The data held in HR and payroll systems can be vulnerable to attack. Today’s global economy is driven by data and digital transformation. Coupled with the remote working phenomenon resulting from the Covid-19 pandemic, and the war in Ukraine, conditions are rife for rising cybersecurity threats.
According to Security magazine, there are over 2,200 cyberattacks each day. That breaks down to nearly one every 39 seconds. There is no shortage of headlines about IT system and portal shutdowns, ransomware and malware hits, and social engineering scams.
Breaches, thefts, and data hostage-taking can cripple industry titans like McDonald’s and Toyota, as well as schools, hospitals and non-profits. Add the French Ministry of Justice, Maryland Department of Health, and Montreal Tourism Agency, and it’s clear that no organisation in any sector is beyond reach.
HSE payroll systems threatened by cyber-attack
Closer to home, and in possibly the most high-profile case to date, Ireland’s Health Service Executive (HSE) fell foul of cybercriminals in May 2021. Described as “catastrophic” by the BBC, the health service suffered the worst cyberattack in the history of the Irish state at the hands of Russian gang Wizard Spider. The executive had to take its entire IT infrastructure offline or into quarantine. Email, HR, and payroll systems were inaccessible from the HSE’s internal network, making critical data entry impossible for a payroll deadline affecting 22,197 staff just days later.
Thanks to a managed service from Zellis, supported by a cloud-based payroll solution hosted at a third-party data centre, it was possible to isolate several key payroll systems and professionals from the impacted infrastructure. By combining ‘clean’ laptops and an SFTP-based network set up to exchange large payroll files between designated email accounts, the required data was uploaded to Zellis’ secure systems, which also took over hosting the employee self-service application.
We couldn’t have done it without Zellis and we were thankful we had a managed service. We paid all employees on ResourceLink accurately and on time for a couple of months with no systems of our own. It was an amazing achievement — a genuine good news story. And HSE management was delighted because there was no impact on frontline workers already hit hard by Covid-19.”Brid Harte, National Payroll Manager, HSE
The HSE scenario was echoed in a cyberattack on the Dublin Airport Authority (DAA) in December 2021, but with a distinctly different outcome. The authority’s third-party payroll system, MyTime, was out of action for 14 weeks. NUI Galway was also the victim of an attempted cyber-assault around the same time. And almost one in five Irish firms experienced a cyberattack or data breach during 2022. According to the Irish Times, a survey of 228 senior business leaders revealed that 18% of companies across Ireland were targeted last year.
The scale of the cybersecurity challenge
The digital disruption goes on. As recently as February, Munster Technological University Cork suffered a significant IT breach and phone outages, causing a campus closure. Cyber-criminals are constantly developing increasingly sophisticated methods, leveraging vishing (a form of phishing), digital extortion, and triple extortion tactics employing ‘distributed denial-of-service’.
The volatile global geopolitical context is giving rise to cyber-warfare and hacktivism. Additionally, among the top 10 cybersecurity threats emerging for 2030, identified by the EU Agency for Cybersecurity (ENISA) are:
- Human error
- Exploited legacy systems within cyber-physical ecosystems
- Skills shortages
This further highlights the power of highly secure employee-centric software, including HR and payroll systems, that protect valuable people data.
The main targets between June 2021 and 2022 were:
- Public administration and government (24% of incidents reported)
- Digital service providers (13%)
- Services (12%)
- Finance / banking (9%)
The fightback: moves to protect data, HR, and payroll systems
Such is the concern about the growing scale of cyber-risks, the European Parliament has adopted a new directive. It introduces harmonised measures across the European Union, including the protection of essential sectors. This will undoubtedly provide some form of safety net at the macro level. However, private and public bodies should focus on the micro side of cybersecurity.
A comprehensive audit of payroll and HR processes might prove to be an excellent starting point.
We’ve seen a substantial uptick in interest for managed payroll and HR services over the past 18 months, particularly following the amplified cyber-activity in Ireland. More and more organisations are now considering outsourcing their payroll, mainly because of challenges around growth outpacing legacy IT systems, cybersecurity threats, brand protection, and the ability to attract and retain qualified staff to maintain payrolls.”Seán Murray, Director of Product Services, Zellis Ireland
Zellis Ireland is a leading provider of cloud-based payroll, HCM software and managed services that look after people from hire to retire. With nearly 100 employees and 40 years of proven experience in Ireland, we provide specialist expertise to organisations including Aer Lingus, RTÉ, Vodafone, Irish Rail, and AIB.