It’s payday! Your employees are expecting their automatic deposit to show up in their checking account by the time the workday starts. Of course, it will be there. It’s always there. Several years ago, your own internal employees would process the payroll, but now you’ve outsourced it to a cloud service, and you have confidence that its sophisticated, highly secure systems will protect the payroll process and your employees’ confidential data.
But wait.
A funny thing happened on the way to your checking account. The service you expected to be impenetrable fell victim to hackers. No one received their checks. This is never good, but at a time when businesses want to find creative ways to show their employees they are respected and valued, missing a pay period (or maybe more) isn’t helpful and could hurt a company’s effort to retain talent.
This scenario played out on Dec. 11 when human resources management company Ultimate Kronos Group was hit by a ransomware attack that left many large employers nationwide dealing with payroll disruptions, including Rhode Island-based Care New England Health System, according to news reports.
At the 2,000 affected companies – which also included Tesla Inc., Puma SE, FedEx Corp. and Whole Foods Market LP – employees were left waiting for their direct deposits, and their employers scrambled to provide manual processing or paper checks. It took until Jan. 22 for Kronos to restore production system access for all of its clients. The company continues to recover nonproduction data.
My point isn’t that companies should move their payroll processing back in-house but rather that it is critical that business leaders understand the ramifications of overconfidence in cloud-based vendors and, ultimately, how to protect their businesses.
Employees are your weakest link. While hackers look for vulnerabilities both in technical code and in your employees with authorized access, human error was a major cause in 95% of all breaches, according to the IBM X-Force Threat Intelligence Index 2021 report. The best remedy is, naturally, user training. What’s more, if you’ve tried to buy or renew a cyber-insurance policy lately, you know that most carriers insist on both ongoing user training for your employees and a “written information security plan,” or WISP.
You’re still on the hook for breaches. Be sure to carefully scrutinize the contracts you have with your cloud suppliers so you understand just how much liability is on you if their systems are compromised. It is likely that you are responsible for meeting the extensive and multistep requirements to satisfy your state’s breach notification laws when your vendor’s systems are compromised. Certainly, no contract with a cloud service provider will address the damage to your firm’s reputation.
Businesses need a remediation plan. You must be prepared to step in with a thoughtful and comprehensive emergency alternative plan for handling the functions you rely on from a cloud service. It should cover every cloud service vendor with whom you have a contract. As an example, many companies use Microsoft’s Office 365 to host their email. Hopefully, your information technology provider’s coverage includes a complete backup of all email, with the ability to continue sending and receiving messages should those systems go down. Normally, these “failover” strategies are included in a thorough WISP.
As companies of all kinds work successfully with cloud-based providers every day, it’s vital to be aware that overconfidence in cloud services may put your business, and its reputation, in jeopardy. Businesses are well-advised to train their teams, review their contracts with cloud vendors, and work with IT providers to plan for breaches to reduce vulnerabilities.
Peter Lachapelle is vice president of operations and finance at NetCenergy, an information technology company in Cranston.