Cyber Attacks: When Not If

In 2018, cyber attacks targeting employee data increased both in number and in sophistication. In response, employers need robust, multilayered security systems in place to guard against attacks and their repercussions.

It is no longer just an isolated problem; many would say it’s a pandemic. Every day, organisations find themselves the victims of phishing schemes or other attempts to extract sensitive data.

These perpetrators are very, very determined. They have patience. They’re willing to keep trying again and again. And the sad thing is they’re becoming very successful at finding the weak points.

As cyber-criminals broaden their entry points into organisations, the scope of who may be considered culpable in the wake of a successful attack may widen too. Security is no longer solely IT’s problem: if there is a data breach, and that breach occurred in payroll, you’re going to be sitting in front of an officer answering tough questions.

Business owners also could face legal repercussions. In the coming years, there’s going to be more legislation geared towards protecting consumers and taxpayers against organisations that have poor security protocols in place.

What Can Employers Do?

When determining protection against a cyber attack, employers should know it is a matter of when not if an attack will occur.

The objective is to deter the criminals. Make it hard. Make it frustrating. To some extent, make it not worth their while to keep trying to find a back door.

People are the weakest link when it comes to data security. To mitigate that risk, employers should have a written security protocol that is reviewed annually. Employees should receive annual training to ensure they remain compliant.

It’s A Multi-Pronged Defence

Additionally, employers should limit the number of personal devices that connect to the company’s network. An iPod, mobile phone, USB flash drive or camera could introduce a virus to the employer’s network.

An internal hotline that allows employees to report any suspicious activity they see may also be helpful. Thirty-eight per cent of targeted attacks in 2018 were caused by malicious actions of employees.

Employers should also research the vendors and third-party providers they hire.

When assessing risks, employers should ask where data is stored, who may access it, how securely it is stored and for how long it is retained.

Employers also should ensure that endpoint protection is used to its fullest capability. Cybersecurity monitoring services and insurance may be worth considering as a whole.

Programs like those are expensive but should be weighed against the cost of a potential breach. As a business owner, or even a university or a health care facility, what is the cost if you have a major data breach? For some organisations, it will shut you down. And the damage to your reputation may be worth more than any monetary figure.

Always better safe than sorry!

Aurion software is regularly audited, screened and tested for security holes. Our expert legal and security team work tirelessly to ensure the data entrusted to Aurion is totally safe. Looking for a payroll provider who puts security as its number one priority? You’ve found it.

Keep up-to-date with more articles like this

Subscribe to our eNewsletter

Is Your Payroll Living in Ancient China?

There are no two ways about it – we live in a digital world. Information is just the flick of a touchscreen away. I even communicate with members of my team sitting two meters away via Asana. Many, if not all of us have embraced the technological era we live in. However, many recruitment and payroll departments are still living in an ink and paper world.


Maturity in Regression Testing

Recently, Aurion has made large changes in how we perform regression testing. This has seen vast improvements in productivity and quality. However, before we get to the good stuff let’s discuss: what is regression testing?


Seven Payroll Myths Busted!

Watching Mythbusters this weekend got me thinking, what are some common Payroll myths perpetuated? What’s fact and what’s fiction? Chances are you’ve heard a few of these before. Today, I’ll separate the truth from the lie, the factuality from the fallacy, the wrong from the right! Here are eight payroll myths that need busting!


Vulnerable Workers Amendments – Updates to the Fair Work Act September 2017

Employers are facing harsh new penalties for breaching workplace laws under the recent reform to the Fair Work Act last month. The Fair Work Amendment (Protecting Vulnerable Workers) Act 2017 took effect from mid-September. Important changes were made to the existing Fair Work Act 2009 to better protect employees, particularly those employed by franchise chains.

The bill was introduced as a direct result of the ongoing 7-Eleven scandals involving the widespread underpayment and exploitation of vulnerable workers, as well as the difficulties experienced by the Fair Work Ombudsman in trying to recover wages for underpaid employees from smaller franchisors, who often kept very poor records or non-existent records.

These amendments will affect both employers and employees. Since coming into effect on 15 September 2017, the bill ensures that workers will be better supported and protected from unscrupulous employers. As a result of the amendments to the Fair Work Act, businesses will be held to stricter standards and greater accountability will be enforced to ensure that all businesses operate on a level and fair playing field.

What Do the Changes Involve?

The bill introduced a number of changes to the original Fair Work Act, with the main ones being:

  • Increased penalties for ‘serious contraventions’ of workplace laws.
  • Employers cannot ask for ‘cashback’ from employees or prospective employees.
  • Increased penalties for breaches of record-keeping and pay slip obligations.
  • Employers who don’t meet their record-keeping or pay slip obligations and can’t provide a reasonable excuse will need to disprove wage claims made in court (a reverse onus of proof).
  • Strengthened powers for the Fair Work Ombudsman to collect evidence in investigations.
  • New penalties for giving the Fair Work Ombudsman false or misleading information, or hindering or obstructing investigations.

The most notable changes to come from the vulnerable workers bill are the significantly higher fines for serious breaches of workplace laws, which are expected to catch employers who force their employees to pay back part of their wages in cash or as part of various cashback schemes, and the reverse onus of proof applied to employers.

Now, if an employer doesn’t keep or provide payslips and an employee claims that they have been underpaid, the onus is on the employer to prove that they have paid their employee correctly. This means there is no more incentive for dishonest employers not to provide payslips.

In addition, from 27 October 2017, franchisors and holding companies can also be held responsible if their franchisees or subsidiaries breach any of these workplace laws (whether they knew about it or they should have known about it and could have prevented it).

What This Means for Employers

If you aren’t already, you should be taking steps to reduce risk and avoid penalties by:

  • Considering outsourcing payroll to a reputable Outsourced Payroll provider who takes compliance and risk seriously
  • Ensuring you have proper record-keeping methods, systems and processes in place to prevent false, inaccurate or misleading records and pay slips from being produced
  • Undergoing a Fair Work Compliance Audit to ensure you are meeting your pay slip and record-keeping obligations
  • Communicating Fair Work compliance internally to ensure managers fully understand these changes, and that any changes to systems and processes are also understood and adhered to

At a practical level, satisfying employer obligations can be confusing and costly. For the majority of employers who already act fairly and honestly, these amendments won’t make much of a difference to how you run your business. They do, however, present a good opportunity to reassess your current pay slip and record-keeping processes to ensure you are meeting your obligations in the most effective and efficient way.

A reliable Outsourced Payroll provider can take much of the pressure off by ensuring accurate, compliant and timely payroll, every time. With the introduction of these new changes to workplace laws, now is a good chance for you to look closely at your current systems and processes and consider the additional security and peace of mind an Outsourced Payroll solution could bring to your business.

What This Means for Employees

As an employee, this bill provides greater protection against unscrupulous employers and makes it possible to get help and support if you are being treated unfairly.

If your employer is asking you to use your own money unreasonably, this could be unlawful. You can:

What This Means for Our Clients at Aurion

At Aurion, our clients can be reassured that we have proper record-keeping arrangements in place and that we continue to look for ways to improve our processes, reduce risk and minimise chances of contraventions of the Act. We always have and always will continue to cooperate fully with any Fair Work Ombudsman investigations or enquiries.

We are proud to work closely with businesses all around the country to improve systems, ensure compliance and reduce risk through a range of Outsourced Payroll and HRIS solutions. If you have any concerns or enquiries about how the vulnerable workers amendments may affect your business or would like to discuss implementing a tailored payroll solution, please don’t hesitate to contact us on 1300 287 466 or by sending us a message online.

2018-05-08T14:28:25+00:00

Information Security Part 3: Protecting applications and users with HTTPS

This is Part 3 of a multi-part series on Information Security Management.

Aurion is committed to ongoing work to further improve our products and services to comply with the most rigorous principles and practices. As part of our commitment to improving information security for our customers, Aurion is continually working to broaden our security knowledge and understanding, and apply that to our software applications to benefit our customer community.

Aurion clients may have noticed the recent change to the Aurion Technical Architecture document (clients can access this document here) recommending the use of HTTPS to further strengthen and protect your Aurion applications from security threats.

In this article, part of our Information Security Series, we’re exploring this change in more detail and discussing how to securely deploy Aurion Self Service and Web Recruitment to ensure secure access to sensitive data and communications for all users.

HTTPS – The basics

Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The ‘S’ at the end of HTTPS stands for ‘Secure’. When a website uses HTTPS, all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions, such as online banking and online shopping order forms, as well as other sensitive data and communications.

HTTPS pages typically use one of two secure protocols to encrypt communications – SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use an ‘asymmetric’ Public Key Infrastructure (PKI) system. An asymmetric system uses two ‘keys’ to encrypt communications, a ‘public’ key and a ‘private’ key. Anything encrypted with the public key can only be decrypted by the private key and vice-versa. The private key is kept strictly protected and should only be accessed by the owner of the key.

To use HTTPS, an organisation deploying a website needs to purchase and install an SSL certificate on its web server to initiate secure sessions with browsers. Once installed, the website can be accessed over HTTPS – for example, https://customer.aurioninstall.com – and the https:// scheme tells the browser to establish a secure connection with the server. Once a secure connection is established, all web traffic between the web server and the web browser will be secure.

When accessing a website using HTTPS, modern web browsers such as Internet Explorer, Firefox, Safari and Chrome display a visual indicator – usually a padlock icon – to show that an HTTPS connection is in effect.

Why use HTTPS

Sensitive data, such as payroll, personal and other HR user data, must be appropriately secured to ensure it cannot be exploited. In recent years, the availability of security exploitation tools, such as network sniffing tools, has led to an increase in the number of high-profile security attacks, and also to the increased prevalence of HTTPS across the internet.

All communications sent over HTTP (without an SSL certificate) are sent in plain text and can be intercepted and potentially exploited to learn more about a user and their current web session. By exploiting plain-text data, intruders both malicious and benign can potentially exploit every unprotected resource between your website and your users, including intercepting sensitive data or observing aggregate user data to understand and identify your users.

Using HTTPS ensures that all traffic between the web browser and application is encrypted in transit. HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers – intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or companies that inject ads into pages.

Intruders can trick your users into giving up sensitive information or installing malware utilities. Additionally, intrusive companies can inject advertisements or other content that can break user experience and potentially introduce security vulnerabilities.

Additionally, HTTPS doesn’t just block security threats and intrusion on your website. It is also a requirement for many modern application features and an enabling technology for app-like capabilities. Many modern API services and service workers rely on HTTPS; when HTTPS is not available, these services will not operate and the user experience will be impacted.

Historically, HTTPS was unfavourable for specific technical and financial reasons. Using HTTPS removes some technical capabilities – such as caching of data – and SSL certificates could be expensive to purchase and implement. However, considering the greatly increased security benefits of HTTPS, coupled with the declining price of SSL certificates, use of HTTPS is now widespread across a range of internet websites and applications.

HTTPS is not solely the domain of financial and commerce applications anymore; HTTPS should be used by anyone wanting to provide critical security and data integrity for both their websites and their users.

Using HTTPS with your Aurion Self Service and Web Recruitment applications

Whilst we do everything possible to ensure application security for all Aurion applications and installations, for on-premise customer deployments Aurion does not provide SSL certificates as part of your Aurion installation. This ensures that customers who already have an SSL certificate for deployment of other internal resources do not need to acquire anything additional. Aurion Hosted and Software-as-a-Service (SaaS) websites are deployed using HTTPS.

It is the decision of each Aurion customer to use HTTPS; however, at Aurion we strongly recommend all customers use HTTPS when deploying Aurion Self Service or Web Recruitment to provide data security for both your websites and your users’ personal information and communications.

Whether your Aurion Self Service or Web Recruitment application is deployed via an internal-only network, or externally deployed for users to access over the internet, HTTPS should be deployed for users accessing these resources to ensure data security and privacy, and access to all required resources to ensure full application user experience.
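The two passages above (the HTTPS basics, and the recommendation to deploy Self Service and Web Recruitment over HTTPS) describe what a deployer should end up with. The following added example, which is not Aurion’s code, shows what “HTTPS is deployed” looks like from the outside and how to audit it: a plain http:// request should be redirected to an https:// location, the HTTPS response should carry a Strict-Transport-Security header so browsers refuse to fall back to HTTP, and session cookies should carry the Secure attribute so they are never sent over plain text. The HSTS and Secure-cookie checks go beyond what the article states; the one-year HSTS minimum is an assumption based on common guidance. All sample responses are constructed, not captured from a real server, and the hostname is a placeholder.

```python
"""Audit whether a web deployment actually enforces HTTPS.

Added example, not Aurion's code. It inspects the response a plain
http:// request would receive and (optionally) the response from the
https:// endpoint, and returns the gaps a deployer should close.
"""
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; assumed recommended minimum HSTS max-age

# Constructed sample: a site that answers plain HTTP with content.
WEAK_HTTP_RESPONSE = {
    "status": 200,
    "headers": {
        "Content-Type": "text/html",
        "Set-Cookie": "session=abc123; Path=/",
    },
}

# Constructed sample: a hardened deployment. Plain HTTP is redirected to
# https://, the HTTPS response sends HSTS and marks its cookie Secure.
HARDENED_HTTP_RESPONSE = {
    "status": 301,
    "headers": {"Location": "https://customer.example/login"},
}
HARDENED_HTTPS_RESPONSE = {
    "status": 200,
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
    },
}


def _header(headers, name):
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _cookie_is_secure(set_cookie):
    """True if the Set-Cookie value carries the Secure attribute."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")]
    return "secure" in attrs


def _hsts_max_age(hsts_value):
    """Return the integer max-age directive of an HSTS header, or None."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value.strip())
    return None


def audit_https(http_response, https_response=None):
    """Return a list of findings; an empty list means HTTPS is enforced."""
    findings = []

    # 1. Plain HTTP must redirect to an https:// URL, never serve content.
    status = http_response["status"]
    location = _header(http_response["headers"], "Location") or ""
    if status in (301, 302, 307, 308) and location:
        if urlparse(location).scheme != "https":
            findings.append("plain HTTP redirects to a non-HTTPS location")
    else:
        findings.append("plain HTTP serves content instead of redirecting to HTTPS")

    # 2. Any cookie set on either endpoint must be marked Secure.
    for label, resp in (("HTTP", http_response), ("HTTPS", https_response)):
        if resp is None:
            continue
        cookie = _header(resp["headers"], "Set-Cookie")
        if cookie and not _cookie_is_secure(cookie):
            findings.append(f"{label} response sets a cookie without the Secure attribute")

    # 3. The HTTPS endpoint should send HSTS with a long enough max-age.
    if https_response is not None:
        hsts = _header(https_response["headers"], "Strict-Transport-Security")
        max_age = _hsts_max_age(hsts) if hsts else None
        if max_age is None:
            findings.append("HTTPS response lacks a valid Strict-Transport-Security header")
        elif max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below the recommended one year")

    return findings


if __name__ == "__main__":
    print("weak deployment:", audit_https(WEAK_HTTP_RESPONSE))
    print("hardened deployment:",
          audit_https(HARDENED_HTTP_RESPONSE, HARDENED_HTTPS_RESPONSE))
```

To use this against a real deployment, capture the status and headers of one request to the http:// URL and one to the https:// URL (any HTTP client will do) and pass them in the same dictionary shape; the findings list is what to hand to whoever owns the web server configuration.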

Aurion clients can access further information about HTTPS for Aurion within the Aurion Technical Architecture document.


2018-05-08T14:28:38+00:00

Information Security Part 2: Principles and Practices

This is Part 2 of a multi-part series on Information Security Management.

Recent high-profile cyber security events have further increased awareness about the imperative to improve information security practices in line with evolving cyber security threats. More advanced, sophisticated, and highly coordinated security threats demand appropriate risk management planning and preparation in all organisations to ensure swift response and prevent potentially catastrophic outcomes.

Aurion is committed to ongoing work to further improve our internal information security management practices to comply with the most rigorous principles and practices. Additionally, as part of our commitment to improving information security for our customers, Aurion is continually working to strengthen the security features of our products and services.

As part of this commitment, we have partnered with independent security consulting providers to better understand information security principles and how we, and our customer community, can best apply specific practices. In this article in our series about Information Security Management, we will explore specific types of cyber security threats, and how best to prepare and respond to cyber threats.

All organisations require rigorous information security management planning to adequately prepare for, and respond to, security threats. At the recent Technology in Government conference in Canberra, government representatives, service providers and software vendors met to discuss current technology trends impacting government into the future. Information Security Management featured prominently, headlined by a presentation from Gregory Touhill, Brig Gen (ret), CISSP, CISM, Deputy Assistant Secretary, Cybersecurity and Communications representing the US Department of Homeland Security. The US Department of Homeland Security has been instrumental in the development of the Framework for Improving Critical Infrastructure Cybersecurity policy for Information Security Management in the United States.

Additionally, here in Australia the Australian Government Information Security Manual (ISM) provides guidance about Information Security principles and practices within an Australian context. In this article we will explore the key concepts and guidelines of both policies, and how they can be applied in your organisation.

Cyber Security is ‘not a technology issue’

Brigadier General Touhill emphasised one key concept throughout his presentation – ‘Cyber Security is not a Technology issue; it’s a risk management issue’. The US Department of Homeland Security works across all levels of government – federal, state and local – to take the cyber security conversation ‘out of the server room’ so that all stakeholders better understand risk and share information about best practices for information security management to protect networks. This work has resulted in over 200 emergency response units and significantly improved response and reaction outcomes across US agencies. The US Department of Homeland Security has been actively promoting a ‘Cyber Neighbourhood Watch’ approach – users across public and private networks share information more efficiently and using more robust practices to ensure that risks are understood by potentially affected parties earlier for the benefit of the entire community.

Another key point raised by Brigadier General Touhill – cyber attacks cannot be prevented. Whilst exposure to cyber security attacks can be mitigated through effective network and process controls, all organisations need to have effective risk management plans to ensure that when, rather than if, a cyber attack occurs they are prepared to respond adequately.

Brigadier General Touhill identified a number of key programs that had impacted information security management policy across the US. President Barack Obama has actively promoted a cyber security response agenda that has included new programs focused on threat response, education and intelligence gathering and sharing. Specific programs have been implemented, aimed at rapid declassification of previously classified information so that the data can be shared across public and private agencies to better inform the community and enhance response planning.

Preparing an Information Security Management Plan

As Brigadier General Touhill emphasised, a risk management plan for managing information security practices is essential in any organisation. The US Department of Homeland Security promotes a framework based on the NIST Framework for Improving Critical Infrastructure Cybersecurity guidelines, which set out a group of activities that achieve specific cyber security objectives as part of an effective information security management plan:

  • Identify – Develop the organisational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The framework provides an approach which can be adopted by any organisation when viewing and assessing cyber security risk, and planning appropriate response protocols.

For Australian organisations, the Federal government has provided the Australian Government Information Security Manual (full text available here – http://www.asd.gov.au/infosec/ism/index.htm) to inform Australian public and private enterprises about cybersecurity risks and responsibilities, and the information security management practices to implement to prevent cyber security attacks and improve reaction and response.

Improving Information Security Management at Aurion

At Aurion, we are committed to improving information security management practice in line with the Australian Government Information Security Manual to ensure the highest possible level of information security for our customers when using our products and services.

To that end, we have introduced new internal information security management processes, in conjunction with an independent external security specialist. These processes cover all internal and external production environments, and inform all information security practice at Aurion, and form an integral part of our Quality and Compliance control processes and our ASAE3402 and ISO9001 standards accreditation. These processes are reviewed regularly for currency and effectiveness.

At a product level, our software quality and testing processes include a rigorous program of security testing, including regular vulnerability assessment testing and assessment against the OWASP criteria. Our product development program is currently expanding to include additional information security features and adoption of additional recommendations provided in the Australian Signals Directorate (ASD) standard to further improve the robust security offered by our Product Suite. In our latest software version, Aurion 11, we are implementing additional controls and features to ensure maximum protection from cybersecurity threats for all deployment types. Additionally, our testing program is continually evolving to include additional security testing types to cover all common cybersecurity scenarios and risks.

Over the coming months in this security series, Aurion will be providing further information about these changes, and additional insight into optimal security practice and measures that can be implemented to reduce risk, such as the implementation of SSL and other deployment strategies designed to minimise exposure to common cybersecurity attacks.


2018-05-08T14:28:41+00:00

Information Security Part 1: Have you had the discussion?

This is Part 1 of a multi-part series on Information Security Management.

Within all organisations, a solid commitment to ensuring security of information is paramount. At Aurion, we are focused on supporting our customers in the adoption of strong security strategies to ensure data safety and compliance.

This first article sets the scene on why it is important for all organisations to consider Information Security as part of their daily conversation.

What is Information Security?

Information or Cyber Security refers to processes and methodologies which are designed and implemented to protect physical, electronic, or any other form of confidential, private and sensitive information or data from unauthorised access, use, misuse, disclosure, destruction, modification, or disruption.

Information security is concerned with all information processes regardless of whether they involve people, technology, or relationships with trading partners, customers and third parties. Information security addresses overall protection at all points within the life cycle of information used in the organisation.

Why is Information Security important?

Information Security relates to the protection of information assets against the risk of loss, operational discontinuity, misuse, unauthorised disclosure, inaccessibility or damage – all of which can have significant impacts on an organisation. It is also concerned with the increasing potential for legal liability that organisations face as a result of information inaccuracy, and the loss or absence of due care in its protection.

Extensive media coverage relating to cyber terrorism, hacking attacks and cyber attacks has become commonplace. All such attacks against organisations and people target the confidentiality, integrity or availability of information.

In general, these attacks reflect the fact that the world is becoming increasingly interconnected, with a high demand for data accessibility and availability across many channels. The internet allows such attacks to be launched from anywhere in the world.

Cyber attacks are launched, and many are successful, because organisations and people remain vulnerable to attack due to flaws in the components that make up any system such as people, process and technology. The important point to note here is that security is not just a technological problem – people, and the activities performed by those people, are a key element in the protection of an organisation’s systems and information.

How can security attacks be prevented?

As cyber threats become increasingly sophisticated and targeted, cyber security incidents can have significant and direct impacts on organisations. However, properly assessing the security risks specific to your organisation can help to minimise the likelihood and consequences of the cyber threat.

We encourage you to review your strategies to protect your vital HR Information and to ensure that you have appropriate protection in place to safeguard that data. Items to consider include application configuration and infrastructure such as firewalls, security subsystems and the procedures and processes used to monitor and audit system activity. Your Aurion software includes a number of features designed to mitigate specific Information Security risks, such as password complexity rules and user lockout utilities.

How we’re addressing Information Security at Aurion

At Aurion, we have made significant investments in reviewing and improving our internal information security management practices to protect our customers and their data. These investments have resulted in tangible changes to our internal security management processes, and the delivery of our software and services.

Within both our software applications and our hosted data centre, Aurion conducts a comprehensive and ongoing program of security testing to ensure compliance with the most rigorous security methodologies and standards. This testing is conducted by specialised third-party security testing providers at all points of the software and service delivery cycle to ensure comprehensive and expert coverage.

Additionally, over the coming months, Aurion will be communicating with our customers about improved security practice, and introducing additional security features to address increasing information security requirements. We look forward to working with customers to further deliver on the commitment of secure and robust Payroll HRIS solutions and services.


2018-05-08T14:28:44+00:00