No matter the size or industry, most U.S. businesses are vulnerable to cyberattacks — both from inside and outside the company. Among the data targeted are employee payroll records. Just imagine the consequences if your company's employee records were compromised: Worker's personal information might be used to perpetrate identity theft, your company's accounts might be hacked and emptied, and the incident could become a PR disaster.
According to cyber defense company Phishme's Enterprise Phishing Susceptibility Report, more than 90% of cyber attacks are launched through phishing activities. Knowing this, you may actually find it relatively easy to protect your organization's data. The key is to learn about phishing schemes and to educate your employers on how to fend off perpetrators.
Your IT network can be infiltrated in various ways — even by a "mole" in your office. But one of the most common methods hackers use to access payroll records is what's called the business email compromise (BEC) scheme. With a BEC attack, a hacker sets up an email account in the name of one of your employees or managers. Then the hacker uses the account to contact another employee to ask for payroll records or to instruct the worker to click a link that downloads malware. The email looks legitimate, so the recipient is likely to respond.
To thwart BEC schemes, take the following precautions:
There are variations on the basic BEC scheme. For example, with the "imposter" method, the hacker may pose as the company's CEO or as a trusted advisor, such as lead outside counsel. The cybercriminal might use the right terminology and even official-looking forms to request information. Intimidated by the sender's identity, a rank-and-file employee could decide to accommodate the request without first verifying it.
When it comes to phishing, employees are either your company's most formidable weapon or weakest link. Train new payroll employees about email fraud risks and regularly update and remind longer-tenured workers about phishing threats as they emerge. Make sure they understand that it's better to be cautious and take the time needed to verify an email than to act recklessly simply to get work done quickly.
Formalizing cybersecurity procedures can help guide employees. So create a formal plan for handling confidential information and require every employee to acknowledge it. If employees fail to follow procedures, be sure to discipline them — even if no data is lost. Following through on such matters communicates how seriously you take cybersecurity risks, particularly when it comes to information housed in your accounting department.
Although not specific to protecting payroll data, several best practices can help fortify your company's entire IT system. For example:
But even if you take every precaution, there remains a risk that your company's payroll or other business records will be hacked. Make a fraud contingency plan so you'll know what to do if cybercriminals breach your defenses. The plan should specify what needs to be done in the immediate aftermath and who should do it. For example, an owner or CEO might be responsible for working with the IT manager to secure the network. A public relations manager might disseminate information about the incident to internal and external stakeholders. Legal counsel might be needed to meet with law enforcement.
Although it's probably not the first action you need to take after an attack, be sure to report hacks to the FBI Crime Complaint Center at www.ic3.gov. And if, following a phishing incident, you suspect payroll information might have been stolen and used to perpetrate tax identity theft, notify the IRS at phishing@irs.gov.
Businesses offer cybercriminals bigger prizes — large cash and data reserves — than most individuals. Therefore, hackers are likely to continue targeting companies with phishing scams. Fortunately, you're not a sitting duck. Prioritize cybersecurity and train employees to fight potential invaders and you'll reduce this very real risk.
Get in touch today and find out how we can help you meet your objectives.