Securing the Payroll

Information Security & Fraud

by Ian Congreave, published in the 8 July 1998 issue of Croner's Payroll Briefing

Almost total dependence on computer systems is a feature of modern business life. The greater the dependence, the greater the risk of damage to the business when those systems fail. Ian Congreave suggests some issues that payroll departments should not fail to address to ensure that their system is always available and that employees are always paid on time.

It does not seem to be widely known that there exists a Code of Practice for protecting computer systems. If you think of how many departments in your business do not rely, partially or totally, on computers (and there may not be any), it should not really be surprising that proper advice is available on protecting business-critical systems.

Before we look at the Code of Practice and consider its relevance to payroll, it must be said that payroll departments have a statutory obligation to put security measures in place. It is contained in the Data Protection Act 1984 and requires data users and computer bureaux to take measures to ensure that any system processing personal data - and payroll has probably more personal data than any other part of a company - is secure against (1) unauthorised access or disclosure, and (2) accidental loss or destruction of the data.

The new Data Protection Act 1998, which will come into force in October this year, defines the obligation on data controllers (as data users will then be called) in the following way: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

So, what are the "appropriate technical and organisational measures" that should be taken in the context of payroll processing?

The starting point must be to identify the areas of activity where payroll is vulnerable because of its dependence on a computerised system. The Security Breaches Survey 1996 (a two-yearly survey of UK companies and their experiences with computer problems) identified the following "breaches", i.e. situations that disrupted all types of computer operation. The main problems are listed in descending order of the percentage of respondents reporting each type of breach:
• computer viruses
• computer failure
• power failure
• theft
• network failure
• user error
• staff misuse
• infringement of software copyright
• lightning, flood, fire etc.

And, of course, being a system that pays out money, payroll is more vulnerable than most to fraud. The Survey revealed few occurrences of fraud although, unlike other incidents whose effects are felt immediately, fraud can only be reported once it is discovered - and it can be very expensive.

The next question is, how many of these security breaches has your business, or at least your payroll office, already identified as a potential threat and planned for? If you are aware of the existence of an "information security policy statement" within your business, it is likely that most of these potential problems have already been anticipated and continuity (or contingency) plans already put in place. Some payroll departments report that their systems are included in company-wide contingency plans and they know exactly what they will do in any event that could put payroll processing in jeopardy.

Most payroll managers and staff appear, however, not to have heard of the British Standard Code of Practice for Information Security. In fact, half of the respondents to the last Security Breaches Survey hadn't heard of it and, if your business has not published and circulated to all of its computer users an "information security policy statement", it is likely that your business hasn't heard of it either. Nevertheless, it exists and is by far the best guide to help every business with critical systems to take measures to protect them.

"Information security" is the jargon phrase used to describe the measures taken to ensure that your computer system, and the business-critical information that it holds and processes, are always available for use. The Code is practical in that it recognises that every organisation is unique in having its own specific requirements for information security. So there is no single set of procedures or actions that will cover every business. However, the Code does provide what it calls "key controls" that every organisation should act on. You might like to consider whether your employer has addressed these ten key controls:
1. A written policy document should be available to all staff.
2. Responsibilities for protecting assets and implementing security measures should be clearly defined.
3. Precautions should be taken to prevent the spread of computer viruses.
4. Copyright material (e.g. software) should not be copied without the owner's consent.
5. Important organisation records should be safeguarded from loss, destruction and falsification.
6. Software applications that handle personal data about individuals should comply with Data Protection legislation and principles.
7. There should be a managed process in place for business continuity planning across the organisation.
8. Users should be given adequate security education and technical training.
9. Security incidents should be reported through appropriate channels as quickly as possible.
10. Systems should be regularly reviewed to ensure compliance with organisational security policies and standards.

The Code of Practice also suggests a seven-point action plan for companies to follow in implementing information security measures. Some of the suggestions, translated into the payroll context, are as follows:

Potentially high risk areas in the payroll operation, such as those mentioned in the Security Breaches Survey, should be identified and measures taken, where possible and affordable, to minimise their impact should they occur.

Every payroll department should have its own payroll procedures manual that defines each step of the payroll operation. This is an ideal starting point for identifying risks, especially where internal procedures are dependent on the actions of other individuals and departments.

It is more professional to anticipate problems and consider what actions could be taken than to just "think on your feet" when something goes wrong. Written continuity plans should have the commitment of the departments who would be involved in implementing them and, most importantly, they should be kept continually under review and tested periodically.

Many problems are caused simply by staff doing something they shouldn't, or not doing something they should. Training must be an important part of any payroll department's routine, and staff should understand the importance of information security, how to use IT facilities, and the need to report all breaches, including near misses.

The principle "prevention is better than a cure" is a sensible approach to protecting your payroll operation. Computers bring amazing benefits but major risks, serious enough to bring down your payroll, or even your company.


So, a final thought that hasn't been raised so far. Do you already know what you will do if your payroll software supplier, or your payroll bureau, goes bust? That is fortunately a rare occurrence but, if you are totally reliant on the supplier of your software or service for your continuing payroll operation, shouldn't you have a plan in mind?