Is Cloud-Based Payroll Software Safe for SMBs?
IndustryView | 2015
Adoption rates for cloud-based payroll solutions are lower than those for other cloud-based human resources (HR) applications, largely due to security concerns. For this report, Software Advice surveyed small and midsize businesses (SMBs) on their use of cloud-based payroll software, their confidence in the security of these solutions and what steps they take to protect company data. The results will inform potential software buyers of possible security risks and best practices to follow when using cloud-based payroll solutions.
In the spring of 2014, a group of cybercriminals repeatedly hacked HR departments across the country, filing fraudulent tax refund requests. In order to carry out these attacks, the hackers stole the organizations’ credentials from the third-party, cloud-based payroll services provider they were using.
In a separate instance in December 2014, the cloud-based payroll software used by SAG-AFTRA—Hollywood’s largest union—was hacked. The security breach affected approximately 160,000 actors, stunt performers, recording artists and others, and forced the payroll provider to notify state regulators, credit reporting agencies and law enforcement officials of the incident.
Due to the prevalence of cyber attacks in 2014, there has been increased media attention on the security of cloud-based systems. Add to this the sensitive nature of payroll information, and it is easy to see why SMBs tend to adopt cloud-based payroll systems at lower rates than other cloud-based HR applications.
The information stored in a company’s payroll software includes employees’ social security numbers, addresses and salaries—making it a prime target for identity theft criminals. Since cloud-based software is accessible not only through a company’s internal servers, but from any compatible device with an Internet connection, information stored in the cloud may appear to be low-hanging fruit for hackers. However, this is not necessarily the case—and there are security measures businesses can take to better protect sensitive data.
Software Advice surveyed payroll and benefits administrators at SMBs (defined here as businesses with $100 million or less in annual revenue and 1,000 or fewer employees) to gauge their confidence in the security of both their cloud-based payroll solutions and their overall organizations. We also spoke with payroll industry experts to learn how businesses can safeguard themselves against attacks on cloud-based software.
There are four primary ways that most organizations conduct their payroll:
In Software Advice’s 2014 HR Software BuyerView report, we found that 77 percent of buyers request cloud-based, general HR software. However, in the survey conducted for this report, we find that only 24 percent of the SMB payroll professionals in our sample use a cloud-based solution. In contrast, 53 percent use an on-premise system.
Since cloud-based software is accessible through the Internet and maintained by a third party, some businesses have been hesitant to adopt it, fearing that sensitive payroll data would be more vulnerable to hackers. In fact, security and data protection are among the top concerns enterprises have about implementing this type of software.
However, the actual experience of SMBs that use cloud-based payroll software paints a different picture. The rest of this report focuses only on the 24 percent of respondents in the chart above who use this technology. As it turns out, while media coverage tends to focus on security breaches of cloud solutions, such instances are the exception to the rule.
Contrary to what companies may believe about the security of their data in the cloud, Michael Fineberg, chief technology officer at cloud-based payroll software vendor SurePayroll, notes that “security is the first benefit” of such solutions. As he explains, this is because “your payroll information is not sitting on a computer that could be corrupted or crash.”
James Merlini, president of payroll software firm WorkPerks, Inc., agrees, adding that if a small business has an on-premise system operating on its own servers, it will “have a lot more liability.” This is because the business owner is responsible for keeping social security numbers, tax forms and other sensitive information safe.
But with a Web-based system, Merlini explains, “you know that it’s externally supported and updated somewhere else.”
The software users we surveyed agree that security is not a problem. In fact, a combined 96 percent say they are “confident” that employees’ private data is protected from hackers and unauthorized viewers within their cloud-based software solution. Of these, 44 percent are “very confident,” while 52 percent are “moderately confident.” Only 4 percent say they are “not at all confident” that their system is secure.
Fineberg says this confidence is justified. While he notes that SMBs should ensure they’re using a reputable software provider, once that is verified, there is little for them to worry about.
