Global payroll teams have needed to adapt quickly in the last few years to ensure the continuity of one of the most critical transactions a business can perform – paying its people.
Given the criticality of the payroll process, it’s easy to see why many organizations have taken steps to relax standard operating procedures (SOPs) to ensure payroll teams can continue their sensitive work away from the office.
However, while watering down SOPs to ensure the wheels of payroll continue to turn, a variety of new security and compliance risks may present themselves. Many of these are linked to the ‘new normal’ of remote access, and the subsequent spike in opportunistic cyber attacks from hackers looking to exploit the pandemic.
The size and significance of these risks will, of course, vary from firm to firm – dependent on the scale of the business, the countries in which it operates and the extent to which it had already embraced remote working prior to the pandemic.
Regardless, even the best-prepared businesses are likely to have been affected to some degree or another.
In this post, we’ll explore some of the new security and compliance risks that all global payroll teams should be aware of, and outline what companies can do to minimize them:
People and operations
At a glance: In this section, we take a look at:
- Maintaining operations if team members are out of action
- Business continuity planning
The most obvious risk that global payroll teams faces in recent years is the possibility that one or more team members could become infected by the Covid virus and be forced to self-isolate. They could also be indirectly affected if family members fall ill – in turn requiring them to take time out to care for sick or vulnerable loved ones. In some cases, parental duties may be impacted due to mandatory school closures, homeschooling or childcare issues.
While sympathies will first and foremost be with any colleagues who have to face such challenges, the payroll process must continue to operate. So the big question becomes who will step into the shoes of any team member forced out of action, and more importantly, how?
This is where a global payroll business continuity plan comes into effect, which has assessed the risk and prepared a series of actions to mitigate them. For example, cross-training people from other business functions, such as finance, who could temporarily fill any gaps.
Loss of visibility and control
At a glance: In this section, we take a look at:
- Teams overwhelmed with increasing complexity
- Need for a centralized governance framework
In a devolved and decentralized global payroll operation, local teams will operate in isolation. In this situation, an organization is unlikely to have a comprehensive understanding of the payroll-related risks to the business as a whole, nor will it be able to define how best to mitigate those risks through an effective payroll governance framework.
Indeed, while payroll departments were pushed physically further apart by the pandemic, there’s a greater need than ever for a centralized and joined-up approach, with rapidly evolving legislation across the world pushing many payroll teams to the limit in terms of their ability to keep up.
As teams become overwhelmed by the increasing complexity of the landscape, the risks of late payments, late filing or tax inaccuracies go up in tandem – with significant knock-on effects right across the organization, not least for the workforce. While exceptions or deferrals were made by some tax authorities during the pandemic, employees may be less forgiving if their pay packet fails to arrive accurately or on time..
Cyber security awareness
At a glance: In this section, we take a look at:
- Increased social engineering and phishing attacks
- Video conferencing risks
- Cloud technology and tightened security
Of course, the new-world risks for global payroll extend far beyond operations and people. And with global payroll teams arguably the gatekeeper to some of the organization’s most important data, cyber security and data privacy have long been a major concern for the function. Yet the challenges of COVID-19 have shifted the goalposts significantly in this area, with an increasing requirement for data to remain secure, while being accessible from home.
For businesses working with sophisticated cloud technology, security is typically ‘built-in’, with most platforms now supporting two-factor authentication and other best-practice security protocols. However, in reality the majority of security flaws are linked to human error rather than technology – and as users transition to more remote working and collaboration, care must be taken over the sharing of data outside of the office environment.
Users should also be aware of the increasing prevalence of social engineering – the digital dark-art of manipulation that aims to trick people into divulging confidential information or passwords. ‘Phishing’ emails are nothing new, but they’re rapidly on the rise on the back of COVID-19, with some studies showing a spike in activity of up to 600% as hackers look to exploit the uncertainties and software unfamiliarities people may have at this time.
Just as the working world has gone mobile during the pandemic, so too has the phenomenon of phishing. A significant increase in enterprise mobile phishing attacks since the start of 2020, is no doubt down to the increasing numbers of people using their own devices at home – unlikely to have the same levels of security as a company machine.
Many home workers have upgraded their home connectivity to enable themselves to work quicker, take more video calls etc. But employees should work with their IT teams to ensure their home network is secure.
Not only are phishing attacks becoming more frequent and more mobile, they’re more sophisticated than ever, often designed to lead the user to a ‘spoof’ website or log-in page almost indistinguishable from the real thing. Raising internal awareness of these attacks, and providing guidance on how to spot the difference is key to keeping teams alert.
Caution should also be noted in the use of video conferencing facilities – with the new go-to communication tool for many dispersed teams increasingly a target for malicious forces. Attacks on platforms like Zoom have surged since the start of the pandemic, with privacy vulnerabilities uncovered that enabled sessions and chat text to be recorded without the participants’ knowledge. It has led Zoom to recently purchase a security firm to help achieve more resilient end-to-end encryption – and shows the importance of being vigilant when it comes to software choices.
New normal, new risks
Much has been made of the enforced shift to remote working, and the opportunity for organizations to establish a new normal of distributed teams. For global payroll though, it brings a number of fresh challenges relating to the safety and security of employee data, at a time when the function must also react to rapidly changing labor legislation across the world.
The security of home networks, devices and collaboration tools should be carefully considered, and teams reminded how and why to stay alert in the face of increased phishing attacks. At the same time, payroll must acknowledge the potential pitfalls of decentralization, and ensure an organizational view of risk remains visible at all times.