Cyberattacks: Ask When, Not If


With cyberattacks targeting employee data increasing in number and sophistication, employers need robust, multilayered security systems in place to guard against attacks and their repercussions, the vice president and chief operating officer of PenSoft said May 16.

“It is no longer just an isolated problem,” Stephanie Salavejus, CPP. “Many would say it’s a pandemic. Organizations on a daily basis are finding themselves victims of various phishing schemes or attempts to extract sensitive data from their organization.”

“These perpetrators are very, very determined. They have patience,” Salavejus said at the annual American Payroll Association Congress in Orlando, Fla. “They’re willing to keep trying again and again. And the sad thing is they’re becoming very successful at finding the weak points.”  

As cybercriminals broaden their entry points into organizations, the scope of who may be considered culpable in the wake of a successful attack may widen too, Salavejus said. “Security is no longer I.T.’s problem because if there is a data breach and you get investigated, trust me, if that data breach occurred in payroll you’re going to be sitting in front of an officer answering questions,” she said.

Business owners also could face legal repercussions, Salavejus said. “I think what you’re going to see in the coming years is there’s going to be more legislation geared towards protecting consumers and tax payers against organizations that have poor security protocols in place,” she said.

What Can Employers Do?

When determining protection against a cyberattack, employers should know it is a matter of when, not if an attack will occur, Salavejus said.

“Our objective is to deter the criminals. Make it hard. Make it frustrating,” Salavejus said. “To some extent make it not worth their while to keep trying to find a back door.”

People are the weakest link when it comes to data security, Salavejus said. To mitigate that risk, employers should have a written security protocol that is reviewed annually. Employees should receive annual training to ensure they remain compliant, she said.

Additionally, employers should limit the number of personal devices that connect to the company’s network. An iPod, mobile phone, USB flash drive or camera could introduce a virus to the employer’s network, Salavejus said.

An internal hotline that allows employees to report any suspicious activity they see may also be helpful, Salavjeus said. Thirty-eight percent of targeted attacks in 2016 were caused by malicious actions of employees, she said.

Employers should also research the vendors and third-party providers they hire, Salavejus said. “Ask the tough questions,” she said.

When assessing risks, employers should ask about data storage, who may access it, how securely are stored and for how long, Salavejus said.

Employers also should ensure that endpoint protection is used to its fullest capability, Salavejus said. Cybersecurity monitoring services and insurance may be worth considering, she said.

Programs like those are expensive, but should be weighed against the cost of a potential breach, Salavejus said. “As a business owner, or even a university or a health care facility, what is the cost if you have a major data breach? For some organizations it will shut you down,” she said.

Take a free trial of Bloomberg BNA’s Payroll Decision Support Network, your one-stop resource for reliable, up-to-date guidance and analysis in every area of payroll administration and compliance.

Follow Bloomberg BNA on Twitter @BloombergBNA and join the Bloomberg BNA U.S. and Global Payroll group on LinkedIn.