Is Cloud-Based Payroll Software Safe for SMBs?
IndustryView | 2015

Adoption rates for cloud-based payroll solutions are lower than those for other cloud-based human resources (HR) applications, largely due to security concerns. For this report, Software Advice surveyed small and midsize businesses (SMBs) on their use of cloud-based payroll software, their confidence in the security of these solutions and what steps they take to protect company data. The results will inform potential software buyers of possible security risks and best practices to follow when using cloud-based payroll solutions.

Key Findings:

  1. Only 24 percent of SMBs in our sample currently use cloud-based software to track and distribute employee payroll.
  2. Ninety-six percent of SMBs are confident that the security measures used by their payroll software provider adequately protect their employees’ data.
  3. The majority of respondents follow basic security best practices with their cloud-based payroll software, such as security training and two-factor authentication.

Introduction

In the spring of 2014, a group of cybercriminals repeatedly hacked HR departments across the country, filing fraudulent tax refund requests. In order to carry out these attacks, the hackers stole the organizations’ credentials from the third-party, cloud-based payroll services provider they were using.

In a separate instance in December 2014, the cloud-based payroll software used by SAG-AFTRA—Hollywood’s largest union—was hacked. The security breach affected approximately 160,000 actors, stunt performers, recording artists and others, and forced the payroll provider to notify state regulators, credit reporting agencies and law enforcement officials of the incident.

Due to the prevalence of cyber attacks in 2014, there has been increased media attention on the security of cloud-based systems. Add to this the sensitive nature of payroll information, and it makes sense why SMBs tend to adopt cloud-based payroll systems at lower rates than other cloud-based HR applications.

The information stored in a company’s payroll software includes employees’ social security numbers, addresses and salaries—making it a prime target for identity theft criminals. Since cloud-based software is accessible not only through a company’s internal servers, but from any compatible device with an Internet connection, information stored in the cloud may appear to be low-hanging fruit for hackers. However, this is not necessarily the case—and there are security measures businesses can take to better protect sensitive data.

Software Advice surveyed payroll and benefits administrators at SMBs (defined here as businesses with $100 million or less in annual revenue and 1,000 or fewer employees) to gauge their confidence in the security of both their cloud-based payroll solutions and their overall organizations. We also spoke with payroll industry experts to learn how businesses can safeguard themselves against attacks on cloud-based software.

Less Than One-Quarter of SMBs Use Cloud-Based Payroll Software

There are four primary ways that most organizations conduct their payroll:



  • Using on-premise software (hosted in-house, on the company’s own servers);
  • Using cloud-based software (hosted remotely, on third-party servers);
  • Using manual methods (such as spreadsheets and email); and,
  • Outsourcing the entire process to a third-party payroll services provider.

In Software Advice’s 2014 HR Software BuyerView report, we found that 77 percent of buyers request cloud-based, general HR software. However, in the survey conducted for this report, we find that only 24 percent of the SMB payroll professionals in our sample use a cloud-based solution. In contrast, 53 percent use an on-premise system.

Current SMB Payroll Methods

Since cloud-based software is accessible through the Internet and maintained by a third party, some businesses have been hesitant to adopt it, fearing that sensitive payroll data would be more vulnerable to hackers. In fact, security and data protection are among the top concerns enterprises have about implementing this type of software.

However, the actual experience of SMBs that use cloud-based payroll software paints a different picture. The rest of this report focuses only on the 24 percent of respondents in the chart above who use this technology. As it turns out, while media coverage tends to focus on security breaches of cloud solutions, such instances are the exception to the rule.

Nearly All Cloud Payroll Software Users ‘Confident’ Systems Are Secure

Contrary to what companies may believe about the security of their data in the cloud, Michael Fineberg, chief technology officer at cloud-based payroll software vendor SurePayroll, notes that “security is the first benefit” of such solutions. As he explains, this is because “your payroll information is not sitting on a computer that could be corrupted or crash.”

James Merlini, president of payroll software firm WorkPerks, Inc., agrees, adding that if a small business has an on-premise system operating on its own servers, it will “have a lot more liability.” This is because the business owner is responsible for keeping social security numbers, tax forms and other sensitive information safe.

But with a Web-based system, Merlini explains, “you know that it’s externally supported and updated somewhere else.”

The software users we surveyed agree that security is not a problem. In fact, a combined 96 percent say they are “confident” that employees’ private data is protected from hackers and unauthorized viewers within their cloud-based software solution. Of these, 44 percent are “very confident,” while 52 percent are “moderately confident.” Only 4 percent say they are “not at all confident” that their system is secure.

SMB Confidence in Security of Cloud-Based Payroll Software

Fineberg says this confidence is justified. While he notes that SMBs should ensure they’re using a reputable software provider, once that is verified, there is little for them to worry about.

There are standard security precautions that most providers will take (and that companies should verify providers have in place), Fineberg explains. These include:



  • Regular internal security audits to ensure security protocols are up to par;
  • Security scans that constantly run on the software provider's servers;
  • Staff dedicated to continually implementing software updates if scans uncover any weaknesses; and,
  • 24/7 on-site security at the server location to keep client data safe.

