Are password protected payslips a ‘quick fix’?

By Stephanie Coward

Managing Director, HCM

In light of the COVID-19 pandemic, a popular ‘quick fix’ amongst many payroll teams was to email staff their payslips as a password-protected PDF file.

Whilst it is clear that these processes were introduced with the best intentions, unfortunately, sending password-protected PDF payslips via email is not as secure as it may appear.

Password-protected payslips rely solely on a password. Depending on the user, this can either remain a non-issue or leave you susceptible to cyber-attacks, leading to payslips, and all the sensitive information they contain, getting into the wrong hands very quickly, as explained in our recent National Password Day blog.

To eliminate the risk of this, at ePayslips we recently deployed Multi-Factor Authentication (MFA). This functionality adds a layer of security and is used to ensure that users are who they say they are. When accessing their ePayslips account, the user must provide at least two pieces of evidence to prove their identity. Whenever you sign in to your ePayslips account, you will enter your password, as usual, followed by a code sent by an authentication app on your mobile.

Risk of the password itself aside, there are various other issues we need to account for whilst handling such sensitive information, GDPR among them. Article 32 of the General Data Protection Regulation states that the controller shall ‘implement appropriate measures to ensure a level of security appropriate to the risk’. In this circumstance, email does not provide an appropriate level of security due to the weakness of email systems.

So why are emails insecure?

  1. No encryption: Email is inherently an insecure method of communication. All emails are delivered using Simple Mail Transfer Protocol (SMTP), which does not use encryption or authentication.
  2. Ransomware/malware: Inboxes are regularly targeted by spam and phishing emails. Whilst these emails are not necessarily an issue whilst just sitting in an inbox, they can lead to consequences. Recipients can click on a malicious link, which either causes malware to enter your network or leads to a site posing as a legitimate website to capture account details.
  3. Data leaks: Accidental data leakage due to an unintentional error is unfortunately common. An employee can accidentally mistype an email address or copy the wrong person into an email chain. If a payslip is sent via email and is not password protected, there is a chance it could be accidentally sent to an unauthorised recipient.

Stephanie Coward is Managing Director for HCM at IRIS, where she leads the strategy, innovation and growth of the organisation’s HR and payroll portfolio. She is responsible for positioning IRIS as a trusted partner to HR professionals and ensuring its solutions support the evolving needs of modern workforces.

With more than 25 years’ experience in the technology sector, Stephanie brings deep commercial and operational expertise, with a passion for improving the employee experience through technology.

Stephanie is committed to advancing IRIS’ HCM offering and helping organisations build more resilient, empowered workforces.