Payroll is one of the essential activities of your city operations. Without paying your city employees like clockwork and carefully following all regulations, your city may run into staff retention, financial, and even legal trouble.
That’s why threats to payroll need to be taken seriously. And there are more technology-related threats than ever—from cyber criminals to internal issues with data processing. Let’s look at a few of these threats and how IT can help you combat them.
A few months ago, our Director of Finance and Human Resources received an email from “me.” (Note that this was not the first of its kind.) Take a close look and see if anything appears suspicious.
From: Nathan Eisner <firstname.lastname@example.org>
Sent: Tuesday, October 02, 2018 10:57 AM
To: [OMITTED FOR EXAMPLE]
Subject: Direct Deposit Info Update
I changed my bank and i ll like to change my paycheck dd details, can the change be effective for the current pay date?
If you glance at it quickly, the email almost looks legit. But there are two glaring red flags:
1. The FROM email address is clearly not a company address (and specifically not my work email address).
2. The grammar is slightly off, and the request is unusually blunt, with no helpful context.
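The two red flags above can be checked mechanically before a message reaches a payroll clerk. The following is an added example, not code from the original post: it parses a constructed copy of the spoofed message (the real sender address was omitted, so a placeholder external address is used) and flags an external sender domain, a display name that matches a known employee but not that employee's address, and a payroll or banking change request from outside. The internal domain and the staff list are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the post's spoofed message; the external
# address is a placeholder, not the real sender.
SPOOFED_EMAIL = """\
From: Nathan Eisner <nathan.eisner@mail.example.org>
To: finance@city.example.gov
Subject: Direct Deposit Info Update

I changed my bank and i ll like to change my paycheck dd details, can the change be effective for the current pay date?
"""
# Constructed legitimate message from the real internal address.
LEGIT_EMAIL = """\
From: Nathan Eisner <nathan.eisner@city.example.gov>
To: finance@city.example.gov
Subject: Agenda for Thursday

Please see the attached agenda for the budget meeting.
"""

INTERNAL_DOMAINS = {"city.example.gov"}  # assumed city domain(s)
# Assumed directory: display name -> the address that name should come from.
KNOWN_STAFF = {"nathan eisner": "nathan.eisner@city.example.gov"}
PAYROLL_KEYWORDS = re.compile(r"\b(direct deposit|dd details|paycheck|bank)\b", re.I)

def red_flags(raw_message):
    """Return a list of red-flag descriptions; an empty list means none found."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    external = domain not in INTERNAL_DOMAINS
    if external:
        flags.append(f"sender domain {domain!r} is not an internal domain")
    expected = KNOWN_STAFF.get(display_name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"display name {display_name!r} is a known employee, "
                     f"but {addr!r} is not that employee's address")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    if external and PAYROLL_KEYWORDS.search(text):
        flags.append("external sender is requesting a payroll/banking change")
    return flags
```

A mail gateway rule or a finance-inbox add-in can route any message with a non-empty result for manual verification over a known phone number rather than by replying.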
Unfortunately, these kinds of emails often trick employees at organizations. KnowBe4 talked about a recent case at Wichita State University in Kansas: “Three employees of [Wichita State University] fell prey to a common phishing scam asking for their credentials, giving cybercriminals access to change banking details. We’ve said it time and time again: the bad guys do their homework. In the case of the attack on WSU employees, cybercriminals spoofed the university’s payroll system and sent emails to employees tricking them into providing their university ID and password. That was all the attackers needed to gain full control to the employee’s profile, personal data, and most importantly – banking information.”
We suggest reading our phishing tips, reviewing some of the FBI’s phishing tips about payroll scams, and continually training your payroll and finance department employees about how to spot phishing attacks.
Not having defenses or preparation against ransomware can affect your payroll. Madison County, Idaho experienced such a situation in October 2018. The Rexburg Standard Journal said, “The hacker demanded money to restore files and access, but Madison County officials declined to pay. Instead, officials turned to their IT specialists to fix the problem. […] IT workers succeeded in restoring the county’s pay system, which allowed for county workers to be paid, reported Madison County Clerk Kim Muir. ‘They got the payroll system back up. Otherwise we’d be cutting paper checks, and we don’t want to do that,’ she said.”
Despite the optimistic tone of this article, consider that the ransomware took down the county’s payroll system for more than four days. What if the Tuesday of that week was payday?
Is your payroll system ready for a ransomware attack? We suggest reading our 2018 blog post, “Ransomware Cripples City for Weeks—and What We Can Learn,” to find out.
3. Hacking through security vulnerabilities
Hackers take advantage of unpatched, vulnerable software to break into servers and extract information such as payroll data. Sometimes, vendors (especially those with outdated or poorly managed software) do not proactively keep up with the software patching you need (as seen in the example of Click2Gov last year). Other times, cities fail to keep up with patching themselves—leaving financial systems exposed.
We recommend reading “Why Is Patching a Problem? Reasons Behind Resisting a Surefire Cybersecurity Best Practice.” If you address the root causes of why you don’t proactively patch your software, then you will make your payroll systems more secure.
4. Risk of permanent data loss
What if your payroll software experiences a server failure? What if a natural disaster occurs and wipes out your servers? Can you recover your payroll data in hours or days?
As part of your disaster recovery plan, make sure you can recover important data such as payroll data sooner than less critical data. Also work with your IT staff or vendor to make sure your payroll data is fully, not partially, recoverable (which you can confirm by regularly testing your data backups).
5. User access and authorization
Who can access your payroll software? Who is authorized to access specific information? Does everyone in the finance department have “admin” (or full) access?
Thinking through your user access and authorization policies can help you lessen the risk of incidents that expose data. This includes third-party access to your applications. Do vendor employees have access to sensitive payroll data for no clear reason? Do contractors unnecessarily have access to sensitive data? Your IT staff or vendor can help you perform an audit of who can access your payroll software and what they can see. Then, you can create policies that more clearly define who has access to what information.
6. Data processing and integrity
Sloppy, weak, or error-prone data processing and integrity controls don’t serve you well. A few tips include:
- Ensure that you have reliable transaction logs: In a previous blog post, we noted, “These logs record all electronic information about transactions that take place within an application. For example, you may enter payroll information each week into your accounting application for each employee. Each completed set of data that you input for each employee counts as a transaction if the data is processed between, for example, your system and a bank. Transaction logs must match what are known as ‘source documents.’ For example, payroll information may originate from a timesheet (either on paper or sent electronically). If the timesheet and the paycheck don’t match, then there may be a transaction error. Experiencing many transaction errors may indicate a problem with your application or with the way your employees are using it.”
- Set up proper controls and processes: The right controls and processes help prevent data input errors or fraud—such as an employee changing payroll data or deleting payment records.
- Put field edit checks in place to reduce errors: You can require that employees fill in certain fields, autocorrect information, and auto-populate fields.
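The “transaction logs must match source documents” rule and the field edit checks above can be run as one automated control. The following is an added example, not code from the original post: it validates constructed timesheet records (the source documents) for required and numeric fields, computes the expected gross pay, and reconciles it against a constructed payroll transaction log, reporting invalid timesheets, amounts that don’t match, payments with no source document, and timesheets that were never paid. The record layout and the hours-times-rate formula are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data (not from the post). Timesheets are the source
# documents; the transaction log is what the payroll application recorded.
TIMESHEETS = [
    {"employee_id": "E100", "period": "2019-03-01", "hours": "40.0", "rate": "25.00"},
    {"employee_id": "E101", "period": "2019-03-01", "hours": "32.5", "rate": "30.00"},
    {"employee_id": "E102", "period": "2019-03-01", "hours": "", "rate": "22.00"},  # hours missing
]
TRANSACTION_LOG = [
    {"employee_id": "E100", "period": "2019-03-01", "gross": "1000.00"},
    {"employee_id": "E101", "period": "2019-03-01", "gross": "1075.00"},  # expected 975.00
    {"employee_id": "E103", "period": "2019-03-01", "gross": "500.00"},   # no timesheet
]
REQUIRED = ("employee_id", "period", "hours", "rate")

def field_edit_check(sheet):
    """Return the names of required fields that are missing or not numeric."""
    bad = [f for f in REQUIRED if not str(sheet.get(f, "")).strip()]
    for f in ("hours", "rate"):
        if f not in bad:
            try:
                Decimal(sheet[f])
            except InvalidOperation:
                bad.append(f)
    return bad

def reconcile(timesheets, log):
    """Compare source documents with the transaction log; return (kind, key, detail) errors."""
    errors, expected = [], {}
    for sheet in timesheets:
        key = (sheet.get("employee_id"), sheet.get("period"))
        bad = field_edit_check(sheet)
        if bad:
            errors.append(("invalid_timesheet", key, bad))
            continue  # an invalid source document cannot be reconciled
        expected[key] = Decimal(sheet["hours"]) * Decimal(sheet["rate"])
    seen = set()
    for entry in log:
        key = (entry["employee_id"], entry["period"])
        seen.add(key)
        if key not in expected:
            errors.append(("no_source_document", key, entry["gross"]))
        elif Decimal(entry["gross"]) != expected[key]:
            errors.append(("amount_mismatch", key, entry["gross"]))
    for key in sorted(expected.keys() - seen):
        errors.append(("not_paid", key, str(expected[key])))
    return errors
```

Run reconcile(TIMESHEETS, TRANSACTION_LOG) after each pay run; a rising count of any error kind is the signal the post describes for an application or user-process problem.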
7. Software best practices
Your payroll system, beyond patching, is affected by software quality. Make sure you:
- Use updated operating systems: Unsupported operating systems (like Windows XP) open your payroll software up to cyberattacks. Windows 7 will be unsupported as of January 14, 2020, and your payroll software is at risk if you are running it on this soon-to-be-outdated operating system.
- Run your payroll software on a server or servers (preferably in the cloud): Some cities run important software like payroll software on a single PC. There are so many reasons why this is a bad idea, from data backup uncertainty to lack of cybersecurity oversight. Run your software on servers or, better yet, through the cloud so that you don’t have to maintain hardware onsite.
- Use modern software: Using old, outdated software opens your city up to many security risks such as ransomware, viruses, unauthorized access, and permanent data loss. You also risk your payroll software freezing, slowing down, and crashing. Don’t skimp on your payroll software.
Worried about risks to your payroll software? Reach out to us today.
Original Date: 3/13/2019