Additionally, “sensitive information is encrypted in … databases and each session is protected by SSL technology,” Fineberg says. SSL, short for “secure sockets layer,” is the standard security technology used to establish encrypted links between a server and a Web browser.

As Fineberg notes, cloud-based payroll software providers use “Web servers [that] use the strongest available security: 128-bit SSL (256 bit on supported browsers).”

Users Slightly Less Confident in Company’s Own Security Precautions

Cloud-based payroll software has many benefits, says Thu Pham, an information security specialist at Duo Security, a two-factor authentication service. In addition to requiring less support from the information technology (IT) department and reducing a company’s liability, she notes, this software can save time when it comes to payroll administration. This is a definite boon for SMBs, where HR departments are often understaffed.

According to Pham, cloud-based payroll is easier for employees because it “allows them to log in to their accounts and view employee financial information anywhere, anytime, [and gives] them the ability to access W-2s and payroll stubs electronically.”

However, this sort of universal access can also be a security pain point. With multiple users and the ability to log into the system from almost any location, companies must implement their own security measures—e.g., training employees on proper use of the system and verifying the identity of those who access the system remotely.

While respondents are extremely confident in the security of their cloud-based payroll solutions, they’re less so that their business has taken all necessary precautions to protect sensitive company and employee data. Just 36 percent say they are “very confident” in their company’s own security measures.

SMB Confidence in Internal Security Precautions

While over half still report being “moderately confident” in their company’s security measures, this certainly leaves room for improvement. Luckily, there are some steps SMBs can take to boost internal security.

Majority of Cloud Software Users Follow Basic Security Best Practices

According to Pham, following a few basic security best practices can further protect the data of companies that use cloud-based payroll software. The most basic of these precautions is providing employees with security training, which may consist of the following:

  1. Require employees to have strong passwords. The first line of defense is a strong password. When employees are given login credentials to the system, companies must ensure they are aware of password best practices. For instance, an employer might require that employee passwords be longer than seven characters, and include numbers, letters and/or special characters.

  2. Train employees on proper password storage. Companies should also instruct employees on the best way to store these passwords. This includes telling them that passwords should not be written down in plain sight. Instead, they should be stored securely, whether in a “password-keychain” application or committed to memory.

  3. Teach employees to spot suspicious Web activity. Pham advises companies to train employees “to spot phishing emails, and to never enter their payroll credentials into a form or website linked in an email.” Additionally, she says, employees should know how to check the address in their Web browser to verify that they’re logging into the legitimate payroll website for their company.

  4. Implement two-factor authentication. This method requires users to submit a secondary form of identity verification after inputting their password in the system. They may receive a text message on their mobile device, be sent an email or use a hard token to generate a unique PIN that must be entered to gain access. This method can relieve companies from training users on password practices, since remote attackers can’t log into the software without possessing the user’s device or having access to their phone or email.

As it turns out, the precautions Pham suggests are also the most popular security measures implemented by companies in our sample: 79 percent say they currently have security training in place for their employees, while 73 percent say they use two-factor authentication.

Top SMB Security Precautions for Cloud-Based Payroll Software

Session timeouts (where the user is logged out of the software after a specified period of inactivity) are used by 67 percent of our sample. Buyers seeking to implement this security measure should ensure their desired software solution offers it before making a purchase.

Wagepoint’s payroll solution logs users out after a period of inactivity

Meanwhile, one-quarter of our sample uses biometric authentication. This security measure associates users with a unique physical attribute (e.g., fingerprint recognition) and requires additional technology, such as a fingerprint scanner, in order to be implemented. This method is more expensive than the others listed in the above chart, and takes more time to implement, as employers must collect employee samples (i.e., fingerprints) and integrate the payroll software with the biometric technology. These factors are likely reasons for its relative unpopularity among our sample.

Conclusions

While cloud-based payroll software is still in its early days, its use is on the rise as more companies realize the many benefits of this technology, such as lower upfront costs, vendor-initiated software updates and decreased liability. As evidenced by the data in this report, companies using cloud-based payroll solutions are extremely confident in the security of employee and company data contained within the software.

In the wake of cloud-based payroll software security breaches in late 2014, smaller businesses with fewer resources and lower security budgets may fear they are more vulnerable to hackers who attempt to target their systems—but that is not the case.

“Low-tech and unsophisticated phishing, social engineering, brute force and other password-targeted attacks can work on companies of all sizes that have poor access security,” Pham explains.

To protect themselves, companies should verify they use a reputable software provider that employs common security precautions, such as:

  • Having 24/7 security staff that implements continuous updates;
  • Data encryption; and,
  • SSL technology.

In addition to ensuring their service provider has a strong focus on security, companies themselves should implement a few best practices to secure their sensitive data, such as the four best practices previously mentioned.

Methodology

To collect the data in this report, we conducted a seven-day online survey of nine questions, and gathered 77 responses from a random sample of payroll and benefits administrators at businesses with fewer than 1,000 employees within North America. We screened our sample to only include respondents who used cloud-based payroll software. Software Advice performed and funded this research independently.

Results are representative of our survey sample, not necessarily the population as a whole. Sources attributed and products referenced in this article may or may not represent client vendors of Software Advice, but vendor status is never used as a basis for selection. Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.

If you have comments or would like to obtain access to any of the charts above, please contact erin@softwareadvice.com.

