As with all business and HR software, payroll solutions are increasingly available via a Software-as-a-Service (SaaS) deployment. And when a website can publish its “Top 21 SaaS Payroll and Online Payroll Software Reviews” I think we can officially say that the cloud payroll systems market has grown beyond ‘niche’. However, a core issue for any potential user of cloud-based payroll software is the commonly-held perception that SaaS solutions are somehow less secure than their on-premises, licensed counterparts. The 14th annual Ernst & Young Global Information Security Survey (Into the Cloud, Out of the Fog) examines the data security issues surrounding cloud payroll solutions and the idea of holding an organization’s data ‘off-premises’.
2012 Information Security Trends
Ernst & Young identified three global trends that are having an impact on data security:
The pace of technological change continues to increase as goods and services are ‘digitized’;
There is a shift from traditional outsourcing contracts to cloud service providers; and
Organizations’ physical borders are disappearing with 24/7, anywhere mobile access to information.
Interestingly enough, payroll software is subject to all three of these trends—especially when considering the increasing use of online payslips and payroll cards; the rise in SaaS software automation of the payroll process; and the beginnings of mobile self-service access to payroll data and transactions for employees and managers.
With 1,700 C-level participants across 52 countries, the E&Y survey found that, “61% of respondents are currently using, evaluating or planning to use cloud computing-based services within the next 12 months.” Cloud-based solutions offer high configurability, swift implementation and a generally higher degree of innovation. However, cloud service users are not always looking closely at the cloud’s particular security issues. With communication and data-sharing via the internet as opposed to a company network, data vulnerability increases. Ernst & Young believe, “organizations are making trade-offs — whether they realize it or not…, our appetite for external cloud services has increased our dependency on third parties and dimmed our view into the inner workings of core business applications. And as organizations become increasingly locked in to their cloud provider, they also face compliance, contracting, legal, and integration risks. Moving to the cloud is not just another change program; it is nothing less than a complete transition of business processes, including the risks associated with it.” Most users of SaaS payroll software treat its selection and implementation as simply the next IT ‘updating’ and neglect the fact that the cloud’s undoubted benefits are balanced to a certain extent by its risks.
Know Your Cloud Payroll Vendor
As SaaS makes it easier for businesses to access sophisticated services without the need for any technical aptitude or awareness, a further risk opens up. Of the survey respondents, 80% are using SaaS services. However, Ernst & Young point out that SaaS is not always what it seems: “although many people believe that they are purchasing SaaS, it may be from a cloud provider who is using Platform as a Service (PaaS) capabilities from another cloud provider who purchased its infrastructure from an Infrastructure as a Service (IaaS) provider who rents space in a shared data center. The lines between vendors are blurring, and in a world where data flows freely from vendor to vendor, trust becomes a precious commodity.” The organization using SaaS payroll software must reassure itself that the channels through which its data is passing are secure, and the first step is to know what those channels are. Perhaps more than any other point on data security, this is one of the most easily recognizable and avoidable cloud payroll pitfalls; all it takes is due diligence on the front end to see past whatever hype you’re hearing from your payroll software vendor.
Mobile Access – Payroll on the Move
With the increase in use of tablets and smartphones to access corporate systems remotely, an organization’s data may now be stored on thousands of individual devices rather than a single closed network, and those devices are all connected via the internet. In some cases, companies are authorizing the use of employee-owned devices instead of providing devices with a preconfigured system; in other words, the security settings are down to the individual. Rather than cut back on mobile usage, Ernst & Young found that, “policy adjustments and awareness programs were chosen as the top two measures organizations are using to help address risks posed by this new technology.”
The Bottom Line Recommendations
The survey makes a series of recommendations which, although generally externally focused, can be easily adapted to the specific needs of payroll software, as follows:
Make security a part of regular payroll reporting, keeping the issue present at C-level discussions;
Build user awareness of the importance of security regarding payroll data;
Have visible measures in place that demonstrate to employees that the organization takes the security of their data seriously;
Establish guidance for the use of mobile devices;
Use encryption as a fundamental control (currently less than half of respondents are using it);
Apply attack and penetration testing to mobile apps before deployment to help reduce the organization’s risk of exposure;
Select SaaS providers that are transparent about data security.
The use of SaaS-deployed payroll software carries some unique data security risks. However, this fact is intended neither as a discouragement nor as an argument against cloud use. Rather, it is an argument for using the cloud intelligently, fully leveraging its benefits while acknowledging and addressing the inevitable risk factors.