HR software consultancies as strategic business continuity partners

As if the pandemic, war in Europe and inflation weren’t large enough challenges for organisations to contend with right now, this month has also served as a stark reminder of the dangers that cyber criminals pose to businesses large and small. 

A large-scale hack of some of the nation’s biggest firms, targeting employees’ personal data in another high-profile ransom attack, has highlighted how no firm is immune to the risks associated with online crime and how critical it is both to mitigate such attacks and to prepare for what to do if the worst case does happen.

Before we investigate how recent developments affect HR and payroll teams, let’s first recap on what’s happened. 

What’s happened recently?

This month’s huge news (July 2023) was that British Airways, Boots and the BBC (amongst others) have been victims of an attack by a presumed Russia-based cybercrime group which has stolen the personal details of more than 100,000 employees. 

The hackers found a vulnerability in a piece of software called MOVEit, which was used by third-party payroll provider Zellis to transfer files, meaning that the affected companies – which the hackers claim number in the hundreds – weren’t direct customers of the affected software.

The Telegraph reported that BA emailed staff to say their personal information had been compromised, and that Boots told employees the attack could have left names, dates of birth and NI numbers exposed.

At the time of writing, the cybercrime group have claimed they don’t have the personal data, despite earlier demanding ransom negotiations begin and releasing small batches of stolen data – none of which so far matches up to an employee of one of the large British firms. 

The muddy waters have left cyber experts puzzled, but with Zellis reporting a breach did happen, and one in three UK firms reporting a cyber attack last year, it’s a stark reminder to all organisations of the importance of proper digital security as well as knowing what to do if the worst does happen. 

HR’s role in data and cyber security

Cybersecurity and data security are different things, and neither is the sole responsibility of an organisation’s IT department (or indeed the person who helps everyone set up their emails!).

Some of the most critical information an organisation holds is about its people, including names, addresses, NI numbers, dates of birth and banking details. This data must be held and moved around securely, in compliance with strict government legislation, including GDPR. This directly applies to HR and payroll teams and how they request employee information, how that information is stored and transferred, and who has access to it.

Cybersecurity refers to the systems and devices that organisations use. HR and payroll’s role here is a little less clear but equally important. Both outsourced and in-house HR teams have an important responsibility to ensure that the third parties they engage with are up to the task when it comes to the cybersecurity of their products and services.

What safeguards do they have in place to ensure a breach event can’t occur? What certification do they hold to prove the effectiveness of their internal processes? And what continuity planning do they have in place should an event occur? 

Organisations of all sizes should ask these questions of their third-party suppliers, as well as any platforms being managed in-house. 

HR’s critical role in the cyber security of an organisation and protecting employees doesn’t stop at software and data either. Training and manuals should be provided to all employees on how to handle data and how to spot phishing emails in particular – even in their work inboxes.

How external partners can support with business continuity 

An external payroll partner can support your own business continuity and help reduce risk exposure by the very nature of the work they do. 

Outsourced payroll providers are required both by law and through competitor development to offer best-in-class cyber security for their platforms and understand the latest legislation when it comes to handling data, thus reducing the risk of a breach in the first place. 

Legislative changes, periods of growth married with a shortage of internal resources, restructuring, and new technology adoption are all areas where an outsourced consultancy can help organisations to navigate challenges without error, downtime or incurring risk.  

Most organisations don’t have the internal resources to stay completely on top of legal changes, the latest case law and developments in cybersecurity in order to properly mitigate future risks – or to develop internal strategies for what to do if data is lost in a hack.

External partners are specialists in these areas and make it their business to know what’s happening in the world of work from a legal and security standpoint, with strong business continuity plans to support their customers – whether an incident happens at the provider or within the organisation itself.

At Phase 3, our business continuity packages are designed to ensure that, should the worst happen, your organisation can keep operating. 

As we’ve discussed above, areas surrounding payroll, finance and HR are fundamental to the smooth running of a business and can’t cease to function at any stage. With a business continuity plan in place, risks can be mitigated, and that worst-case scenario can be dealt with more easily. 

On top of cyber-related concerns, we can also offer critical staffing support to help cover gaps in case of injury or ill health, meaning critical day-to-day processes can still be achieved in the areas of payroll, finance, reporting and business analysis.