News of information security breaches is becoming commonplace. High-profile data breaches of national retailers (Target), medical providers and insurers (UCLA, Anthem) and, most famously, our government (Office of Personnel Management) have people feeling anything other than protected. In addition, businesses are scrambling to review their systems to make sure that they, and their customers, are not the next victim of an attack.
Payroll and Human Capital Management companies are not immune to this threat to data security. These types of companies manage data that is valuable to hackers intent on securing personally identifiable information to sell on the open market or use in direct fraudulent schemes.
Acknowledging the danger, and in response to this rapidly evolving battleground and methods of attack, many companies are moving quickly to harden their systems.
Today’s cloud-based human capital management systems like PayNorthwest’s Workforce Lumina platform are built on principles of security, reliability and accessibility. They are also based on usability. And therein lies the tension.
An important aspect of successful human capital management systems (payroll, talent acquisition, HRIS, time and labor tracking, scheduling, benefits administration) is that a large portion of your workforce actually uses them. Each person has his or her own login in order to check pay information, enroll in benefits, request time off, swap schedules, etc. And yet, as the number of workers and the variety of their sophistication levels increase, the challenge of maintaining a secure system for all goes up. And as security measures are tightened, the usability of the system can go down as well.
And so, a tightrope walk between solid data security and system usability is made by purveyors of these now essential employee administration systems.
Recently, PayNorthwest, in the interests of the security of the very important information that its clients put in its trust, asked all its users to conform to a new set of tightened security procedures and policies. We would like to thank our many thousands of users who log in to the system every day for their willingness to adapt to this change. This is a cost of time and convenience that we asked all to bear in the interest of a more secure computing environment for everyone. We are grateful for our wonderful clients’ understanding, willingness to adapt, and from many, their encouragement of our efforts.
In today’s world, data security is not obtained through one person or one company. Today’s systems and data are linked in a chain of dependency going from the user, to the device, to the application, to the telecom provider, to the data center and on and on. It takes every link in the chain to do its part. Payroll and HCM companies like PayNorthwest are audited on our security measures. Our software vendor and data centers are as well. But users are not necessarily in the business of thinking through how best to protect their, and their colleagues’, data. Here are a few system policies that are becoming best practices, if not standard requirements, for any user logging into a system with sensitive information:
- Strong passwords. Usually of a minimum length of 6-8 characters, requiring a combination of upper and lower case and special characters.
- Multi-factor authentication (MFA). Adding an additional level beyond a password to prove you are who you say you are. Oftentimes this additional level relates to the device you “have” or are using.
- Password change. The bane of our existence, I know, but requiring password changes after a certain amount of time helps clear out the most egregious openings in a system if a password is not properly protected.
- Notification of changes. Creating notifications that go out to the user of any changes to the user’s login credentials.
This is what life will look like for most of us, across all of our important logins (IRS, bank, health providers, payroll providers, insurance providers, etc.), for the time being. The cat and mouse game between hackers and security professionals will continue. The state of the art in securing personally identifiable information will evolve as that game is played out. In the meantime, we – your payroll and system vendor – will do everything we can to make sure that data security remains our most important objective.