Payroll Security: 9 Standards and Tips to Protect Employee Data

Too many companies make the mistake of believing that they’re immune to cyberattacks. More than half of small businesses think they’re too small to be the target of a cyberattack. But cybercrime is more prominent than ever, especially as more companies transition to cloud-based storage applications. The truth is:

• Cybercrime in the US costs small businesses over $2.7 billion
• The Identity Theft Research Center reported 1,862 data breaches in the US in 2021, compromising 294 million people

If one hacker gains access to an unprotected payroll system, then they can harvest your employees’ bank account information, address, social security number, and more with a few clicks. You owe it to your employees to maintain confidentiality, plus not taking steps to protect sensitive data can get your business penalized for non-compliance with privacy laws. 

9 tips to improve your payroll security

Payroll security involves going beyond a basic spreadsheet to track employee information. Larger companies have dedicated cybersecurity teams, but that isn’t an option for every business. Here are 9 tips a small business owner handling payroll and taxes can use to protect payroll-related data.

1. Train your employees on potential scams

Most of your employees will only have access to a limited interface instead of all of the sensitive data stored in your payroll system. But employees are a common target for scams and phishing schemes aimed to procure sensitive information.

Cybercriminals will send out text messages or emails to people to see if they can trick someone into passing along their login credentials for a platform. In some cases, these messages will use the company’s logo and the name of the CEO to earn the employee’s trust. 

Quick tips you can share to kick off employee training include:

• Double check the email address is accurate (and not a slight misspelling)
• Watch out for messages with a generic greeting such as “Hi Dear” or “Valued Customer”
• Keep an eye on misspellings and broken english
• Confirm suspicious messages on a second channel

If you want to learn more about recognizing scams, review the Federal Trade Commission’s (FTC’s) list of common scams that target small businesses.

2. Limit payroll access only to those who need it

Limit the number of people who can get into your payroll system, whether your payroll manager is the business owner or someone in human resources. As part of your company’s payroll best practices, anyone who has access to the payroll system should go through rigorous training to ensure the highest level of security. 

Your payroll system might have a security training program, but you can craft your own payroll security training module if they don’t. Be sure that your training includes the specific steps each person needs to take to protect company data and employee records. Depending on the size of your payroll team, you may want to have training sessions each year or whenever your system publishes a major update.

3. Implement cybersecurity basics

Payroll security should be a part of your overall cybersecurity initiatives. The stronger your defences are for every aspect of your online presence, the less of a chance you’ll experience any kind of cyberattack.

• Use strong passwords to protect sensitive data (especially since weak or reused passwords cause 80% of data breaches)
• Use a firewall to protect your online databases and systems
• Only give data access to employees who need it
• Use an automated clearing house (ACH) filter to prevent unauthorized people from accessing your business’s bank account
• Encourage your employees to opt for direct deposit rather instead of paper checks since checks are more vulnerable to fraud

Learn more about bolstering your businesses' cybersecurity practices.

4. Protect payroll information from on-premise threats

While cyberattacks are more common, there’s still the chance of a hacker accessing your software on-site. Even if you’re working remotely and decide to spend the day in a coffee shop, leaving your computer open while you order a drink or use the restroom can attract a criminal.

Ways to protect yourself from on-premise threats include:

• Conduct background checks for all new employees
• Log out of your computer when you’re away from your desk
• Lock the doors to your office when you’re out
• Keep printed documents locked in a filing cabinet when you’re not using them
• Position your desk so it’s facing away from doors or windows

5. Require strong, updated passwords

Cue the groans and eye-rolls–nobody likes to use a hundred complex passwords. But passwords are a significant vulnerability. As we said earlier, weak and overused passwords cause about 80% of all security breaches. 

Switching up login credentials every one to three months can help prevent a data leak, especially if your employees prefer using the same password for every online account. We recommend your employees change their password every month if they have access to the complete payroll interface. They can change less frequently if they have limited access. 

Encourage employees to use strong passwords, too. A strong password consists of uppercase letters, lowercase letters, numbers, and special characters. Use biometric security measures (like fingerprint scans) on whichever devices have them. 

If it’s possible, have your employees set up multi-factor authentication for their accounts. Multi-factor authentication usually means that after they enter their password, they also have to click a push notification or type in a code sent to their phone or email to verify their identity.

And never, ever write passwords on a sticky note kept near the computer.

6. Separate payroll duties

When one person handles the entire payroll process, companies are more vulnerable to security issues and data leaks. 

From an internal perspective, it’s less likely that someone will alter or steal sensitive information if they know someone else reviewing their work. From an external standpoint, having all of the information and access in one account makes it too easy for a hacker to wreak havoc on your business if they can compromise it.

An example of separating payroll duties includes having one human resources employee manage time cards, another handling payroll, and a third person issuing pay stubs. If you’re a one-person payroll department, you may choose to create separate accounts for different parts of the process.

7. Be cautious of what you print on checks

If you have some employees who still want to receive paper checks instead of direct deposit, it’s best to limit how much employee information is included on the paper check. Divulging excess employee information on checks exposes your business and makes you more susceptible to phishing or social engineering scams.

Do what you can to eliminate your employee’s addresses, social security numbers, and ID numbers on checks. If possible, only put their name since that’s all they’ll need to deposit it. If you have a third-party vendor printing your checks, talk to them about keeping sensitive information to a minimum.

