Jun 25, 2020 05:37 PM EDT
Keeping Your Employee Data Safe: How to Prevent Payroll Data Breaches
Data breaches have become commonplace these days, increasing as hackers become ever more sophisticated. A podcast from Thomson Reuters from last year talked about the Taxpayer First Act, which sought to contend with identity theft involving the Internal Revenue Service and create measures to inform taxpayers when suspicious activity occurred. The act came about because the IRS suffered a massive breach in 2016, with over 700 thousand social security numbers stolen from stored W-2 forms, along with other payroll-related information.
It's telling that when the IRS commissioner testified in 2017 in front of the US Senate Finance Committee, he admitted to another breach that allowed hackers to gain access to the personal information of students, who use an IRS software application to apply for student aid. This breach allowed identity thieves to steal some $30 million from the US government by submitting fraudulent tax returns. Payroll information that employers collect for taxation purposes - including W-2 and I-9 forms - is increasingly being used by criminals and sold clandestinely online.
In another case in 2018, involving the Department of Defense, a third-party vendor who conducted background checks for the government was breached. The hack allowed access to birth dates, social security numbers, and fingerprint records of former, current, and potential government workers. And there are other accounts of hacked government agencies tied to payroll security issues.
It's not just government organizations that are targets of these breaches. Here are some of the top data breaches:
Yahoo experienced two breaches, with 3 billion and 500 million records stolen in consecutive years due to hacking in both 2013 and 2014.
First American Financial Corporation lost 885 million records in 2019 due to lax security.
Facebook had 540 million records compromised due to inadequate security measures in 2019.
In 2018, Marriott International was hacked, compromising 500 million records.
And due to both poor security and hacking, Friend Finder Networks had 412.2 million records affected.
So what does a company do to prevent such breaches?
Preventing Data Breaches
It's important to educate employees and implement protocols to keep your payroll information secure. The IRS works with employers and taxpayers, keeping them informed on what security measures to use. Here are a few simple solutions to help prevent identity theft from stolen payroll information:
Activate antivirus software: Antivirus software helps detect attacks before they cause significant damage, and it's not just effective against viruses. Most modern antivirus solutions have advanced detection capabilities beyond merely filtering out threats.
Use a firewall: Firewalls act as a shield to protect your PC, tablet, or phone from malware and other threats that seek to compromise your data. When data passes from your computer to routers and servers, firewalls monitor where these packets of data go, often disallowing the data exchange when a site is considered unsafe.
Implement two-factor authentication: Two-factor authentication requires two different factors to verify who you are before it allows access. Commonly, it configures your firewall to require a personal password along with a hardware token.
Use backup software and services: Data backups ensure you don't lose important files if your system crashes or your hard drive fails. Often a data breach will cause information to be lost, so it's important to save important company data in the event of a cyber break-in.
Utilize drive encryption: Encrypting information allows you to protect it better against cyber-criminals, significantly reducing the risk that data will become compromised. Full data encryption further ensures that a company will be in compliance with government regulations, and thus less likely to be the target of potential fines or lawsuits. Keeping your data safe with electronic signing of payroll and other employee documents, for example, is one good way to use encryption technology.
Use secure virtual private networks (VPNs): A VPN provides an inexpensive way to safeguard your payroll information against cybercrime by encrypting data prior to sending it over the Internet. If you're using a VPN, your connection is more secure and harder to hack, especially when using the company's WiFi.
Managed Security Services
Though we talked earlier about a breach due to the DoD using a third party, just because you're using a third party doesn't mean that your data is less safe. In fact, for the 2019 Cybersecurity Pulse Report, cybersecurity companies were asked, "Where do you see the highest risk coming from?"
Of these firms, 87% replied, "The greatest threat lies with untrained general staff."
It may actually make more sense to have a third-party security specialist act as your cyber-security guard rather than keep security in-house. Having security experts can help your company avoid the devastating financial and reputational damage resulting from such breaches.
Experts who provide managed security support tend to provide much more advanced security measures than your in-house teams can. As specialists in their field, they're trained to manage risks, effectively implement the proper controls, and develop custom strategies that make sense for your business and industry.
Training such workers yourself would be financially impossible for many businesses. Plus, these managed security providers are steeped in the knowledge of what businesses need to remain compliant with government regulations, along with knowledge of how to mitigate the effects of common risks. Their security plans tend to be tailored towards specific needs, and they're in a position to maximize your return on investment while dealing with security priorities.
Implementing Best Practices
Still, companies need to employ best practices when dealing with payroll data. Employees can be your weakest link, or they can be one of your strongest. You need to ensure that your workers are aware, and this takes effective training.
A 2018 report on privacy and security found that 75% of employees couldn't properly identify the best ways to deal with data privacy and cybersecurity. Workers using their own devices in the workplace can open portals for hackers, so limitations on where smartphones can be used may be necessary. Employees should also be aware of how criminals can utilize cloud storage and the Internet of Things to access sensitive payroll data.
Effective training is critical to ensure your employees know the importance of data security. And training will empower them to report potential risks. It's important that payroll data is treated with care, and that only those with the need to know have access. Regularly updating employees on potential threats will ensure awareness, making them part of the solution rather than part of the problem.