Breaches in payroll security systems can cause a major dent to a business’s financial situation. According to the Association for Certified Fraud Examiners (ACFE), the average case of payroll fraud can last up to two years and result in business losses of up to $62,400.
As a business, the two biggest threats to payroll security are 1) internal workers with access to classified information and 2) outside hackers who gain access to accounts by stealing passwords.
Companies need to ensure that they are keeping all of their employee and business data safe at all times, especially with respect to payroll systems. If there is even the slightest breach in keeping your payroll data safe, then your workers’ confidential information and the integrity of your payroll could suffer.
Here are our 15 essential tips for maintaining your payroll security.
Most payroll security breaches happen when employees give out confidential information.
In our world today, even outside of work, we are bombarded with texts and emails from people trying to obtain login information for our personal data. In 2021 alone, $3.25 billion of global revenue was generated by those committing cybercrimes on social media platforms.
Train your employees to look for red flags and keep your company information secure. One of the most common mistakes that hackers make when sending out phishing emails is using improper grammar or having misspellings in their emails. Teach employees to stay alert for signs of a genuine attempt to breach your security.
Give every employee a training course during their onboarding that highlights inconsistencies from hackers like:
Using broken English
Misspellings in email addresses
Most importantly, encourage employees to carefully monitor external information requests, especially for their personal information like social security numbers. Many hackers try to gain easy access to people’s money by posing as banks or creditors.
One of the easiest ways to maintain your company’s payroll security and avoid issues is to limit who has direct access to payroll.
Make sure that only HR and admin employees have access to this information. Set up easy access control and other security measures, so that this information can only be shared by payroll administrators with permission.
Before software started eating the world, businesses used locked filing cabinets to keep important payroll and sensitive employee information secure.
Having employees use strong passwords is the equivalent of having a lock on your filing cabinet. Most security breaches occur because of weak passwords.
Encourage employees to set up a unique password that they only use for their job: the longer the password, the more secure. Make sure that employees use a mixture of upper and lower case letters as well as symbols and numbers, so that attackers cannot simply guess their way in. Most importantly, encourage employees to use a unique password for each account.
This includes creating strong passwords for social media accounts, such as LinkedIn, Facebook, Instagram, and Twitter.
One of the most important ways to protect your employees’ data is to make sure sensitive information like social security numbers and home addresses are secured.
Avoid printing sensitive information on employees' pay stubs when you run payroll, even if the pay stub is virtual or the pay is sent by direct deposit. Use an ACH filter that allows the blocking and filtering of debit and credit transactions directly from your business account. You can research which type of filter best suits your business needs to prevent any unauthorized transactions from posting.
Smaller businesses are more likely to be targeted than bigger companies for breaches in employee and business data. They are more likely to make mistakes or not have the resources to protect Personally Identifiable Information (PII) such as social security numbers, bank account numbers, and addresses.
Limit the number of messages you send containing Personally Identifiable Information. Make sure that you are running your payroll from a secure business computer and not from a personal laptop or tablet to further avoid any payroll security threats.
Do not give everyone access to employees’ personal information, even if you’re running a small business with only a few employees.
Only certain employees or administrators managing payroll should have access to employees' social security numbers and bank accounts.
You may even want to limit what sensitive information shows up for HR when they manage payroll.
Yes, you will always need to share some personal information to manage payroll, but protect the integrity of your business and employees at all costs.
A ghost employee scheme is fraud in which paychecks are issued to a person who isn't real or isn't actually on your payroll, and cashed by whoever set up the fake record.
This type of scam can happen in larger global companies that 1) don’t have a centralized payroll and 2) use different currencies to pay their employees around the world.
Normally, someone with access to payroll can set up and fund an employee account for someone who doesn't actually exist; then, they can cash the checks themselves. This is why you need to vet (and maybe even conduct background checks on) anyone who will have access to employees' Personally Identifiable Information (PII) as part of your ongoing security measures.
The only way to make sure that ghost employees are weeded out is to conduct regular payroll audits and check for payroll discrepancies.
Another easy way to protect the integrity of your business is to set up two-factor authentication.
Two-factor authentication means that an employee must present two different proofs of identity to log in, which makes it much harder for someone holding only a stolen password to get into an account.
One of the simplest forms of two-factor authentication is to send a one-time code by text message or email that the employee enters into the application after attempting to log in. A code is still only as safe as the person holding it: tricking someone into handing it over is known as social engineering, and it only takes one person's error to cost a business thousands, or even millions.
Time-sheet fraud, data breaches, fake reimbursements, and other forms of fraud can cause serious payroll headaches. That’s why you need to perform a payroll security audit.
Regularly checking employees' pay rates, pay periods, and other information will keep you in compliance with tax and labor laws, as well as ensure that no discrepancies arise on your end with the local tax agencies in your country.
You should also have your payroll administration employees keep ledger reports that show every transaction in your company, whether large or small. Closely monitor your employees' time cards and align them with your payroll records.
Keep a close watch on problems like buddy punching, where one employee has another employee clock them in when they’re not actually working. This is more common when workers are physically in the office. You want to make sure that all your employees are being paid properly, but only if they’re actually working.
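As an added example that is not part of the original article, here is a small Python reconciliation implementing the audit described above: it compares one payroll run against the active HR roster and the approved timesheets, flagging payees who are not on the roster (possible ghost employees or departed workers) and hours paid that disagree with time cards. It also goes one step beyond the article with a check for a deposit account shared by more than one payee, a common sign of a ghost record. All records are constructed sample data; the field names are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real records): the active HR roster, one
# payroll run, and the approved timesheet hours for the same pay period.
HR_ROSTER = {"E001": "Ana Lopez", "E002": "Ben Osei", "E003": "Chloe Nair"}
PAYROLL_RUN = [
    {"emp_id": "E001", "hours_paid": 80.0, "account": "ACCT-1111"},
    {"emp_id": "E002", "hours_paid": 92.0, "account": "ACCT-2222"},
    {"emp_id": "E003", "hours_paid": 80.0, "account": "ACCT-3333"},
    {"emp_id": "E099", "hours_paid": 80.0, "account": "ACCT-2222"},  # not on roster
]
TIMESHEETS = {"E001": 80.0, "E002": 80.0, "E003": 80.0}


def audit_payroll(roster, payroll, timesheets, tolerance=0.5):
    """Return a sorted list of (emp_id, finding) pairs for a human reviewer.

    tolerance is the largest hours difference treated as rounding noise.
    """
    findings = []
    by_account = defaultdict(set)  # deposit account -> set of payee ids
    for entry in payroll:
        emp = entry["emp_id"]
        by_account[entry["account"]].add(emp)
        if emp not in roster:
            findings.append((emp, "paid but not on active HR roster (possible ghost employee)"))
            continue  # no timesheet comparison is meaningful for an unknown payee
        worked = timesheets.get(emp)
        if worked is None:
            findings.append((emp, "paid with no approved timesheet"))
        elif abs(entry["hours_paid"] - worked) > tolerance:
            findings.append((emp, f"hours paid {entry['hours_paid']} != timesheet {worked}"))
    # Two different payees sharing one deposit account is a classic ghost indicator.
    for account, emps in by_account.items():
        if len(emps) > 1:
            findings.append((",".join(sorted(emps)), f"deposit account {account} shared by multiple employees"))
    return sorted(findings)


if __name__ == "__main__":
    for emp_id, finding in audit_payroll(HR_ROSTER, PAYROLL_RUN, TIMESHEETS):
        print(f"{emp_id}: {finding}")
```

Run against the sample data, it reports the unknown payee E099, the 12-hour gap between E002's paid and recorded hours, and the account E002 and E099 have in common.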
Payroll information is an essential part of building and running HR. Make sure that you train all of your employees on how to use the payroll system that you’re using.
You should begin this process early on and create a payroll security manual to give to new hires on the payroll team when they begin their onboarding and training process.
Even employees who don’t directly work in the payroll department should understand exactly what payroll software your business uses and how to login and view their pay stubs.
With proper training, discrepancies and confusion with payroll security should be kept to a minimum.
With the advancements in technology, remote work has become common among today’s workforce. Most employees have the luxury of working from anywhere, but without proper training, working from home could be a recipe for security breach disasters.
During the initial training process, focus heavily on maintaining your company's security and integrity through common sense practices. Even a simple reminder at an all-hands meeting can help. The more comprehensive the training, the better the results will be.
Make sure that they aren’t leaving their laptop open or unattended in public or co-working spaces. Tell them to always log out of their computer when they walk away. Remind them not to take photos of confidential company information on BeReal.
Keep all of your payroll security and technology updated at all times. You should constantly be scanning and looking for software updates, instead of waiting until the last minute to make changes.
If you use third-party integrations across multiple companies or data, double check that 1) you have access to these integrations and 2) that they are secured.
Outsourcing your payroll may be a great option to avoid any headaches, but you’ll need to make sure that the company you’re working with is reputable and following all of the given tax and labor compliance laws.
Focus on building a strong HR team (both internally and externally), especially one that keeps up on ever-changing labor laws and regulations. Encourage your employees to ask questions and read articles about the latest security practices. This learning process can take many forms.
SOC compliance is a type of certification (normally for third-party payroll providers and organizations) proving that a business has completed a third-party audit demonstrating they have the proper controls in place for managing finances.
If you or your management team are planning to hire a third-party payroll processing company to manage your payroll, make sure they have completed their SOC compliance.
There are 3 different types of SOC compliance audits:
SOC 1: Focuses solely on controls that affect the customer’s financial reporting. This ensures they are properly protecting the customer’s financial information.
SOC 2: More general; it assesses a service provider's controls against the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy.
SOC 3: Covers the same ground as SOC 2, but is written for higher-level companies and their shareholders. This type of SOC compliance is for more in-depth and higher-profile businesses.
All payroll processing companies will need to meet SOC compliance at some level. Research the business you plan to partner with and assess your organization’s payroll security needs.
Even after an employee has quit or been let go, you will still need to protect their personal information, including biographical information like social security numbers, insurance, paystubs, workers compensation, and retirement accounts.
In most countries, you’ll need to keep employee records after their departure. In the United States, for example, EEOC regulations require that you keep all personal or employment records for one year. You are required to keep related payroll records for 3 years after their departure.
Failure to keep these records can result in non-compliance penalties and even investigations by the IRS. Where the records were lost for a serious enough reason, the matter can be treated as tax fraud, which can lead to fines or even jail time.
Before management begins the process of working with a global EOR like Via, using a third-party payroll processor, or opening an entity in another country and running your own payroll, you should do extensive research. If you decide not to partner with an EOR, you will probably need to hire a legal team to help you understand the payroll security laws in that country.
In Europe, there is the General Data Protection Regulation (GDPR), a European law covering all individuals in the European Economic Area (EEA). Per this law, businesses must protect all the personal and security information of those living in this region.
Brazil has a similar law called the General Data Protection Law (LGPD). The LGPD is designed to unify 40 existing laws in a strategic effort to protect the processing of the personal data and security information of Brazilian individuals.
So, before you make the exciting leap to open a business in another country and run payroll, you’ll need to know exactly what laws are in place to protect the personal information of employees in those countries.
Managing payroll and understanding payroll security can be daunting at first. It’s hard to know where to start and what to put in place to protect business and your employees.
Via makes hiring international talent and managing international payroll seamless. With our easy-to-use platform, Via manages the local human resources processes for global employment such as work visas and permits, benefits, secure payroll, background checks, work data privacy, and more. Our team of local labor lawyers and on-the-ground experts ensures that your company remains compliant while expanding abroad. As your employer of record and entity, Via assumes full responsibility for employment liability, so that you can focus on what matters: recruiting and managing your team, as well as offering products and services.
With Via's transparent pricing, you can pay full-time employees or contractors across borders with no hidden set-up fees, no foreign exchange or transaction fees, and no minimums: start with 1 employee and scale up at your own pace. You can get started in 1-2 business days. That's why a lot of businesses partner with an EOR service like Via. We expedite the process of hiring and recruiting, setting up HR, and adhering to all employment laws in other countries.