In light of the COVID-19 pandemic, a popular ‘quick fix’ amongst many payroll teams was to email staff their payslips as a password-protected PDF file.
Whilst it is clear that these processes were introduced with the best intentions, unfortunately, sending password-protected PDF payslips via email is not as secure as it may appear.
Password-protected payslips rely solely on a password. Depending on the user, this can either be a non-issue or leave you susceptible to cyber-attacks, leading to payslips, and all the sensitive information they contain, getting into the wrong hands very quickly, as explained in our recent National Password Day blog.
To eliminate this risk, at ePayslips we recently deployed Multi-Factor Authentication (MFA). MFA adds a layer of security and is used to ensure that users are who they say they are: when logging in, the system requires the user to provide at least two pieces of evidence to prove their identity. Whenever you sign in to your ePayslips account, you will enter your password, as usual, followed by a code from an authentication app on your mobile.
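To show what the password-plus-authenticator-app step looks like on the server side, here is an added example (not ePayslips' code). It assumes the app codes are standard TOTP (RFC 6238: HMAC-SHA1, 30-second steps, six digits), that passwords are stored as salted PBKDF2 hashes, and that the user record, salt and shared secret are constructed for the demo. It also handles two practical points the paragraph does not spell out: a small clock-drift window, and refusing a code that has already been used.

```python
# Added example, not ePayslips' implementation: a two-step login check where a
# password must pass and then a one-time code from an authentication app must
# pass. Codes are TOTP (RFC 6238). All user data below is constructed.
import base64
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # authenticator apps rotate the code every 30 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are enrolled with a base32 string; decode it to raw bytes."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked user database does not hand out passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record for the demo."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_counter": -1,   # highest time step already accepted; blocks code replay
    }


def verify_login(user: dict, password: str, code: str, at_time: int, window: int = 1) -> bool:
    """Both factors must pass. The code for the current 30-second step and for
    +/- `window` neighbouring steps is accepted (clock drift), but never a step at
    or below the last one already used. Returns a single yes/no so the caller
    cannot tell which factor failed."""
    candidate = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])

    counter = at_time // STEP_SECONDS
    matched = None
    for drift in range(-window, window + 1):
        step = counter + drift
        if step <= user["last_counter"]:
            continue  # this step's code has already been spent
        if hmac.compare_digest(hotp(user["totp_secret"], step), code):
            matched = step
            break

    if password_ok and matched is not None:
        user["last_counter"] = matched   # record the spent step only on full success
        return True
    return False


if __name__ == "__main__":
    # Constructed enrolment: the RFC 6238 reference seed in the base32 form an app would scan.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    user = make_user("correct horse battery", secret)
    now = 59
    print("login ok:", verify_login(user, "correct horse battery", totp(secret, now), now))
    print("replay ok:", verify_login(user, "correct horse battery", totp(secret, now), now))
```

The `last_counter` check matters because a code is valid for the whole 30-second step plus the drift window; without it, someone who captured a code as it was typed could reuse it within that window.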
Risk of the password itself aside, there are other issues we need to account for whilst handling such sensitive information, including GDPR.
Article 32 of the General Data Protection Regulation states that the controller shall ‘implement appropriate measures to ensure a level of security appropriate to the risk’. In this circumstance, email does not provide an appropriate level of security because of the weaknesses of email systems.
So why is email insecure?
- No encryption: Email is inherently an insecure method of communication. All emails are delivered using Simple Mail Transfer Protocol (SMTP), which does not use encryption or authentication.
- Ransomware/malware: Inboxes are regularly targeted by spam and phishing emails. Whilst these emails are not necessarily an issue just sitting in an inbox, they can have consequences. A recipient can click on a malicious link, letting malware into your network, or the email can pose as a legitimate website to capture account details.
- Data leaks: Accidental data leakage due to unintentional error is unfortunately common. An employee can mistype an email address or copy the wrong person into an email chain. If a payslip is sent via email and not password protected, there is a chance it could be sent to an unauthorised recipient.