IN 2013, Yahoo was hit with one of the biggest, if not the most massive, data hacks in history. At that time, the company was in the process of a huge takeover deal. The company only revealed the breach in 2016 when it admitted that over a billion subscriber accounts had been compromised. It claimed that the hackers were able to access security questions and answers but were not able to steal payment cards and other bank details of the company's subscribers.

Lucky for Yahoo? Not really. It lost credibility to investors and the loyalty of its clients, which are some of the harm businesses subjected to data leaks have had to endure even years after a cyberattack. Nearly a decade later, we still hear reports of data losses due to cybersecurity breaches. In today's data-driven world, we have become increasingly susceptible to such. And as more companies embrace digital transformation, it also opens the floodgates for possible cyberattacks that become more sophisticated and more difficult to evade over time.

The truth is no one is ever really safe. The Philippines has risen in the rankings of countries most targeted by cyber threats, placing fourth in cybersecurity provider Kaspersky's 2021 list. The usual targets are students and those working from home during the pandemic. If personal files are seen as attractive targets, we can only imagine how much more attractive files of businesses are to hackers.

In the same way that trade secrets are protected by Philippine data privacy laws, a company's payroll data is also treated as highly confidential and private. When we speak of protecting payroll data, it is important to realize that we are dealing with two distinct kinds of information: payroll strategies and procedures and the personal data of corporate staff. When payroll information is compromised, businesses risk not just employee personal data but also their competitive advantage over other firms. Employee data includes their names, addresses, benefits and bonuses while employer data covers statutory liabilities and bank account information — the latter an irresistible lure for hackers.

In taking the first step to prevent a payroll data breach, a distinction must be made between breaches done through malicious stealing and those due to negligence or lack of due diligence. Common to both types is weak technology. If the issue is poor cybersecurity practice, it is advisable to focus company payroll policies on fostering a culture of accountability, with emphasis on instilling a proper and a common mindset when it comes to preventing data breaches. It may also be helpful to look at the current security culture within the firm, which is particularly helpful for companies who are or are keen on implementing remote or hybrid work arrangements.

The easiest but one of the most neglected ways in keeping sensitive information safe is regular updating of employee laptop and payroll passwords. How often should this be done? Kaspersky advises that password updates be made every 60 to 90 days. This will depend largely on company policies, taking into consideration the needs and nature of the business. Another tip from experts is that security software should also be updated regularly and investments be made in top encryption programs to protect confidential information.

Sometimes, data is compromised due to employee negligence and their failure to follow company security protocols. In UK-based software company Egress' 2021 Insider Data Breach Survey, nearly three-fourths of companies surveyed admitted having data breaches due to employees disregarding data security rules. Ninety-four percent of those firms also confirmed experiencing insider data breaches within the 12-month period before the survey was held. What was interesting was the key finding that human error or mistakes were the top cause of the breaches.

Employees should be one of a company's biggest defenses against data breaches, not a vulnerability. To ensure their active participation in preventing data leaks, it is vital that they see the importance of promoting data security. This can be achieved through regular training and mentoring. Payroll management personnel, for their part, should always be on the lookout for bad corporate habits that can possibly lead to internal data security problems. Remember, it is always best to nip problematic corporate practices in the bud before they spell disaster for your business.


As published in The Manila Times, dated 29 June 2022