There are standard security precautions that most providers will take (and that companies should verify providers have in place), Fineberg explains. These include:
Additionally, “sensitive information is encrypted in … databases and each session is protected by SSL technology,” Fineberg says. SSL, short for “secure sockets layer,” is the standard security technology used to establish encrypted links between a server and a Web browser.
As Fineberg notes, cloud-based payroll software providers use “Web servers [that] use the strongest available security: 128-bit SSL (256 bit on supported browsers).”
Cloud-based payroll software has many benefits, says Thu Pham, an information security specialist at Duo Security, a two-factor authentication service. In addition to requiring less support from the information technology (IT) department and reducing a company’s liability, she notes, this software can save time when it comes to payroll administration. This is a definite boon for SMBs, where HR departments are often understaffed.
According to Pham, cloud-based payroll is easier for employees because it “allows them to log in to their accounts and view employee financial information anywhere, anytime, [and gives] them the ability to access W-2s and payroll stubs electronically.”
However, this sort of universal access can also be a security pain point. With multiple users and the ability to log into the system from almost any location, companies must implement their own security measures—e.g., training employees on proper use of the system and verifying the identity of those who access the system remotely.
While respondents are extremely confident in the security of their cloud-based payroll solutions, they’re less so that their business has taken all necessary precautions to protect sensitive company and employee data. Just 36 percent say they are “very confident” in their company’s own security measures.
While over half still report being “moderately confident” in their company’s security measures, this certainly leaves room for improvement. Luckily, there are some steps SMBs can take to boost internal security.
According to Pham, following a few basic security best practices can further protect the data of companies that use cloud-based payroll software. The most basic of these precautions is providing employees with security training, which may consist of the following:
As it turns out, the precautions Pham suggests are also the most popular security measures implemented by companies in our sample: 79 percent say they currently have security training in place for their employees, while 73 percent say they use two-factor authentication.
Session timeouts, where the user is logged out of the software after a specified period of inactivity, are used by 67 percent of our sample. Buyers seeking to implement this security measure should ensure their desired software solution offers it before making a purchase.
Wagepoint’s payroll solution logs users out after a period of inactivity
Meanwhile, one-quarter of our sample uses biometric authentication. This security measure associates users with a unique physical attribute (e.g., fingerprint recognition) and requires additional technology, such as a fingerprint scanner, in order to be implemented. This method is more expensive than the others listed in the above chart, and takes more time to implement, as employers must collect employee samples (i.e., fingerprints) and integrate the payroll software with the biometric technology. These factors are likely reasons for its relative unpopularity among our sample.
While cloud-based payroll software is still in its early days, its use is on the rise as more companies realize the many benefits of this technology, such as lower upfront costs, vendor-initiated software updates and decreased liability. As evidenced by the data in this report, companies using cloud-based payroll solutions are extremely confident in the security of employee and company data contained within the software.
In the wake of cloud-based payroll software security breaches in late 2014, smaller businesses with fewer resources and lower security budgets may fear they are more vulnerable to hackers who attempt to target their systems—but that is not the case.
“Low-tech and unsophisticated phishing, social engineering, brute force and other password-targeted attacks can work on companies of all sizes that have poor access security,” Pham explains.
To protect themselves, companies should verify they use a reputable software provider that employs common security precautions, such as:
In addition to ensuring their service provider has a strong focus on security, companies themselves should implement a few best practices to secure their sensitive data, such as the four best practices previously mentioned.
To collect the data in this report, we conducted a seven-day online survey of nine questions, and gathered 77 responses from a random sample of payroll and benefits administrators at businesses with fewer than 1,000 employees within North America. We screened our sample to only include respondents who used cloud-based payroll software. Software Advice performed and funded this research independently.
Results are representative of our survey sample, not necessarily the population as a whole. Sources attributed and products referenced in this article may or may not represent client vendors of Software Advice, but vendor status is never used as a basis for selection. Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.