Last Monday, 10 April, multiple employers across the UK and Ireland were unable to access their payroll systems.
This came as SD Worx, which manages the payroll systems for companies like Asda, M&S, WHSmith, and Chester Zoo, was hit by a cyber attack.
A spokesperson tells UNLEASH: “SD Worx took immediate action, activated its security incident response and crisis management plans.
“It preventively isolated all UK&I systems and servers to mitigate any further impact for its customers in the UK and Ireland and to adequately assess the situation.
“As a result, there was temporarily no access to the systems for UKI customers. There was no impact for customers in other countries: the operations outside UK and Ireland are running on completely separate environments.”
Over the past ten days, SD Worx has been working hard to restore customer access.
“After having rebuilt, restored and thoroughly tested the environment, SD Worx has started providing gradual access to the SD Worx…systems for the vast majority of SD Worx UK&I customers’ HR and Payroll professionals”, adds the spokesperson.
This week SD Worx has been gradually releasing “system access to all UKI customers’ employees as well.”
Should HR be worried?
The words ‘cyber attack’ will have set off alarm bells for HR leaders in companies all across the world. But SD Worx was quick to reassure its customers, and the wider market.
The spokesperson shares: “A full forensic investigation by dedicated forensic experts was launched. The root cause has been identified.
“Based on the results of the forensic investigation, there is no detection of any confirmed impact on confidentiality or integrity of customer data.
“There are no indications that customer data has been extracted: the forensic experts did not find any traces of data exfiltration tools or exports that took place nor has SD Worx been contacted by the threat actor group, who could be identified, that they have obtained data.
“Incident reports were sent to the affected customers to keep them informed. Further forensic actions will continue.”
Thankfully, there was no data breach this time, but employers and HR vendors might not be so lucky next time.
Sam Grinter, senior principal analyst at Gartner HR, tells UNLEASH: “This year multiple HR technology vendors will be subject to ransomware attacks, affecting over 5,000 enterprise clients and tens of millions of employees.”
Therefore, this incident with SD Worx should act as a warning to HR to take action, and quickly. But where should they start? HR and cyber experts share their insights.
Work with vendors on cybersecurity
“The cyber attack on SD Worx serves as a reminder that HR departments and HR tech vendors must work together to prioritize cybersecurity and protect sensitive employee data”, notes data security company Dasera’s CEO Ani Chaudhuri.
Grinter agrees. “All organizations will have an array of HR applications across the company and cyber attacks have the potential to impact tools which are critical to the key function within the business”.
“HR leaders and HR tech vendors must expect future cyber attacks, and they should firstly collaborate to assess the risk of a cyber attack or outage on HR applications,” adds Grinter.
This enables them to see which applications are most vulnerable – “leaders must then create contingency plans to deal with potential threats to each application”.
Third-party security audits can be a huge help, notes Dasera’s Chaudhuri. “HR departments and vendors should consider having their systems audited by third-party security experts to ensure that all potential vulnerabilities are identified and assessed”.
Data governance consultancy OvalEdge’s CTO Srini Kadiyala adds that HR should involve IT teams in these conversations with vendors.
This will help them “evaluate their use of third parties, their practices for data management, their requirements for engaging new vendors and their plans for getting existing vendors up to standard”.
Ultimately, according to IRIS’ cloud CTO Ben Houghton, all HR vendors need to be “vetted at the start of the relationship on cybersecurity protocols and data protection measures”, but that alone isn’t enough.
As cyber risks evolve and hackers get more and more sophisticated, that vetting process needs to continue “throughout the entire working relationship”.
Upskill employees in cyber
Essentially, HR needs to get proactive – and not just sit and wait for things to happen.
Beyond the work with vendors, HR needs to make sure that everyone in the organization is aware of (and implementing) best cybersecurity practices. The first step here is employee training.
“Security is a team sport – every employee must understand that they play an essential role,” notes Cigent Technologies CEO John Benkert.
“Employee security training is essential. Employees need to know what security tools are available and when to use them”. Vendors can help HR teams with this training, explains Dasera’s Chaudhuri.
Given that “data breaches and cyber attacks are worryingly becoming more common and an ongoing problem”, IRIS’ Houghton notes that “security training should be undertaken several times per year”.
While “there is no one-size-fits-all approach to cybersecurity training”, the gold standard, according to Houghton, includes best practices around document management, personal data protection and cybersecurity protocols.
Gartner’s Grinter agrees. “Continuous assessment and the updating of practices is like running a fire drill; you hope you never need it, but it’s a life saving process if you ever do”.