Security experts will tell you that most security breaches are not via hackers breaking through firewalls on corporate systems. One of the most common forms of security breach is via social engineering or hacking the human. Social engineering is the act of manipulating people to divulge confidential information or perform actions that they shouldn't.
This may seem like a strange subject for a blog on payroll but it is increasingly relevant in the world of payroll.
This is particularly relevant in a large payroll outsourcing business, where payroll staff handle enquiries from many thousands of employees. Employee helplines are notoriously difficult to secure. How would you know that the person you are speaking to is who they say they are? Simple measures like calling them back, or asking them to email or write to us, are difficult too: they presuppose that we already know their email address or postal address is correct. In fact, against those simple measures an attacker could spoof an employee's credentials simply by finding that person's payslip.
If employee helplines are offered, then some stronger form of security is needed. Managing that security then becomes an enormous issue; dealing with starters and leavers alone is a horrendous headache. The cost of managing this type of system can be very large and disproportionate to the benefits gained, particularly when the large majority of queries actually concern matters beyond the knowledge of a payroll outsourcing provider. A query like "I worked 7 hours of overtime last week and you have only paid me for 6" will 99% of the time need referring back to the employer.
So what is the answer? Clearly security is a major concern here. Without an effective model for verifying who it is you are talking to, no information should be released and no changes should be processed.
We think the answer lies in epayslip systems. Here, by default, an employee has to undergo a one-off identification process to gain access to the website. After that, the individual has a secure method of logging in to a company portal to access their payslips. Once logged in, the employee can contact the employer and the payroll provider, who can then both be confident that the messages are coming from a validated employee.
So long as communications are channelled through that portal, the integrity of the system is ensured; that integrity rests on the strength of the initial identification process and of the portal's login mechanism, so both need to be done properly.