Troves of information, financial transactions can present tempting targets to hackers

Employers commonly utilize online cloud services to administer employee benefits and payroll. Those services entail the collection and management of huge amounts of highly sensitive information about employees and their dependents, including SSNs, government IDs, financial accounts and health information. Those activities also routinely involve significant financial transactions, including for payroll, retirement, and insurance and other benefits payments. As a result, online benefits and payroll services are valuable targets for cyberattacks — and successful attacks almost always result in huge losses and liabilities for employers.

Hackers commonly deploy a one-two punch when attacking an employer’s online benefits or payroll system.

First, they divert a large financial transaction (such as a payment to a retirement fund) or a series of smaller financial transactions (such as payroll payments) from the legitimate recipient accounts to their fraudulent accounts, and then rapidly withdraw those funds from the fraudulent accounts to avoid having them clawed back by the transferring financial institution or frozen by the recipient institution.

Second, they simultaneously steal highly sensitive personal information from the benefits or payroll system, so they can demand a ransom payment from the employer to refrain from selling the information on the dark web, and threaten to demand ransom from the employees if the employer refused to pay.

Employers often assume that the providers of these systems must have incorporated safeguards to prevent such attacks.

That assumption is often incorrect.

Here are five safeguards that high-quality online benefits and payroll systems should include:

1. Multi-factor authentication: Passwords alone are an insufficient security mechanism, since they often lack appropriate complexity, and employees frequently use the same password to access multiple online accounts. Thus, multi-factor authentication (MFA) is a necessity for all online benefits and payroll services. MFA can take different forms, such as a fob or a text sent to an employee’s mobile device.

2. Multi-user notification and authorization: Hackers divert financial transactions by modifying certain information in benefits and payroll systems, such as the financial account numbers for the recipients of such transactions, and the profile information (typically physical address, phone number and email address) of those recipients. Thus, multi-user notification and authorization are also necessities for all such systems.

3. Differentiated privileges: One of the most common mistakes employers make is to give all HR personnel the highest level access to their benefits and payroll systems, known as “administrator” privileges, even though all of them do not need such privileges to do their jobs. Hackers target employees with administrator access, because it permits them to make the changes and initiate transactions necessary to steal funds and download huge amounts of sensitive information. Limiting the access of HR personnel to only those functions necessary for them to perform their jobs significantly diminishes potential risk to employers.

4. Advanced technological defenses: Cybercrime is typically perpetrated from outside the United States. Thus, online benefits and payroll services should enable employers to geo-fence, prohibiting anyone from accessing the systems from international locations known to be used by hackers. Additionally, online benefits and payroll services often include advanced threat detection applications inherent within them. Those applications detect and alert employers to suspicious activity, such as numerous rapid changes to financial accounts and atypical downloading. Benefits and payroll services should also enable employers to encrypt either their entire databases or sensitive information within the databases, even while the data is at rest. If hackers are able to steal that information, they will be unable to decrypt it.

5. Robust access and activity logs: If a benefits or payroll service is compromised, it is critically important to determine the dates and time periods of the unauthorized access, the hacker’s activities within the systems, and the exact information accessed and downloaded by them. All benefits and payroll services should have log files capable of recording such information, and employers must ensure those files are configured so that such information is recorded and maintained for appropriate periods of time.

Employers must take responsibility for protecting the sensitive information collected and managed in their systems.

Cam Shilling, founder and chair of McLane Middleton’s Cybersecurity and Privacy Practice Group, assists businesses and private clients in improving their information privacy and security protections.