
In many ways, payroll cybersecurity is a key component of a company’s reputation.

Every employee needs to feel safe in the knowledge that their personal and financial data is protected from cyber threats. Word spreads quickly when people feel their data isn’t safe.

Many companies mistakenly believe they are immune from cyberattacks. But cybercrime impacts all businesses. In New Zealand, the direct financial loss from cybercrime incidents increased from $5.3 million in 2017 to $16.8 million in 2021, according to the national cybersecurity watchdog CERT NZ.

The risk is considerable. If a hacker gains access to a payroll system, they can steal bank account information, addresses, tax details and other sensitive data in just a few clicks. On top of the reputational damage, if a company fails to take steps to protect sensitive information, it could be penalised.

Cybercrime also comes with a business risk. Some attacks make it impossible for payroll systems to function for a time. While this is frustrating, it can also put payroll in breach of its obligations, such as taxation, leave payments, child support, leave accruals, allowances and deductions.

Because such a large percentage of the population depends on regular pay, not receiving the correct payment at the correct time can be devastating.

In this article, we help payroll professionals begin the process of reviewing data protection and cybersecurity protocols to see if they are up to the task.

Cybersecurity risks 101

It’s important to be able to distinguish between the types of attacks that could affect your payroll systems. Many computer attacks targeting sensitive data can result in the theft of company assets, personal information, confidential records, income, productivity, goodwill and other valuable data.

One example is the DDoS (Distributed Denial of Service) attack. This attack works by overwhelming a website with thousands to millions of computer requests that connect simultaneously, creating congestion and making it inaccessible. DDoS attacks are unlike other hacks in that the cybercriminal does not break into servers or steal data. But the attack can bring a system to a complete standstill.

Ransomware attacks are also common. This malicious software operates by locking a computer or a server and then demanding a ‘ransom’ from the owner in exchange for restoring access to the files. Some estimates suggest a new ransomware attack occurs every 11 seconds.

As we saw with the attack on Waikato District Health Board in 2021, there is no limit to a ransomware hacker’s target set. Unfortunately, many criminals using ransomware software cannot unlock a victim’s data even after a ransom is paid. So, it’s never a good idea to pay a ransom.

Employee data management and data leaks

The weakest link in any organisation’s digital security system is human beings. People make mistakes, forget things, and fall prey to fraudulent activities. More than anything, it is crucial that payroll staff are educated about cybersecurity threats and become aware that they too are a possible point of weakness.

The risk of a data breach can be reduced by reviewing your payroll authorisation and user-access policies. This will allow you to create policies that clearly define who can access what information. Ask yourself:

  • Who has access to your payroll software?
  • Who has access to specific information?
  • Does everyone in Finance have full access?
  • Can contractors, temps and freelancers access sensitive payroll data? If so, why?

As a rule, the number of people who have access to any payroll system should be limited. And to ensure maximum security, those with access should be trained in the protection of company records and data.

However, sometimes it isn’t the size of the team that matters. Companies can be more susceptible to data security issues when one person manages the entire payroll process. It’s far easier for hackers to compromise information when it’s all on a single account.

One way around this is to separate payroll duties and create separate accounts for each payroll manager to avoid creating a single point of failure.
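The access-review questions above and the separation-of-duties point can be turned into a repeatable check rather than a one-off conversation. The following is an added example (not Affinity’s code, and not tied to any particular payroll product): it takes a constructed list of accounts and role grants, with role names that are assumptions to be mapped onto your own system, and flags contractors or temps holding sensitive roles, sensitive access without MFA, one account holding both halves of a duty that should be split (for example, editing bank details and approving the pay run), and any sensitive role held by a single person.

```python
"""Payroll access review: flags the conditions the questions above ask about.

Added example; the account export format and role names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumed role names; map them to the roles your payroll system actually defines.
SENSITIVE_ROLES = {
    "view_bank_details", "edit_bank_details", "approve_payrun",
    "edit_pay_rates", "export_payroll",
}

# Role pairs one account should never hold together (separation of duties):
# whoever can change what is paid, or where it is paid, must not also approve the run.
CONFLICTING_ROLE_PAIRS = [
    ("edit_bank_details", "approve_payrun"),
    ("edit_pay_rates", "approve_payrun"),
]


@dataclass
class Account:
    username: str
    employment_type: str            # "employee", "contractor" or "temp"
    department: str
    mfa_enabled: bool
    roles: set = field(default_factory=set)


def review_access(accounts):
    """Return a sorted list of (username, finding_code, detail) tuples."""
    findings = []
    holders = {}  # sensitive role -> usernames holding it

    for acct in accounts:
        sensitive = acct.roles & SENSITIVE_ROLES
        for role in sensitive:
            holders.setdefault(role, []).append(acct.username)

        # Contractors, temps and freelancers should not hold sensitive payroll access.
        if sensitive and acct.employment_type != "employee":
            findings.append((acct.username, "NON_EMPLOYEE_SENSITIVE",
                             "holds " + ", ".join(sorted(sensitive))))

        # Every account with sensitive access needs multi-factor authentication.
        if sensitive and not acct.mfa_enabled:
            findings.append((acct.username, "NO_MFA", "sensitive roles without MFA"))

        # One account holding both halves of a duty that should be separated.
        for first, second in CONFLICTING_ROLE_PAIRS:
            if first in acct.roles and second in acct.roles:
                findings.append((acct.username, "SOD_CONFLICT", f"{first} + {second}"))

    # A sensitive role held by exactly one person is a single point of failure,
    # both for security (one credential to steal) and continuity (one person away).
    for role, users in holders.items():
        if len(users) == 1:
            findings.append((users[0], "SOLE_HOLDER", role))

    return sorted(findings)


def summarise(findings):
    """Count findings per code, e.g. for a dashboard or an audit ticket."""
    return Counter(code for _, code, _ in findings)


# Constructed sample export; every name and grant here is made up.
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", "Payroll", True,
            {"view_bank_details", "edit_bank_details", "approve_payrun",
             "edit_pay_rates", "export_payroll"}),
    Account("bob", "employee", "Finance", False, {"view_bank_details"}),
    Account("carol", "contractor", "IT", True, {"export_payroll"}),
    Account("dave", "employee", "Finance", True, {"approve_payrun"}),
    Account("erin", "employee", "HR", True, {"view_leave_balances"}),
]

if __name__ == "__main__":
    for user, code, detail in review_access(SAMPLE_ACCOUNTS):
        print(f"{user:8} {code:24} {detail}")
```

Run against the constructed sample, the review reports alice twice for separation-of-duties conflicts and twice as the sole holder of a sensitive role, bob for missing MFA, and carol as a contractor with export access; dave and erin are clean. Running the same check after every starter, leaver or role change keeps the "who can access what" question answered continuously instead of once a year.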

According to the New Zealand Privacy Act 2020, a company must inform employees and regulatory authorities within a prescribed timeframe if their personal data has been compromised, accessed or acquired by an unauthorised person. Data that is electronically processed, stored in a filing system or held in an accessible record is all considered personal data. This includes:

  • References, CVs and job applications.
  • Personal files.
  • Information about payroll, including tax.
  • Medical files.
  • Employee compensation and benefits.
  • Employment contracts.
  • Appraisals and performance reviews.

Overall, payroll staff should follow best practice for collecting, processing and sharing employee data at all times. These practices must be regularly reviewed and updated to ensure compliance with privacy laws.

ISO 27001

ISO 27001 is a security standard that outlines the requirements for information security management systems (ISMS) and the best practices for managing information risks.

The ISO framework is a great way to reassure customers that a company is taking its payroll data security seriously. Affinity Payroll follows the ISO 27001 framework to ensure all information security risks — including those that could compromise the confidentiality, integrity or availability of customer and company information — are properly managed.

We encourage all companies both large and small to adopt and follow ISO certifications so they can better identify and manage cybersecurity risks as part of their ongoing strategy for information security and defending privacy.

Simple but effective actions you can take now

The first piece of advice for improving payroll cybersecurity is to stop using spreadsheets. Although it may seem unbelievable, many companies are still using simple spreadsheets to process payroll even though these documents contain highly sensitive information (which is also often shared via email). This puts information at risk of privacy breaches, identity theft, and ransomware attacks.

The alternative is to digitally transform your payroll-delivery process within a secure cloud environment. This will immediately increase security since the cloud provider will likely be using the latest cybersecurity protocols intended to protect sensitive information and prevent hackers, scammers and other cybercriminals from accessing your payroll data.

A cloud environment can offer safe access, management, and allow for the exchange of sensitive company data via secure channels. Cloud providers are also a great way for growing companies to scale quickly without worrying about weakening their security.

Other tips to boost your payroll security include:

  • Use password-management software.
  • Don’t share your password, and use a different (strong) password for each system.
  • Limit who can access certain systems.
  • Enable multi-factor authentication to add an extra layer of security.
  • Update operating systems and use the most recent software versions.
  • Have a business continuity plan in place should anything happen to servers or other systems that payroll depends on to function.

And if your company is considering shifting its payroll processes to a third-party provider, we recommend asking the following questions:

  • Which security accreditations do you comply with?
  • Is payroll data stored where it is needed? Who has access to it?
  • Can you track access and detect patterns? Is there an access log? Can it be edited?
  • Is it possible to identify, limit and monitor privileged identities?
  • What kind of on-premises security do you have in place?
  • How do you reference-check new employees?
  • Which firewall and antivirus protection do you use?

In the end, having robust and scalable security measures in place will benefit not only your employees’ financial wellbeing. It will secure your place in their hearts and minds as an employer who truly cares about their personal information, and who understands what an honour it is to act as a guardian of that information.



For over thirty years, Affinity has been a trusted partner for mid-market and enterprise businesses in Australia and New Zealand, empowering them to transform their payroll operations. With a focus on turning payroll from a cost into an asset, we have established ourselves as industry leaders in delivering innovative cloud-based payroll software and exceptional payroll services.