At Workforce PayHub, we are dedicated to providing our clients with comprehensive security solutions that mitigate the risk of cyberattacks and keep sensitive data and accounts protected.
Here, we’ll discuss some recent updates we’ve made to our client security requirements – each designed to enhance security protections for your business and employees. We’ll also offer suggestions and resources to help you further strengthen your credentials security, prevent phishing attacks, and identify suspicious communications when they occur.
Multi-factor Authentication and Password Requirement Upgrades
To support cybersecurity for our clients, we are now requiring multi-factor authentication (MFA) for all user accounts, as well as more robust password requirements. Multifactor authentication significantly reduces the likelihood of a cybercriminal accessing your email account due to the additional device (and unique code) required to authenticate any login attempt.
Similarly, creating strong and distinct passwords with a range of character sets safeguards your accounts from hacking and eliminates the possibility of multiple accounts being compromised simultaneously.
New Password Requirements for All Client Accounts
To keep our clients protected, our new minimum password requirements are as follows:
- Passwords must be 15-64 characters in length.
- Passwords must use three-character sets (uppercase, lowercase, symbols and/or numbers) and may only use up to 4 repetitive characters.
- Passwords can remain active for 1-180 days, after which they must be changed/updated. A client can update their password at any time (limited to once a day).
- Clients must login within the first 30 days of their password update. After 60 days of inactivity, an account is suspended.
- Any account will be locked out/restricted for 30 minutes following five consecutive unsuccessful login attempts.
For users with multiple accounts, we recommend using a Password Manager tool, which can help with generating complex passwords and storing them securely for easy user access. Any of our clients are entitled to modify their password protocols for themselves and their employees as long as the above minimum requirements are met.
For more information on how to protect your login credentials across multiple accounts and devices, please explore our related article.
New Multi-factor Authentication (MFA) Requirements for All Client Accounts
Many of our clients are already familiar with multi-factor authentication as it is an increasingly used security measure used to prevent email/account compromise and other breaches of sensitive data.
Broadly speaking, it requires users to first enter their login credentials on one device then receive a distinct and one-time security code on another device before they can gain access to their account. MFA functions as a second layer of protection in the event that login credentials are compromised – preventing a cybercriminal from successfully commandeering an account.
Our new multi-factor authentication (MFA) requirements are as follows:
- All clients are required to use MFA
- Each time you use MFA, it remains valid on each given device (desktop, smartphone, tablet) for seven days before you must authenticate again.
- After five consecutive unsuccessful login attempts, an account will be suspended for 30 minutes and you will need to contact an administrator to reset your password.
- Users can authenticate their login by text, email, voice, Google Authenticator or another authenticator app, depending on which WFPH solution they are using.
The mandatory login requirements we’ve discussed (MFA- and password-oriented) must be implemented by June 22, 2023 for our clients who use our HCM solution, and by March 9, 2023 for those using our EverythingBenefits solution.
Additional Steps
To complement these new policy changes, we encourage employers to remain proactive in training their employees to identify suspicious emails and account activity. Synchronizing HR cybersecurity efforts and training with your IT department is also essential, as they can be a valuable and complementary resource in evaluating and addressing potential threats as they arise.
Our related article offers a broad range of suggestions and resources on how to identify and prevent phishing attacks, especially those targeting payroll through business email compromise (BEC) and other payroll diversion scams. Staying up to date with antivirus, anti-spam, antivirus software, as well as important security and OS updates, can also boost the overall security of your digital business accounts and business banking.
Simplify Payroll and Cybersecurity with Workforce PayHub
Remaining up to date with software, security protocols, and best practices that keep your payroll running safely and efficiently can be a challenging process. As cyber criminals adapt their methods to target small and mid-sized businesses, Workforce PayHub is here to help you learn all of the actionable steps you can take to mitigate risk, avoid phishing scams, and process payroll effortlessly for your business and employees.
From multifactor authentication to encrypted software and trained HR experts who treat your business’ security as a top priority, we’re here to provide a comprehensive payroll solution that grants you lasting peace of mind.
Subscribe to our newsletter today to receive the latest updates on HR best practices, labor law regulations, and other news that impacts Great Lakes businesses.
