Payroll: The Next Payment Security Battleground

It’s hard to imagine a more appealing target for hackers than payroll. Enormous amounts of money change hands, and the security measures are inconsistent and often outdated.

While payroll security may be getting better, the speed of change is still too slow to prevent ongoing data breaches. There is enough evidence to suggest that payroll remains a preferred target. 

In the past year alone, payroll has been at the heart of numerous breaches, either as a result of hack attacks or human error – often a combination of both. Last month, a thief broke into the car of a Facebook payroll employee and stole a hard disc containing the names, bank account numbers, and salary details of 29,000 Facebook employees. Meanwhile, attackers in Tallahassee stole half a million dollars in city payroll by redirecting deposits of paychecks belonging to municipal workers.

Also, officials at the Cheyenne Regional Medical Center (CRMC) in Wyoming discovered a hack aimed at the payroll data of its patients. Accounts at the center contained large amounts of sensitive data in addition to private health information, including credit cards and financial data.
More incidents are sure to follow. In fact, the number may already be much greater than people realize. The CRMC hack was only discovered five months after the fact. How many hacks on payroll have gone completely unnoticed?

Payroll as the Soft Underbelly of Payments
Payroll remains vulnerable, in part, because the field has been slow to adapt to the new reality. With so much value placed on absolute accuracy, companies are reluctant to make the large-scale changes needed to stay up to date in data protection.

While fintech companies are offering automated solutions in many areas of finance, payroll has remained one of the last bastions of the old way of doing things. In large companies with thousands of employees, the payroll process is virtually identical to what it has been for many years, and the process for about 85% of the workforce remains largely manual.

A payroll department processes an enormous number of spreadsheets. Companies might use software suites to process the numbers, but the numbers are still entered manually. Some companies still do payroll on paper.

The manual process has two primary vulnerabilities. The first and most obvious is that with any manual process, it is impossible to eliminate human error. That means there will be errors in payroll, and there will be errors in handling the data. Errors in payroll can damage the trust between employee and employer. Errors in handling data can have much larger ramifications if the data gets into the wrong hands.

The second vulnerability of a manual payroll process is the absence of a clear and secure channel for transferring data. With many phishing attempts and attacks taking place this year, hackers use lookalike pages to take advantage of the intense back and forth between accountants and their clients.

The issue is complicated even further when a company has employees overseas. A global payroll is even more complex as a manual process because it then has to deal with multiple languages, reporting styles, currencies, tax codes, and employment laws.

Startups Showing the Way Forward
With technology advancing at lightning speed, it is only a matter of time before payroll joins the workforce revolution already underway. The modern office is growing increasingly automated and increasingly global, and companies are increasingly turning to digital office assistants – bots capable of performing routine and repetitive tasks – to save time and effort.

Not surprisingly, a number of fintech start-ups see the current moment as ripe for disruption, using SaaS technology to offer secure payroll solutions that are easy to install and intuitive to use. Large companies have been reluctant to adopt solutions that are hard to install and sync with the accounting systems already in place at their companies.

New automated solutions are cloud-based, so they fit seamlessly with the legacy accounting programs that are commonly being used. The cloud also allows startups to offer their products on a subscription level rather than as software that sits on computers. The SaaS approach lowers the risk for a company with a large workforce. It also eliminates the need for companies to handle their own maintenance. The SaaS provider also ensures the product is constantly upgraded to keep up with advances in standards.

These startups present the latest weapon in the ongoing war between hackers and payments. As long as there is money moving from place to place, thieves will try to get it. Payroll has served as a soft target for too long. The workforce is changing, and that’s sweeping payroll into the modern age.

Ryan Kh is an entrepreneur & startup investor. Founder of Catalyst For Business and managing editor for He is passionate about covering topics like big data, data security, business intelligence & entrepreneurship.
