The cybersecurity risks posed by employee benefit, payroll services

Cameron Shilling

Employers commonly utilize online cloud services to administer employee benefits and payroll. Those services entail the collection and management of huge amounts of highly sensitive information about employees and their dependents, including SSNs, governmental IDs, financial accounts, and health information. Those activities also routinely involve significant financial transactions, including for payroll, retirement, and insurance and other benefits payments. As a result, online benefits and payroll services are valuable targets for cyberattacks — and successful attacks almost always result in huge losses and liabilities for employers.

Hackers commonly deploy a one-two-punch when attacking an employer’s online benefits or payroll system.

First, they divert a large financial transaction (such as a payment to a retirement fund) or a series of smaller financial transactions (such as payroll payments) from the legitimate recipient accounts to their fraudulent accounts, and then rapidly withdraw those funds from the fraudulent accounts to avoid having them clawed back by the transferring financial institution or frozen by the recipient institution.

Second, they simultaneously steal highly sensitive personal information from the benefits or payroll system, so they can demand a ransom payment from the employer to refrain from selling the information on the dark web, and threaten to demand ransom from the employees if the employer refused to pay.

Employers often assume that the providers of these systems must have incorporated safeguards into to prevent such attacks. That assumption is often incorrect, or the systems may contain some such safeguards but the employer has not activated them or configured them appropriately.

Here are five safeguards that all high quality online benefits and payroll systems should include, and should have properly activated and configured.

1. Multi-factor authentication: Passwords alone are an insufficient security mechanism, since they often lack appropriate complexity and employees frequently use the same password to access multiple online accounts. Thus, multi-factor authentication (MFA) is a necessity for all online benefits and payroll services. MFA can take different forms, such as a fob or a text sent to an employee’s mobile device.

More sophisticated and user-friendly MFAs employ certificates that the employer installs only on computers used by employees authorized to access benefits and payroll systems, and such applications have the added benefit of being transparent to users.

2. Multi-user notification and authorization: Hackers divert financial transactions by modifying certain information in benefits and payroll systems, such as the financial account numbers for the recipients of such transactions, and the profile information (typically physical address, phone number, and email address) of those recipients. Thus, multi-user notification and authorization are also necessities for all such systems.

For example, multi-user notification could be configured so that, when the profile information for an employee is changed (e.g., by someone using the credentials of a HR person or the employee), a second person would receive a notification of the changes (e.g., a different HR person or an accounting employee). Similarly, multi-user authorization could be configured so that, when the financial account number for one or more recipients is changed, a second person (e.g., a system administrator) receives a notice and must log in to the online system to authorize the changes.

3. Differentiated privileges: One of the most common mistakes employers make is to give all HR personnel the highest level access to their benefits and payroll systems, known as “administrator” privileges, even though all of them do not need such privileges to do their jobs. Hackers target employees with administrator access because it permits them to make the changes and initiate transactions necessary to steal funds and to download huge amounts of sensitive information. Limiting the access of HR personnel to only those functions necessary for them to perform their jobs significantly diminishes potential risk to employers.
4. Advanced technological defenses: Cybercrime is typically perpetrated from outside the Unites States. Thus, online benefits and payroll services should enable employers to geo-fence, prohibiting anyone from accessing the systems from international locations known to be used by hackers. Additionally, online benefits and payroll services often include advanced threat detection applications inherent within them. Those applications detect and alert employers to suspicious activity, such as numerous rapid changes to financial accounts and atypical downloading.

Finally, benefits and payroll services should enable employers to encrypt either their entire databases or sensitive information within the databases, even while the data is at rest. Thus, if hackers are able to steal that information, they will unable to decrypt it.

5. Robust access and activity logs: If a benefits or payroll service is compromised, it is critically important to be able to determine the dates and time periods of the unauthorized access, the precise activities of the hackers within the systems, and the exact information accessed and downloaded by them. All benefits and payroll services should have log files capable of recording such information, and employers must ensure that those files are configured so that such information is recorded and maintained for appropriate periods of time.

Employers cannot just assume that their online cloud employee benefits and payroll services providers are adequately protecting them from cyberattacks. To avoid the potentially huge losses and liabilities that result from such attacks, employers must take responsibility for protecting the huge amounts of sensitive information and the significant financial transactions collected and managed in those benefits and payroll systems.

Cam Shilling, founder and chair of McLane Middleton’s Cybersecurity and Privacy Practice Group, assists businesses and private clients in improving their information privacy and security protections.