Workforce

Tag: data breach

Posted on December 17, 2021 (updated January 19, 2022)

How to prevent workforce management system outages: mitigation through redundancy

Summary

  • Workforce management data breaches and outages are a very real threat

  • Businesses should build redundancy and backup plans into their systems

  • It comes down to choosing vendors with reliable data and network security


In light of the ransomware attack on Kronos (UKG) that disrupted operations for thousands of businesses across the nation, it is worth reflecting on how to properly build redundancy into a workforce management system so as to mitigate the pitfalls that come with mass system outages.

As many unfortunate companies and employees experienced with the Kronos (UKG) data breach, having vital attendance, scheduling, and payroll systems shut down and remain inoperable for weeks can be disastrous. Without proper contingency plans and security measures in place, workforce management system failures can result in payroll running late, chaotic scheduling, extremely inaccurate timekeeping, and the potential for sensitive employee information to be leaked. 

Okay, now take a deep breath.

Outages and data breaches do not need to be so stressful or debilitating. Here are several measures you can take to build redundancy into your workforce management system to keep your business running smoothly in the event of a technological emergency. 

Have a business continuity plan

Essentially, this is a document that outlines in detail how a company will remain in operation during a sudden system disruption or outage. A continuity plan like this needs to be mapped out and understood by all parties well in advance of any sort of outage in order for it to work. Drafting a plan in the moment of failure will do very little good and will most likely add to the confusion and stress of the situation, so be sure to put one in place ahead of time.

To create a business continuity plan, take the following three steps:

  • Identify key business functions. In the case of workforce management systems, these would usually be timekeeping, scheduling, and compliance.
  • Determine the minimum downtime for each function. This will help you gauge the urgency with which measures need to be taken to address outages. It will also clearly define a timeline for when replacement systems may need to be brought in.
  • Create a plan to maintain operations. Here is where you actually decide on the temporary processes your company will take to continue scheduling and timekeeping. These are usually manual processes taking the form of paper-based tools and simple spreadsheets. In other cases, you might have backup software or hardware. 

Use best-of-breed software

This is undoubtedly the best way to ensure your workforce management system is failure-proof.

When using a traditional all-in-one software system that handles everything ranging from scheduling to payroll processing, you are susceptible to a single point of failure. As soon as an all-encompassing platform like this has a data breach and crashes, your company can be left without the ability to run a single critical business function for up to several weeks.

Instead, companies should use a suite of best-of-breed software from a variety of different vendors. Enlisting multiple platforms to perform different functions eliminates the risk of a single point of failure. For instance, if your specialized time and attendance system goes down, you are still left with the ability to use your payroll system, which operates on a completely different server. In this case, all you would need to do is document time manually, which you can then still plug in for payroll.

Regularly export timesheets, schedules, and other relevant data

There are many precautionary measures that can be taken during normal business operations that can help mitigate damages from an outage. Exporting timesheets and schedules to store separately from your workforce management cloud is simple, efficient, and often, very useful. 

By routinely exporting and keeping former timesheets and schedules on hand, you effectively create a paper trail which you can use in case of ill-timed audits during an outage. These offline records can also be used as references for when you need to manually create previously automated schedules and timesheets. It’s always a good idea to have business-as-usual models available while in the midst of enacting a business continuity plan. 

Ensure systems have strong IT security infrastructure

Finally, at its core, a workforce management system simply needs to have reliable data and network security. Your business won’t need to suffer the damaging effects of software outages if the software doesn’t become compromised in the first place. 

While data breaches and system outages can happen to anyone, the likelihood of them happening is far lower in systems with proven track records of safety and reliability. You should look for past instances where a provider has fallen short in its IT security and use those red flags to help you choose a secure workforce management platform.

Proper workforce management IT systems should be SOC-2 certified so as to ensure maximum client data security. The system’s online infrastructure should also be hosted in a virtual private cloud, helping to safely isolate it from potential network breaches. 

You should also be sure that your workforce management system runs daily data backups as well as Point in Time Restore points. All backup data should be stored on a separate cloud server too, so that a single outage will not compromise the entire system and all its data.


Don’t let your business remain unprepared for workforce management and payroll system outages. These nightmares can happen to anyone, and the fallout can be severe without proper protocols and backup plans in place. If you’d like to find out more about what to do in the event of a system data breach or failure, contact us today. We’d love to chat.

Posted on December 14, 2021 (updated September 5, 2023)

Kronos (UKG) data breach leaves businesses in the dark for “several weeks”

Summary

  • Workforce management company Kronos (UKG) suffers ransomware data breach

  • Kronos Private Cloud applications to be offline for “several weeks”

  • Impacted businesses seeking timekeeping and payroll alternatives ahead of busy holiday season


Christmas came a little early this year for thousands of businesses using Kronos attendance systems – this time delivered by the horrific Krampus, however, not jolly ol’ St. Nick. 

Kronos (UKG), a large workforce management and HR software provider, announced yesterday that they suffered a ransomware attack over the weekend on Dec. 11. The attack impacts UKG solutions using the Kronos Private Cloud, namely Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions. 

