On Friday July 19, a major IT crisis hit businesses and organizations all over the world. A bug in an update issued by the cybersecurity company CrowdStrike had a serious impact on Microsoft Windows systems, locking machines into an endless cycle of booting up and displaying the dreaded ‘blue screen of death’. The following day, Microsoft estimated that around 8.5 million devices were affected worldwide.
The headlines around the world underlined the scale of the disruption this caused, particularly as CrowdStrike supplies security services to many big players in the retail, banking and public sectors. Among many areas of disruption, flights were delayed and cancelled, banking systems and card payments failed, and emergency services were unable to function properly.
But behind the headlines – and despite the fact that CrowdStrike were able to deploy a workaround for the global tech outage relatively quickly – the impact of the outage will be felt for some time to come. In this blog, we’ll take a look at the situation from a payroll and HR perspective, what you should do if your organization has been affected, and what you can do to prepare for potential future incidents.
How is the CrowdStrike outage affecting payroll?
While things are gradually getting back to normal following the outage, this will take time. As a result, many payroll teams may face a backlog of processes and workloads to deal with, which could have consequences for the timeliness of upcoming payroll runs.
Melanie Pizzey, the chief executive of the Global Payroll Association, told the Independent:
“Depending on the length of this outage, it could have very serious implications for businesses across the nation, particularly those who process payroll on a weekly basis. Furthermore, we could see a backlog with regard to processing payrolls for the coming month end which may delay employees from receiving their monthly wage.”
If employees are paid late, then this can have serious implications for their personal finances, which has knock-on effects on their overall wellbeing, both in and out of the workplace. But there are implications for employers, too, because failing to make payments on time – even if it’s for reasons out of their control – renders them in breach of employment contracts. In the worst-case scenario, this could lead employees to sue their employers and seek compensation for late payment, with the added financial burden of legal fees involved.
CloudPay’s situation and what you should do now
CloudPay relies on Linux servers for its core services, and we use a different endpoint solution for the small number of Windows servers we use. This means we are, as yet, unaffected by the CrowdStrike issue which primarily affected Windows systems – although we are conscious there may be longer-term impacts. Nonetheless, we’ve been proactively reaching out to our payment service providers to understand if they are experiencing disruption relating to the outage to try and minimise any wider impact on our customer base.
Even though we haven’t yet been affected, this incident highlights the importance of diversifying operating systems within an organization’s technology stack. This can mitigate the risk of widespread outages caused by vulnerabilities in a single platform. And while third-party updates carry a potential risk of introducing bugs or compatibility issues, the importance of timely security updates often outweighs this risk. Security updates are crucial for patching vulnerabilities that could be exploited by malicious actors. Failing to apply these updates leaves systems exposed to potential attacks, data breaches, and other severe security incidents.
Melanie Pizzey suggests that confirming contingency plans and submissions deadlines is an essential first step for payroll teams: “This will give them a clear timeframe to work to when rectifying any issues,” she adds. “They also need to communicate any issues to key stakeholders so that they are both aware of the problem and the process in place to solve it and consider faster payment options if needed.”
Other key steps at this stage include:
- Assessing the extent of the damage: understand exactly how your organization and/or employees are affected by the incident, and gain clarity on exactly what has gone wrong.
- Communicating with employees: timely, transparent and empathetic responses to all employees affected are critical. Ideally, employees will receive a clear, concise explanation of what has gone wrong, and what you intend to do to mitigate any negative impacts.
- Ensuring payments are still made: every effort should be expended to make sure employees still get paid – if not on time, then with as little delay as possible. Accessing financial reports or payments made in the last cycle can help you work out what payments should be made when, even if access to payroll data remains unavailable.
- Watching out for phishing scams: it’s also important to remain vigilant for phishing scams which have emerged in the wake of the outage, seeking to take advantage of employers that have been disrupted. This is an ideal moment to review guidelines and security measures, to ensure protections against phishing are in place and that employees are alert to suspicious emails or messages.
In summary: preparing for the future
The chance of a similar event occurring in the future is considerable, and the CrowdStrike outage has underlined the need to have a solid recovery strategy in place. That way, whatever happens, payroll can run with minimal disruption and with data and documentation secured, helping reduce the risk of non-compliance, severe disruption and employee dissatisfaction.
Ideally, this plan should include:
- Backing up the payroll system, and being able to access it on at least one other device (a cloud-based solution makes this easier and more secure)
- Alternative forms of payment that can be spun up quickly, such as cash, cheques or direct deposits
- Documentation of payroll policies, ideally into a handbook that can be used as a guide to keep payroll running smoothly when unforeseen events occur
- A strong and easily accessible contingency plan that can be rolled into said handbook and that outlines who should do what and how
- Testing of emergency processes and contingency plans regularly, to ensure they’re fit for purpose, even as business and payroll needs change
Your business should have a plan in place long before any kind of disaster strikes. If this isn’t something you’ve developed from day dot, then you may have to take several paces back. But getting this preparation right will pay dividends in the long run.
Partnering with CloudPay gives you access to a cloud-based platform with robust security at its core, as well as strong compliance services.