By Fariz Abdullah, CEO
It’s quite common these days for our data to be tucked up in the cloud, alongside our photos, children’s birthday videos, payslips, tax returns, pension details, renovation bills etc. But did you know that they are all at risk of disappearing with just the snap of a finger? If and when they do, what would you do? Is there a copy somewhere for you to salvage from?
Backing up data incidentally comes under the ambit of a wide range of standards, from data protection and best practices to cyber security, and forms part of the Disaster Recovery Plan. The rationale behind this is that on an ordinary day of data processing, information moves from the source to be processed before it is sent somewhere to be stored.
But wherever the data ends up, it is susceptible to hacking and data theft. This is probably why when we talk about payroll outsourcing, employees and HR practitioners alike tend to ask, “Is my salary data safe when it is outsourced to a third party?”
Without sidelining the fear factor, let’s look at some data breach incidents:
- In 2017, the Equifax data breach in the US exposed personal information of 143 million Americans. Legal recourse then provided the claimants up to US$700 million in compensation (source: https://money.cnn.com, https://cnn.com);
- In 2019, the American Medical Collection Agency (AMCA) suffered a data breach, compromising personal and financial information of nearly 20 million patients. AMCA later filed for bankruptcy protection (source: https://www.zdnet.com) and was subsequently ruled by the Attorney General to have a US$21 million liability (source: https://www.attorneygeneral.gov);
- In 2020, the University of California paid a $1.14 million ransom to regain access to its data after a ransomware attack (source: https://www.forbes.com); and
- From a news report on 18 September 2022, e-payslips of civil servants in Malaysia were alleged to have suffered from data theft (source: https://www.nst.com.my).
But what’s the rationale to protect such information?
Thirdly, all hell may break loose when the salary information of certain individuals is leaked. This may inadvertently generate ill feelings, animosity and jealousy among colleagues and could also turn up the political heat in the office, risking resignations en masse.
With payroll outsourcing enjoying an escalation of interest globally, in part due to the rising awareness of the need for HR to move out of the back office to play a more strategic role, and in part due to the increasingly complex practice of payroll, it makes sense for companies to begin understanding the critical factors that make up a good and ideal outsourcing partner.
In no particular order, companies can use the following to evaluate a potential payroll outsourcing vendor:
- Treatment of Sensitive vs Non-Sensitive Data – is the vendor well versed in what’s inside the system and which kind of data is considered sensitive?
- Operating System vs Application – what safety measures are in place at the different layers of the system?
- Digital vs Analogue – we know about firewalls, encryption and anti-virus but what about the safety net for analogue data?
- User Access vs Client Accounts – what’s the rule that governs user access to client accounts?
- Processing vs Approval – is there any protocol to handle such processes?
- Ordinary Day vs Red Alert – quite simply, can the system continue to run in the event of a disaster like a flood, a fire or a pandemic?
- Upkeep vs Update – it’s easy when we talk about maintaining the daily tasks but what about the periodic updates, how are these managed?
Taking a page from the panic-stricken 2020 and 2021, and thanks to our Disaster Recovery Plan, we knew exactly what to do when the roads and offices were off limits. We also knew which of our staff should come under the Essential Services category so they could walk into the office to process payroll for our clients, and which could securely dial in through our pre-designated VPN while working from home.
Coming back to the question, “Is my salary data safe when it is outsourced to a third party?”
On the technical end, our Tier 3 (highest in Malaysia) bank-grade data centre stands as one of our strong pillars that spells confidence. It is fully certified for its safety credentials by international compliance standards like the Uptime Institute Tier III Certification of Constructed Facility & Design Documents; Threat, Vulnerability and Risk Assessment; Data Centre Risk Assessment (DCRA); Payment Card Industry Data Security Standard (PCI DSS) and ISO certifications for ISO/IEC 27001 Information Security Management System, ISO/IEC 20000-1 IT Service Management System and ISO 9001 Quality Management System. They are the reason why we pass the audit and penetration tests regularly, including those requested by our MNC clients. Going a step further, we also share our test results with our clients so they know how we’re performing from time to time.
But beyond the cold rooms and elevated floors of the data centres, one of the most commonly cited factors for data leakage is human error. This includes passwords on sticky notes, sharing of passwords, absence of a password change schedule, placement of sensitive files and so on. When systems are also built with a single entry point without any perimeter fencing consideration, it raises the risk of the data being tampered with.
In this sense, it is worth noting that as a fellow service provider in the market, we abide strictly by data security & protection as stipulated in our SLA and NDA. This includes safeguarding your payroll secrets with as little human intervention as possible, sometimes limited to only one or two personnel from our office to process north of 500 or even 1,000 payroll data and over multiple payroll cycles too.
Fariz Abdullah is the Chief Executive Officer (CEO) of CXL Group. The organisation offers HR solutions which include Contingent Workforce, Executive Search and Payroll & HR Outsourcing. Under his purview, Fariz has transformed CXL Group into an HR organisation that believes in the importance of advancing through technology but with a deep focus on the human touch in an increasingly digital era.