The applications will be unavailable for “several weeks” while Kronos works to resolve the breach – unfortunate timing for businesses heading into the final stretch of the holiday season. Many will be left without the necessary capabilities to account for overtime, apply bonus payments, adjust for shift differential pay, and simply run payroll on time. 

For many organizations, the breach likely compromised sensitive employee information such as names, addresses, social security numbers, and employee IDs.

People everywhere are very alarmed about the breach, with their concerns even outperforming the search intent of avid PlayStation gamers and night sky fanatics, according to Google. That’s when you know things are serious. 

 

A Kronos representative has suggested clients “evaluate and implement alternative business continuity protocols related to the affected UKG solutions.” As such, many are reverting to rudimentary pen and paper practices to stay on top of attendance and scheduling, while others still are seeking entirely new workforce management systems. 

The breach comes as a surprise seeing as Kronos is such a long-standing and well-established brand in its field, with its origins dating all the way back to the 1970s. Some of its major clients include Puma, Tesla, Clemson University, and the MTA.

Ever since its merger with Ultimate Software to form UKG in 2020, the elderly company has struggled to update its outdated time clocks and hardware systems to keep up with newly emerging workforce management solutions. This latest security breach will undoubtedly prove a major setback in building customer trust heading into the new year of a still-young decade.

In light of this recent ransomware attack, businesses should reevaluate the security of their workforce management systems. With a national labor shortage currently reducing employee engagement and satisfaction, businesses are already on thin ice with staff. The last thing they need right now is for their timekeeping systems to shut down. Employees are not very forgiving when it comes to the accuracy and timeliness of their pay – something Kronos and its clients are about to experience firsthand. 

The safety of employee information and the reliability of payroll is of the utmost importance when it comes to workforce management practices. If having your workforce management and payroll processes offline for weeks at a time is damaging to your business, then it’s probably time to make a change. Don’t let Krampus ruin the holidays for you or your company next year – be sure to invest in modern-day workforce solutions with top of the line data security.

Posted on June 27, 2019 (updated February 25, 2022)

Do Employers Have a Duty to Protect Employees’ Personal Information?

data analytics, data privacy

Employees trust their employers with a whole bunch of personal information: social security numbers, medical documents, insurance records, birth dates, criminal records, credit reports, family information, etc. And it’s not like employees have a choice over whether to disclose and entrust this information to their employer. These documents are all necessary if employees want to get hired, get paid, and obtain health insurance and other benefits. Thus, an employer’s personnel records are a treasure trove of PII (personally identifiable information — any data that could potentially identify a specific individual, which can be used to distinguish one person from another and de-anonymize otherwise anonymous data).

For this reason, cyber-criminals target myriad businesses in an attempt to steal (and then sell on the dark web) this data.

If a company is hacked, and employees’ PII or other data is stolen, is their employer liable to its employees for any damages caused by the data breach?

I’ve covered this issue twice before (here and here), with different courts reaching opposite results (albeit the majority of them concluding that an employer can be held liable).

In AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), the D.C. Circuit Court of Appeals recently addressed a similar issue, and concluded that employee-victims have standing to sue their employer following a data breach from which their personal information and data is stolen. A “substantial risk of future identity theft” is sufficient harm to give rise to a lawsuit, and “their claimed data breach-related injuries are fairly traceable to [their employer’s] failure to secure its information systems.”

All of these cases are legally interesting, and, I submit, largely practically insignificant. Regardless of whether you, as an employer, have a legal duty to protect the personal information and data of your employees, you still have a significant financial and reputational incentive to take reasonable steps to maintain the privacy and security of the information.

Moreover, as data breaches continue to increase in quantity and quality, courts and legislatures will look for ways to shift the cost of harm to those who can both better afford it and better take measures to hedge against them. Thus, I predict that in five years or less we will have a legal consensus on liability.

The question, then, for you and your business to answer is what are you going to do about it now? The time to get your business’s cyber-house in order is now (actually, it was years ago, but let’s go with now if you’re late to the game). Don’t wait for a court to hold you liable to your employees (and others?) after a data breach.

Thus, what should you be doing?

  1. Implementing reasonable security measures, which include encryption, firewalls, secure and updated passwords, and employee training on how to protect against data breaches (such as how not to fall victim to phishing attacks).
  2. If (or more accurately when) you suffer a data breach, timely advising employees of the breach as required by all applicable state laws.
  3. Training employees on appropriate data security.
  4. Drafting policies that explain the scope of your duty as an organization to protect employee data.
  5. Maintaining an updated data breach response plan.

Remember, data breaches are not an if issue, but a when issue. Once you understand the fact that you will suffer a breach, you should also understand the importance of making the issue of data security a priority in your organization. The average cost to a company of a data breach in 2018 was $3.9 million (and increasing annually). While I generally don’t work in the business of guarantees, I will guarantee that any expenses you incur to mitigate the potential cost of a data breach are money well spent.

 


 
