Is your head in the cloud when it comes to cyber security?

  • March 2022

Part of the legacy of the pandemic is that more people are working on cloud-based systems remotely, meaning security of payroll-related data is more important than ever. So, how can the risks be mitigated, and what practices can and should be applied to ways of working going forward? Jerome Smail, business journalist, addresses this with a panel of experts


Contributing to today’s discussion are:

Jason Davenport MCIPP MIoD, non-executive director, CIPP

Lesley Holmes, data protection officer, MHR International

Glyn King, group managing director, Datagraphic

Will North, chief security officer, MHR International.

 

How should a payroll department review its security protocols?

Jason Davenport: The general data protection regulations (GDPR) brought many challenges for businesses. Hopefully, it brought with it a fresh opportunity to review:

  • what data is held

  • where it’s held

  • why it’s held

  • how long it’s held for

  • who can access it.

All access to data will be subject to a control protocol that should be regularly reviewed and, where necessary, changed.

Roles and responsibilities should be clearly defined – who is expected to have what level of access to areas of systems should be understood across the team. Non-disclosure agreements should also form a key part of contractual documentation, so members of staff with access to personal data are clear on the limitations of use.

If data is passed to a third party to handle, are protocols in place for how that’s provisioned and is it subject to regular review? It should be.

Glyn King: Begin reviewing security protocols by speaking to your organisation’s chief information security officer (CISO) or those responsible for information security governance. They’ll hold information security risk assessments for payroll that you can start to review.

A review considers the processes involved in collecting, storing, using, sharing and disposing of personal data, the level(s) of data confidentiality, the risks of a security breach and the procedures for implementation and governance.

These reviews often consider several things:

  • how staff manage data

  • the information security awareness training they receive

  • what record systems you have

  • how you manage data security.

One outcome may be identifying employee data subsets being held in many locations. This data could be more vulnerable to cyber-crime, inaccuracies, or may be kept for longer than necessary.

You can then start to design appropriate security measures addressing any changes or gaps identified. Working with your CISO, ensure controls reduce and mitigate risks to the confidentiality, integrity and availability of any information stored, processed and transmitted.

Ensure you have a multi-layered approach to information security that doesn’t rely solely on one system or solution to keep your data safe and don’t just consider technical measures. Human factors are at the centre of all information security incidents. Technology alone isn’t a threat; it’s how it’s used and manipulated that presents the threat.

Will North: The best place to start with security is understanding what data you have, where it is and its importance. With payroll data containing a myriad of personal data, such as bank account and salary details, securing it should be a top priority for all organisations.

Payroll departments should identify the locations payroll data is stored in – including fileservers, internal applications and cloud systems – and check sufficient controls are in place to mitigate the highest risks. As payroll data defines how much people get paid, compromising the security of this data is highly attractive to cyber-criminals, meaning risks are significant.

The first area of focus should be cloud-based human resource (HR) systems, where staff can update their bank account details. If staff fall for phishing emails and divulge their passwords, a malicious actor can log in to their account and change their bank account details. This is one of the most common types of successful cyber-attacks on payroll data. The best way to stop this is to ensure the cloud-based HR system uses multi-factor authentication (MFA). This makes a password alone less useful to a hacker. In addition, organisations should use behaviour analytics to baseline normal user behaviour to alert when a malicious actor logs in from an abnormal location or at an unusual time.

Payroll departments should ensure that payroll data in applications can’t be modified without authorisation, including:

  • only allowing access on a need-to-know basis

  • implementing segregation of duties so critical transactions need secondary approval

  • using software to monitor and alert on unusual access to data.

The security of payment files in transit between the payroll system (e.g. BACS) and the payment system should be a key area of focus. Someone with access to modify these payment files could change bank account details without authorisation and have salaries diverted to their own accounts. This risk should be controlled by limiting access to a minimum and having alerts in place if anyone opens or modifies these files.

 

As companies are more comfortable with cloud-based storage systems, what additional security measures should be enacted to ensure a safer environment for data?

JD: If the systems are cloud-based, knowing security policies to protect that data is essential. Knowing how frequently the systems are tested for all types of cyber-attacks is also important. Those responsible for the technical architecture of the systems need to be clear on the type of data housed within payroll, which, if compromised, could easily evolve into a personal breach of data.

GK: The rapid growth of hybrid working has accelerated cloud-based solution use. In payroll, if you’re transmitting employee data to e-payslip, pension or reward platforms, you’ll likely be using cloud-based solutions.

You need to be confident any cloud-based solution is a safe environment for your data. To help with that assessment, ask your cloud software provider for their answers to the 14 cloud security principles set out by the UK government’s National Cyber Security Centre (NSCS). The NSCS publishes these principles for the public sector and enterprise cloud service buyers, but the guidance is useful for anyone. Information on the NSCS website on steps to identify cloud services that are suitably secure for your needs is also worth a review: http://ow.ly/u4Tp30se6LO.

