Are Cloud-Based Payroll Systems Secure Enough For Business?

Headline-making data breaches have brought a lot of scrutiny to the security of cloud-based systems. Payroll systems, which store sensitive employee data including Social Security numbers and address, are particularly attractive to hackers. Last year, two separate attacks – one on the payroll system of actors’ union SAG-AFTRA and the other on Pennsylvania-based payroll company Paytime Inc. – exposed the personal information of thousands.

It’s no surprise, then, that when evaluating payroll management systems, data protection and security are two top concerns for businesses. New research from Software Advice found that in order to minimize the threat of external attacks, many businesses stick to on-premise payroll software, believing sensitive employee data is at less risk on the company’s own servers versus Internet accessible cloud data.

But the perception that cloud-stored employee data is less secure could be slowing the adoption of cloud payroll systems that can be more efficient and cost-effective, even as other cloud-based HR tools are growing in popularity. Software Advice’s poll of payroll and benefits administrators reveals on-premise payroll systems are the dominant choice of SMBs currently used by 53 percent of businesses, with less than 25 percent of businesses currently using cloud-based payroll software.

Security concerns might be keeping more businesses from moving payroll operations to the cloud, but the businesses already there are positive their data is protected.

Ninety-six percent of SMBs actively using cloud-based payroll software are “very confident” or “confident” that their employee data is protected from hackers and other unauthorized viewers. Michael Fineberg, chief technology officer at cloud-based payroll software vendor SurePayroll told Software Advice, “security is the first benefit” of the cloud. “Payroll information is not sitting on a computer that could be corrupted or crash,” he said.

Web-based systems also offer additional levels of external security and support not found through traditional payroll systems, including regular security audits, staff dedicated to monitoring threats, guarded protection of physical servers. Plus, as Fineberg pointed out, many cloud solution providers invest in Web servers with the strongest levels of encryption technology. Servers maintained by individual businesses most likely do not have the same level of protection.

Cloud-based payroll providers offer added levels of security, but companies still need to have strong internal security precautions. Web-based systems can be accessed by multiple people on a variety of devices from anywhere the Internet is available. Universal access makes the payroll administration process more efficient, but it underscores the importance of employee training and the need to verify the identities of any person accessing the system remotely. SMBs using cloud-based payroll software are certain their chosen provider secures their data, but are less sure about internal security, the research showed. Just 56 percent of respondents were “moderately confident” in the systems they have in place.

Thu Pham, an information security specialist at Duosecurity, a two-factor authentication service, recommends four simple ways businesses can incorporate to ensure employee data stays secure:

Strong passwords.

The best defense is a good offense. Login credentials should follow best practices. Passwords should be longer than seven digits, and include numbers, letters and/or special characters.

Password storage.

It may seem obvious, but it’s worth stating that passwords should not be written down in plain sight. If memorization isn’t an option, consider tools like an online password vault or keychain.

Early detection.

Pham advises companies to teach employees of the telltale signs of phishing emails, and employees should never offer up payroll credentials into a form or website linked in an email.

Two-factor authentication.

Dual authentication requires users to submit a secondary form of identity verification after entering their password. Second-factor methods can range from a text message on their mobile device to an email that is used to create a unique PIN that is required to gain access. Attackers can’t gain access to the software without having the authenticating device or some other means of creating the PIN.

The advantages of cloud-based services – lower up-front costs, reduced liability and added levels of security and maintenance – also apply to payroll systems. Despite the doubt that the data is secure. But data security is a two-way street. Providers need to do their part by investing in encryption, SSL technology and security monitoring. Users must implement best practices to be sure the systems are used in the most secure way possible.