Outsourcing payroll and data security: Is your payroll data safe with an external provider?

Updated: Nov 24



There are different ways to manage payroll, and many companies still outsource theirs. Is this safe, though?


The short answer is no.


Human error is the most common cause of security breaches and data leaks; by most estimates around nine in ten such incidents are unintentional, and email is often at the heart of the problem.


According to law firm Harper James, heavy reliance on external payroll operators significantly increases the risk of data breaches. That is because running payroll externally usually still involves emailing personal information back and forth, and payroll data is a particularly valuable target because payroll involves large, regular bank transfers.


In this article, we’ll discuss the different aspects of payroll security – and also the best strategies to mitigate the risk of data breaches.


Security breaches and data leaks: Why is outsourcing payroll the least secure option?


Outsourced payroll, where you send all your payroll data to an external provider, exposes you to significant security risk because:


  • You’re sending your most sensitive data to a third party and can no longer control what happens to it, yet you remain responsible for it: under GDPR you are the data controller, and a breach at the provider is still your breach. Checking the provider’s information security arrangements is a due-diligence duty, not a way to hand off liability

  • Data is often shared unencrypted via email, exposing you to the risk of both phishing attacks and accidental leaks

  • Personally identifiable information (PII) can cause harm to employees and to your business if it gets in the wrong hands


A self-serve employee platform like Zelt enables you to eliminate all of these risks and retain full control of your data: Employees can access and update personal information within the platform, and data never leaves the app’s secure environment.


But let’s first see the different types of security breaches to which outsourcing payroll can expose you.


Accidental data breaches


While most companies are no longer printing sensitive data – which is a major security risk, both because documents can get stolen and because printers are often not properly secured – many are still using email to send it either to an external payroll provider or to their employees.


It is widely reported that around 90% of data breaches start with email, and because modern mail clients such as Gmail in Google Workspace save and autocomplete recipients, an email with employee data sent to the wrong Alex quickly becomes a personal data breach you may have to report to the ICO (within 72 hours of becoming aware of it, under GDPR).


Your employees’ payroll data in the wrong hands puts them at risk of sophisticated fraud such as identity theft or the “safe account” scam, in which a fraudster posing as the victim’s bank persuades them to move money to an account the fraudster controls; that scam has recently cost hundreds of people in the UK their life savings.


Phishing attacks and payroll fraud


More dangerous than accidental data breaches are phishing attacks, and externally run payroll is an ideal target for phishing because (a) email is already the default channel of communication, which gives the attacker a ready-made way in, and (b) many different people are involved, each of whom can be impersonated.


Attackers may impersonate the payroll provider and

  • ask the employee to share personal data

  • ask the HR admin to share employee data

  • ask the employee to return supposedly incorrect salary payments (to their own account)

  • send manipulated wire instructions (with their own accounts) to the HR admin


Attackers may impersonate the HR admin and

  • ask the employee to share personal data

  • ask the employee to return supposedly incorrect salary payments (to their own account)


Attackers may impersonate the employee and

  • ask the payroll provider to update their bank account details (with their own account)

  • ask the HR admin to update their bank account details (with their own account)
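The impersonation patterns listed above share a few header-level tells: a display name claiming to be the provider or HR while the address is somewhere else, a Reply-To that diverts responses to a different domain, or a sender domain one character away from the real one. Below is an added example (written for this article, not code from Zelt or from any payroll provider) that scores a handful of messages on those tells combined with payment or PII request wording. The domains example-corp.test and payroll-bureau.test and every message are constructed for the illustration.

```python
"""Flag payroll-fraud lures in a batch of messages (illustrative, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the employer's own domain and its payroll bureau's.
TRUSTED_DOMAINS = {"example-corp.test", "payroll-bureau.test"}

# Wording typical of the lures listed above: bank-detail changes, "overpayment"
# refunds, requests for payslips or tax forms.
PAYMENT_KEYWORDS = re.compile(
    r"\b(bank (account|details)|sort code|iban|overpa(id|yment)|refund|"
    r"return the (payment|salary)|payslips?|national insurance|p45s?|p60s?)\b",
    re.IGNORECASE,
)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch examp1e-corp vs example-corp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """A near miss (1-2 edits) of a trusted domain that is not itself trusted."""
    return domain not in TRUSTED_DOMAINS and any(
        _edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS
    )


def analyse(raw_message):
    """Return {'flagged', 'reasons', 'payment_request'} for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    reasons = []
    # 1. Display name claims a trusted organisation but the address is not theirs.
    shown = re.sub(r"[^a-z0-9]", "", display_name.lower())
    for trusted in sorted(TRUSTED_DOMAINS):
        org = re.sub(r"[^a-z0-9]", "", trusted.split(".")[0])
        if org in shown and from_domain not in TRUSTED_DOMAINS:
            reasons.append(f"display name impersonates {trusted}")
    # 2. Replies would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from {from_domain}")
    # 3. Sender domain is a typo-squat of a trusted one.
    if is_lookalike(from_domain):
        reasons.append(f"lookalike domain {from_domain}")

    payment_request = bool(PAYMENT_KEYWORDS.search(text))
    # An identity anomaly alone is noise; combined with a money/PII request it is a lure.
    return {"flagged": payment_request and bool(reasons),
            "reasons": reasons, "payment_request": payment_request}


# Constructed sample messages, one per scenario from the list above plus a benign one.
SAMPLES = {
    "spoofed_provider": (
        "From: Payroll Bureau <accounts@payroll-bureau-support.test>\n"
        "To: hr@example-corp.test\n"
        "Subject: Updated payment instructions for this month\n\n"
        "Our bank details have changed. Please send this month's BACS run to "
        "sort code 12-34-56, account 12345678.\n"
    ),
    "employee_bank_change": (
        "From: Alex Smith <alex.smith@example-corp.test>\n"
        "Reply-To: alex.smith.personal@webmail.test\n"
        "To: hr@example-corp.test\n"
        "Subject: Change my bank details\n\n"
        "Hi, I changed banks - can you update my bank account before payday?\n"
    ),
    "lookalike_hr": (
        "From: HR <hr@examp1e-corp.test>\n"
        "To: payroll@payroll-bureau.test\n"
        "Subject: Urgent\n\n"
        "Please send the P60 and payslip for every employee tonight.\n"
    ),
    "benign_provider": (
        "From: Payroll Bureau <payroll@payroll-bureau.test>\n"
        "To: alex.smith@example-corp.test\n"
        "Subject: Your payslip is ready\n\n"
        "Your payslip is available in the portal.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyse(raw))
```

A compromised mailbox passes all three header checks, so this is a triage aid for the inbox, not a substitute for the control that actually stops the fraud: confirming every bank-detail or payment-instruction change out of band with the person concerned, on a phone number you already hold.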

Malicious internal data breaches


Malicious internal data breaches happen when an employee steals sensitive information. While many payroll providers do have some security procedures in place, employee churn within payroll firms is often high, and you simply cannot control what happens to your data when another company is handling it – and with each new environment where your data is located, there’s an added security risk.


Your data protection responsibilities are yours


You remain responsible for the security of your employees’ personal data under GDPR (enforced in the UK by the ICO) even if you use an external provider: the provider is a data processor acting on your behalf, and you are still the data controller.


In other words, you cannot outsource your data protection responsibilities and must satisfy yourself that the security measures at the third-party payroll provider are up to par. If you do not, data breaches caused by the external party become your liability too, and employees could sue you if they suffer as a result, for instance if they lose their savings to the safe account scam.


And if you think you will know instantly when a breach happens, think again: according to IBM’s 2021 Cost of a Data Breach report, the average breach took 287 days to identify and contain.


You also need to be able to tell employees exactly where and how their data is stored, and be ready to give them access to it when they ask (a subject access request must normally be answered within one month). A self-serve employee platform addresses this directly: employees can view their data themselves and update or, where appropriate, delete it.


Why is outsourcing payroll still such a popular option if it’s so risky?


If there are so many disadvantages to outsourced payroll management, why is it still such a popular option, you may ask?


Outsourcing payroll was historically the best option: Before we had good payroll software and automation, payroll was a lot of manual work. In that context, outsourcing it to an external provider made sense, which led to the growth of payroll bureaus.


Now, however, externally managed payroll can lead to more manual work because the process is so inefficient, and it also exposes you to additional risk of human error due to duplication of manual data entry and data sharing between multiple people involved in payroll.


In addition, when payroll bureaus became popular, cybersecurity and data protection carried far less weight than they do today, and attacks were far less sophisticated.


Nowadays cyberattacks are becoming more frequent: research from Sophos shows that phishing and ransomware attacks doubled in two years. In the last year 66% of companies were hit by ransomware, compared with 37% in 2020; in 90% of cases the attack affected the business’s ability to operate and in 86% it led to financial losses.


Today, with the right software, you can automate payroll and reduce manual data entry, especially with employee self-service, and keep employee data better protected. That way you control the impact of employee operations (payroll, IT, HR) on security risk and prevent data breaches.


How can you make sure that your payroll data is secure?


So, what are the alternatives and how can you make sure your data is safe?


The two main alternatives to outsourced payroll are:


  • In-house payroll processing, in which you use your own payroll software and handle all payroll processes yourself – the most secure option

  • Hybrid payroll processing, where you use your own software to manage the data but delegate the processing to a third party working inside that in-house software.


Below you can see how these options compare to one another – and to outsourcing your payroll:

Run payroll yourself, own software: In-house

  + Full control
  + Reduces manual work
  + The most flexible option
  + Least security risk
  + Highest degree of automation

  Recommended for companies that are financially confident. Zelt is the best software to use.

Run payroll yourself, external software: N/A

Get external support, own software: Hybrid model

  + Can ask an expert
  + Manual work is outsourced

  Recommended for companies that are financially less confident. Zelt accommodates restricted external access for your accountant via custom permission groups, which are easy to set up and adjust to your needs.

Get external support, external software: Outsourced payroll

  + Can ask an expert
  - Manual data entry
  - Lots of emails
  - More mistakes
  - Inflexible
  - High security risk
  - Low value for money

  Not recommended to anyone: it is an outdated and insecure model.


In short, using HMRC-recognised payroll software like Zelt is the best option you have to keep your payroll data safe, whether you want to run payroll fully yourself or want your accountant to be in charge.


Zelt tackles the issue of payroll security with the help of a single self-serve interface for all employee data:


  • Employees can access their data at any point and update it if necessary, without sending emails with personal data to anyone

  • Data never leaves the platform

  • You have full control over who has access to what, can review all account permissions and can revoke them when needed (i.e. apply least privilege rather than blanket access)

  • If you’re using a hybrid payroll option, you can give access to external providers (accountants, payroll managers), but the data stays with you.
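To make the permission model concrete, here is an added illustrative model (not Zelt’s code, and not a description of how Zelt is built) of least-privilege access to payroll records: a read scope per role, a time-boxed grant for an external accountant, an audit trail, and a bank-detail change that only the employee can make from their own MFA-verified session, so there is no HR, provider or email path for an attacker to abuse. The roles, principals, the two employee records and the dates are all constructed for the example.

```python
"""Least-privilege payroll store with self-service bank changes (illustrative)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Read scope per role. Bank details are readable only by the employee they belong
# to, so neither an HR admin nor an external accountant can be tricked into leaking them.
READ_SCOPES = {
    "employee_self": {"name", "salary", "bank_account", "payslips"},
    "hr_admin": {"name", "salary", "payslips"},
    "accountant": {"name", "salary"},  # external party, granted for a limited period
}

# Fixed clocks so the example is deterministic (constructed dates).
NOW = datetime(2023, 11, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2024, 1, 15, tzinfo=timezone.utc)


def _mask(account):
    return "****" + account[-4:]


@dataclass
class Grant:
    role: str
    expires: Optional[datetime] = None  # external grants should always expire


@dataclass
class PayrollStore:
    records: dict                                 # employee_id -> field -> value
    grants: dict = field(default_factory=dict)    # principal -> Grant
    audit: list = field(default_factory=list)     # append-only event log

    def _log(self, now, principal, action, employee_id, outcome, **extra):
        self.audit.append({"at": now.isoformat(), "principal": principal, "action": action,
                           "employee": employee_id, "outcome": outcome, **extra})

    def grant(self, principal, role, expires=None):
        if role not in READ_SCOPES or role == "employee_self":
            raise ValueError("employee_self is implicit, never granted")
        self.grants[principal] = Grant(role, expires)

    def revoke(self, principal):
        self.grants.pop(principal, None)

    def _role(self, principal, now):
        if principal in self.records:             # employees act only on themselves
            return "employee_self"
        g = self.grants.get(principal)
        if g is None or (g.expires is not None and now >= g.expires):
            return None                           # unknown principal or expired grant
        return g.role

    def read(self, principal, employee_id, fields, now=None):
        now = now or datetime.now(timezone.utc)
        role = self._role(principal, now)
        allowed = READ_SCOPES.get(role, set())
        if role == "employee_self" and principal != employee_id:
            allowed = set()
        denied = set(fields) - allowed
        if denied or employee_id not in self.records:
            self._log(now, principal, "read", employee_id, "denied", fields=sorted(denied))
            raise PermissionError(f"{principal} may not read {sorted(denied)} of {employee_id}")
        self._log(now, principal, "read", employee_id, "ok", fields=sorted(fields))
        return {f: self.records[employee_id][f] for f in fields}

    def change_bank_account(self, principal, employee_id, new_account, mfa_verified, now=None):
        """The only path that changes where pay goes: the employee, in their own
        session, after a fresh MFA step. HR, accountants and email have no such path."""
        now = now or datetime.now(timezone.utc)
        if (self._role(principal, now) != "employee_self"
                or principal != employee_id or not mfa_verified):
            self._log(now, principal, "change_bank_account", employee_id, "denied")
            raise PermissionError("bank details change only via the employee's own MFA-verified session")
        old = self.records[employee_id]["bank_account"]
        self.records[employee_id]["bank_account"] = new_account
        # Log masked values: the audit trail must not itself become a PII leak.
        self._log(now, principal, "change_bank_account", employee_id, "ok",
                  old=_mask(old), new=_mask(new_account))
        return True


def demo_store():
    """Constructed sample data: two employees, one HR admin, one time-boxed accountant."""
    store = PayrollStore(records={
        "alex": {"name": "Alex Smith", "salary": 42000, "bank_account": "12345678", "payslips": ["2023-10"]},
        "sam": {"name": "Sam Jones", "salary": 51000, "bank_account": "87654321", "payslips": ["2023-10"]},
    })
    store.grant("hr.admin", "hr_admin")
    store.grant("ext.accountant", "accountant", expires=datetime(2023, 12, 31, tzinfo=timezone.utc))
    return store


if __name__ == "__main__":
    s = demo_store()
    print(s.read("ext.accountant", "alex", ["name", "salary"], now=NOW))
    s.change_bank_account("alex", "alex", "99999999", mfa_verified=True, now=NOW)
    print(s.audit[-1])
```

The point of the shape is that the fraud scenarios from the phishing section have no code path: an HR admin asked by “Alex” to change bank details has no function to call, the accountant cannot read the field at all, and the accountant’s access lapses on a date rather than lingering after the engagement ends.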


This way, employees can also access their payslips via a secure system, which helps you avoid printing or emailing payslips (both of which are risky).


Handle your payroll data securely to increase confidence and protect yourself against data breaches


Outsourcing payroll is the least secure option for payroll management, especially if you’re using email to communicate sensitive data – and we don’t recommend that option to anyone.


Managing your payroll in-house is the most secure option if you’re equipped with the right payroll software, as you retain full control over your data and who has access to it. Zelt embeds security into your existing people operations processes and helps you improve the way you handle sensitive data at your company, or even prepare for an ISO 27001 or SOC 2 audit.



Frequently asked questions


Why is it important to protect your employee data?


Personally identifiable information (PII) is protected by GDPR and breaches can cause harm to your employees and the company. They may also need to be reported to the ICO and lead to heavy fines – or your employees suing you for failing to protect their data.


Why is payroll outsourcing not a good option anymore?


Employee data is not secure with an outsourced payroll provider, because in most instances it’s shared via email and stored externally, which creates an important risk of accidental data breaches, leaks, and phishing. Additionally, you cannot control what happens to your data once you send it to an external provider, but you remain responsible for any breaches or leaks.


Industry reports put the growth in email-borne cyberattacks at around 600% over the past three years, and breaches take on average 287 days to identify and contain. For these reasons, completely outsourcing your payroll to an external provider is no longer a viable option and increases your exposure to cybersecurity risk.


Does outsourcing payroll reduce my responsibility?


No. You cannot outsource your data protection responsibilities, and have to review information security standards of the payroll outsourcing firm like they were your own, which is often not practically possible.


What is the most secure alternative to outsourcing payroll?


Using HMRC-recognised payroll software like Zelt is the best option you have to keep your payroll data safe, whether you want to run payroll yourself or want your accountant to manage it.


A self-serve platform enables your employees to access their data and update it as necessary, and you retain full control over who has access to what. If you’re using a hybrid payroll option, you can give access to external providers (accountants, payroll managers), but the data stays with you and never leaves the platform.



