Canadian Payroll Reporter

June 2018

Focuses on issues of importance to payroll professionals across Canada. It contains news, case studies, profiles and tracks payroll-related legislation to help employers comply with all the rules and regulations governing their organizations.

Issue link: https://digital.hrreporter.com/i/991499


who needs their password reset, or a payroll service provider asking for updated information. When emails are used to do this, it is typically called phishing. The emails appear to be from a legitimate person or organization seeking financial and/or identity information.

"A cybercriminal might customize each phishing email, so that can make you fall victim to the phishing email and click on that link," said Manikkayam.

In the United States, the Internal Revenue Service (IRS) has repeatedly warned payroll departments about phishing emails that pretend to be from a member of an organization's executive team seeking updated employee information. They may ask for names, social security numbers, and income information, often from their W2 forms, which are similar to T4s.

"The W2 scam has emerged as one of the most dangerous and successful phishing attacks as hundreds of employers and tens of thousands of employees fell victim to the scheme in the past year," the IRS said last fall.

Another concern is that payroll systems could become victim to malware or ransomware attacks if an unsuspecting payroll professional clicks on a link in an email or on a website, said Manikkayam. A malware attack could install software on the payroll system that enables cybercriminals to access or destroy data.

"Cyberattacks that manipulate or destroy data can undermine trusted systems without the owner's knowledge and have the potential to damage critical infrastructure," said The Global State of Information Security® Survey 2018, a report on information security by professional services firm PwC.

The report surveyed more than 9,500 global company executives. In 2017, 30 per cent of respondents said their employee records were compromised because of a cyberattack.

A ransomware attack is a form of malware that can lead to an organization's computer system or files being held hostage.
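The executive-impersonation W2/T4 request described above can be triaged with a few mail-level checks before a payroll clerk ever reads it. The following is an added example, not code from the article or from any product it mentions; it scores a raw message on the signals the scam relies on (an executive's display name arriving from an outside domain, a Reply-To that differs from the From address, a request for tax or identity data, and urgency wording). The executive roster, the internal domain and both sample messages are constructed assumptions.

```python
"""Heuristic triage for the executive-impersonation W2/T4 payroll phish.

Added example; not code from the article or from any product it mentions.
The executive roster, internal domain and both messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.ca"            # assumption: the employer's mail domain
EXECUTIVES = {"jane doe", "john smith"}  # assumption: names payroll would trust

# Data the scam asks for: W2/T4 slips and SSNs (SIN is the Canadian analogue).
DATA_TERMS = re.compile(r"\b(w-?2s?|t4s?|ssns?|sins?|social security|income)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|right away)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw: str) -> dict:
    """Return a score, a hold flag and the reasons for one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", addr))  # default: same as From
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    if name.strip().lower() in EXECUTIVES and _domain(addr) != INTERNAL_DOMAIN:
        reasons.append("executive display name sent from an external domain")
    if _domain(reply) != _domain(addr):
        reasons.append("Reply-To domain differs from From domain")
    if DATA_TERMS.search(body):
        reasons.append("asks for employee tax or identity data")
    if URGENCY.search(body):
        reasons.append("urgency language")
    # Two independent signals are enough to hold the message for a human check.
    return {"score": len(reasons), "flag": len(reasons) >= 2, "reasons": reasons}


PHISH = """\
From: Jane Doe <jane.doe@example-ceo-mail.com>
Reply-To: ceo.jane@freemail.example
To: payroll@example.ca
Subject: Quick request

Hi, I need the T4s and SINs for all employees today, as a PDF please.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.ca>
To: payroll@example.ca
Subject: Thursday

Can we move the 3pm meeting to Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample))
```

A held message is verified the way the guide below recommends: by contacting the supposed sender through a channel other than the email itself.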
"Somebody clicks on an unsuspected-looking link and they download a piece of malicious code onto that machine," said Manikkayam. "From there, the machine gets locked out so people cannot access the payroll information."

The cybercriminal then demands payment to "unlock" the computer or the files.

Cyberattacks may come from outside or within an organization. PwC's report estimated that 30 per cent of security incidents likely come from current employees and 26 per cent from former employees.

Cybercriminals working within an organization pose an increased threat, said Manikkayam.

"It's more dangerous because an insider may be having increased levels of access to critical resources within the organization," he said. "They might know where the payroll database is stored and who has the access, so they can use social engineering to try to find out the password."

There are a number of tools organizations can use to prevent cyberattacks. They include using up-to-date antivirus software and firewalls, applying security updates as soon as they are available, and implementing tools to scan and filter incoming email.

Other methods include limiting the number of employees with administrative privileges to computer programs, requiring complex passwords, and restricting the types of websites employees can visit.

For payroll, Manikkayam recommended having multiple security controls in place.

"It's all about the concept of layered security, understanding how the payroll database has been configured, whether the default passwords have been changed or not. In many instances, the default database password has not been changed for a long period of time. Anyone who knows the default database password gets free access."

Manikkayam's concern about passwords highlights the fact that technology alone will not solve cybercrime.

"Another concern is the human factor. It remains the greatest hurdle for any kind of cybersecurity program," he said.
A recent report on global information security from professional services firm Ernst & Young underscores the role that employees play.

"For many organizations, the most obvious point of weakness will come from an employee who is careless or fails to heed the cybersecurity guidelines," said the report Cybersecurity regained: preparing to face cyber attacks. "Employee awareness is also a crucial front-line defence, building cybersecurity consciousness and password discipline throughout the organization."

The report recommends organizations implement education and awareness programs for employees. And Manikkayam said such programming should include a number of components.

"(Employees) should find out when to change their individual password; how not to fall victim to a social engineering attack; how they should not click on a phishing email; how not to reveal sensitive information unless you are sure who the person is on the other side; and about sharing sensitive information over unencrypted channels," he said.

Employers should run the programs regularly — possibly once a month to begin — so that employees learn to keep cybersecurity top of mind, said Manikkayam.

"Handling the human factor starts with having good security policies, good security procedures, and having periodic security awareness education for all employees in the organization. Because if you do it only once a year, the chances are that the employees might go through that and then forget it after a couple of months," he said.

"Do a periodic phishing exercise to see whether specific departments are getting into a compromise, like they are clicking on the link, they are trying to open an attachment with a malicious file."

In case a cybersecurity breach does occur, payroll departments should be proactively prepared with pre-written policies and procedures to deal with it, said Manikkayam. The policies should address a range of issues.
"What are the cybersecurity incidents and what are the response methods? What are the procedures which should be followed in case of any kind of security compromise or breach on the payroll data?" he said.

"It definitely makes sense to have all of these things documented and have a training awareness session given to the first responders in case a security incident happens."

Internal attacks pose increased threat: Expert
CYBERSAFE from page 1

Cybersafety strategy

The federal government has created a cybersafety guide for small and mid-size businesses. It includes the following tips:

• Use complex passwords containing letters, numbers, and symbols.
• Only visit trusted websites while using business computers or working with business information.
• Never remove or disable security safeguards, such as anti-virus software, on business networks and computers.
• Ask anyone making unusual inquiries about employees, families, or sensitive business matters to verify their identity.
• Always report suspicious activity to a supervisor.
• Do not forward potentially harmful emails. If you need to show it to a supervisor, show them your screen or print it out.
• Do not answer suspicious emails or provide confidential information requested in emails even if they appear legitimate. Contact the legitimate client or organization through another means to ask if they sent the email.

Source: Get Cyber Safe Guide for Small and Medium Businesses