8. Remove old data quickly

Once someone leaves your company, deactivate their login credentials as quickly as possible. Ghost accounts leave your company’s information vulnerable to cyberattacks because those accounts will have stale passwords and nobody's oversight to make sure information doesn’t change. 

The US government requires you to keep employee data on file for an entire year after they leave the company and maintain their payroll information for three years. After three years, it’s best to get rid of old employee data. 

Check out our guide on how long to keep payroll records to learn more.

9. Outsource your payroll process

As a business owner, you’ve likely got a thousand things on your plate. It’s easy to let things like payroll security fall to the wayside when trying to keep many balls up in the air. At the same time, if you’re a small business, you might not have room in the budget for a full-time HR or payroll team that can stay on top of payroll security around the clock. 

Third-party payroll providers use payroll software with top-tier security measures already in place. A third-party payroll provider can give you the expertise you need to keep sensitive data secure while focusing on other aspects of your business. Outsourcing your payroll opens the door to affordable enterprise-level security standards to protect employee and company data.

Payroll security standards to look for in payroll providers

There are plenty of payroll providers out on the market. Pick one that offers fair pricing without sacrificing features to keep your company’s information secure.

Built-in compliance

The last thing you want to worry about is ensuring that your system is compliant with the plethora of data security laws. If you have employees in multiple countries, choose a provider that has the expertise to keep your international payroll processing in line with local, regional, and federal laws. 

For example, if your company is based out of the US but has employees working in Europe, you must be compliant with the European Union’s General Data Protection Regulation (GDPR). The GDPR is one of the strictest sets of data laws in the world, and one of their requirements for companies includes signing a Data Processing Agreement (DPA). If you use a third-party payroll provider and have employees abroad, you’ll need to sign a DPA.

ISO certification

Look for systems built on the ISO 27001 framework for the highest level of security. ISO 27001 (or ISO/IEC 27001:2013) is an international standard for maintaining the security of information assets. The framework was first published in 2013 and offers a management system for implementing an information security management system (ISMS) to guarantee integrity, confidentiality, and accessibility of all corporate data.

SOC compliance

The American Institute of CPAs (AICPA) published a series of reports called the “System and Organization Controls” (SOC). These reports verify an audit of security controls for key attack surfaces. The SOC suite consists of:

• SOC 1: SOC for Service Organizations: ICFR
• SOC 2: SOC for Service Organizations: Trust Services Criteria
• SOC 3: SOC for Service Organizations: Trust Services Criteria for General Use Report
• SOC for Cybersecurity
• SOC for Supply Chain

SOC reports are commonly used by financially-driven companies, so you want to make sure that your payroll provider is SOC compliant. SOC 2 reports are the most common for security and data confidentiality certification. But all SOC requirements are founded on the five “Trust Service” criteria: privacy, confidentiality, security, processing integrity, and availability.

Easy access control

The best payroll systems allow you to easily set different view permissions for the people in your company. Remember, a top security practice is to make sure only a few people can view or interact with sensitive data. Platforms with easy access control make it significantly easier for you to keep the number of people who can see sensitive data to a minimum.

Cloud security and backup servers

Payroll providers usually store data securely on the cloud and have redundant servers to back up your data, if there’s a breach or data gets lost or otherwise corrupted. These data centers protect your data in the event of an emergency so you don’t have to worry about losing essential files. 

Data encryption

Any payroll provider that doesn’t utilize data encryption is not worth your money and will not pass payroll audits. In cybersecurity, data encryption means converting data from a readable format into an encoded format. The encrypted information can then only be read or processed after it’s been decrypted by someone who has the ability and permission to decode it with the encryption cipher or algorithm.

Data encryption is one of the simplest but most effective methods of ensuring that the information stored on a computer isn’t compromised. If a hacker gets ahold of encrypted data, they can’t do anything with it unless they also have the cipher or algorithm. 

Training

Any system you adopt for automated payroll should come with comprehensive training modules to help you and your employees get up to speed efficiently. If you’re outsourcing your payroll altogether, you might not need much training for your employees because the provider’s crew handles nearly everything.

Updates

If a system isn’t frequently making updates, they aren’t proactive about preventing data breaches. Your payroll solution should consistently deploy software updates to keep security at peak performance.

International payroll security: data security laws across the globe

If you are a global enterprise, you’ll need to ensure you stay compliant with regional data privacy laws.

Let’s talk about some data protection standards worldwide:

Brazil’s General Personal Data Protection Law (LGPD): This law unifies forty different Brazilian laws regarding data privacy. The framework outlines ten principles companies must consider when processing personal data (Article 6). Learn more about hiring in Brazil.

EU’s General Data Protection Regulation (GDPR): The GDPR is one of the most well-known statutes regulating data privacy, and it has the most rigorous rules. Any company that targets or collects data from a European citizen must comply with the GDPR.

Japan’s Act on Protection of Personal Information (APPI): With new amendments going into effect on April 1, 2022, APPI sets the standards for a company’s published privacy policy. Learn more about hiring in Japan.

Deel ensures payroll security for employee data across the globe

Maintaining payroll security shouldn’t be a challenge. With Deel, fund payroll with just a click and keep your employees’ sensitive information encrypted and secured.

Multiple currency options and various withdrawal methods make it easy for your international team to get paid on time without hiccups. With industry-leading security standards, access controls, and full GDPR compliance, it’s a payment and compliance solution you can rely on.

Reach out and book a demo today to see Deel in action.

This post is provided for informational purposes and should not be considered legal advice. Consult a legal professional for more info.