whilst it is fresh in your mind.

Update your BCP 
Use the evaluation to update your BCP to improve it for the future. Ensure that this is a collaborative process and changes are communicated and understood.