To boost cloud-based software security at an operational level, you could enable MFA on high-risk accounts. MFA provides an extra layer of protection by using a secondary level of user authentication. This could be appropriate for an administrator account for a cloud-based service, like your e-payslip portal, for example.

 

How can businesses implement certain security controls for individuals working from home without compromising the trust of their employees?

JD: This is about building on a trusted relationship. Many of us will remember one of the key principles of managing access to data is via screen management. When away from your desk, lock your screen, so the system cannot be tampered with. This principle extends to the home, especially where it is shared by multiple users. You need to consider what printed materials are visible. As with a work environment, impose a clear desk policy on your workspace, so at the end of the working day, all items are stored properly. Any items to be thrown away should be shredded.

Lesley Holmes: Businesses should ensure staff are aware of their responsibilities to protect data and privacy and reduce the opportunity for fraud. Businesses can use monitoring, data loss prevention and access controls to reduce this risk if they’re proportionate, and employees are made aware. Fraud can take many forms and checks on financial transactions including changes to bank accounts can work to deter this activity.

Any monitoring and surveillance undertaken must be proportionate to the risk and communicated clearly so trust is maintained, otherwise a culture of fear can arise, which can leave staff feeling untrusted.

WN: Organisations shouldn’t be complacent, as aside from the many benefits of the cloud, there are different risks to data security which must be managed properly, or they’ll end up resulting in a security incident. These different risks are easy to manage, so organisations can realise the benefits of the cloud without compromising data security.

A common type of cyber-attack is phishing for user passwords. I’d be surprised if any organisation hasn’t been affected by this recently. It’s imperative that you know that the person using your cloud system is really them. As cloud systems aren’t only accessible to internal staff, if a malicious external actor obtains a user’s password, they’ll probably be able to access the system if additional security measures aren’t in place. This makes MFA such an important and valuable additional security measure for cloud systems. This usually involves a code being sent as a text to a mobile phone, which must be entered along with a username and password. This means if a user’s password is compromised via a phishing email, the attacker won’t be able to login and data is safe.

The Information Commissioner’s Office (ICO) recommends that MFA is used wherever possible and, most importantly, where the personal data is of a sensitive nature. This would certainly be true for payroll data. The government-backed cyber essentials scheme is making MFA mandatory for all cloud services from January 2023 for all participating organisations.

As staff at the cloud service provider maintain the underlying infrastructure, they’ll have access to your data in some form. Encryption can be a useful additional security measure to provide extra protection over the most sensitive types of data. If data on the cloud service is encrypted, even if someone at the cloud service provider has access, it won’t be readable and will remain secure. Cloud service providers appreciate the importance of this for customers and are offering ‘bring your own key’ encryption services, where the customer holds the encryption key and has full control over their own data.

Effective security due diligence on the cloud service provider is important. Ensure the security processes the cloud service provider is now responsible for, rather than your in-house IT team, are operated as, or more, securely than your own processes. Check if the cloud service provider has industry recognised security certifications, such as ISO 27001. However, there’s no better way to gain assurance than a physical, on-site audit of the supplier to check and see all this for yourself.

GK: The best approaches have strong information security measures and controls.

These include:

  • an asset inventory detailing office or home-based equipment and systems used to store or process personal data

  • access controls with user-level accountability and appropriate privileges

  • system-level password security policies, with strong passwords

  • regular information security training for all staff.

  • These controls and measures should be regularly reviewed, ideally by independent cyber-crime experts.

 

What protocol should be followed where there’s a breach of personal data?

JD: Information and context is key. Quickly engage with those affected. Evaluate who all the key stakeholders are and have a plan to meet them to address and review the situation until all actions have been completed. Have a communication plan alongside this.

It’s important to provide key information to those affected. Be clear on what each party is expected to do, or not do. Doing this builds confidence to support the situation. If you’re unclear, or hesitant in your communications, this may reduce trust or create unnecessary concern and anxiety.

LH: Every organisation should have a basic procedure for the reporting and management of personal data. This should clearly set out who to notify and what initial mitigation steps can be taken. Start a documented evidence trail for the incident and inform the necessary stakeholders of the event.

GK: If you have a data breach, you need to respond quickly and decisively. The last thing you need at that moment is to be learning what steps to take.

Make time now to consider how you’d react to a data breach. The ICO website has guidance for the UK. Perform exercises involving all key stakeholders in data privacy impact assessments. Based on these activities, controls and procedures can be implemented to reduce and mitigate the impact, should a breach occur. 


Is your head in the cloud when it comes to cyber security?

March 2022