On July 19, a software glitch live for only 78 minutes led to global turmoil. The incident, eventually traced back to an early-morning software update by cybersecurity firm CrowdStrike, led to outages for some 8.5 million Microsoft Windows systems running the company’s Falcon threat detection and prevention platform, Cybersecurity Dive reported.
Organizations worldwide were affected. Airports effectively came to halt, while a number of major banks faced disruptions ranging from employees being unable to access their work stations to consumers being locked out of digital accounts. By extension, the outage also disrupted payroll operations for some employers.
Tsvetta Kaleynska, founder and CEO of RILA Global Consulting, said that moving money across bank accounts became “impossible” during the day of the outage, leaving her temporarily unable to pay employees of her small business. The glitch also affected software vendor Docusign, which RILA uses to complete contracts; RILA lost out on a “huge, huge contract” with a client that could not be signed due to the outage, Kaleynska said.
RILA eventually got employees paid on the morning of July 20, she continued, but the outage served as a reminder of the tangible effects that result when things go wrong in a business world heavily dependent on software.
“It highlighted the huge dependence on systems and software for operations and revenues for small business leaders like myself,” Kaleynska said of the CrowdStrike incident. “It felt like a huge blow to small businesses.”
A case for business continuity planning
In some ways, it may take time for businesses to assess the full damage of the CrowdStrike incident, said U.K.-based payroll consultant Ian Giles. Organizational pay cycles vary widely depending on factors such as geography and pay frequency, and Giles said Friday is a popular day for businesses to make payments to workers.
Add in the fact that more and more employers choose to schedule payroll transactions days in advance, leaving the process to occur more or less automatically on payday, and “there’s every eventuality that people did not get paid” on the day of the outage, which fell on a Friday, Giles added.
Organizations including the Global Payroll Association and PayrollOrg — the latter of which formed last year as a merger of the American Payroll Association and the Global Payroll Management Institute — have raised this exact possibility. Even organizations who don’t use CrowdStrike may have been affected if their vendors do, said Curtis Tatum, in-house counsel and senior director of federal payroll compliance at PayrollOrg.
Unlike previous cyber incidents affecting payroll, such as the late 2021 Kronos outage, the CrowdStrike outage does not appear to be the result of a targeted cyberattack — a potential silver lining, Tatum said. Major U.S. payroll service providers have not reported any service disruptions publicly, he added, but the situation is still fluid. Giles likewise said that the situation “seems to be very quiet” as far as payroll providers are concerned, but he also said that this could change within the coming weeks and months.
However, one takeaway is that employers should have stress-tested business continuity plans for cyber incidents that include every single person who is involved in the payroll process, Giles said.
“Don’t just make sure you have a plan in place,” he continued. “Make sure it is regularly tested.”
In some cases, payroll vendors themselves may have their own versions of such plans, and employers can incorporate those directly into their continuity planning. “If what they have is already written, get it,” Giles said. “Make it a chapter of yours.”
Tatum said he also recommended that employers work collaboratively with vendors to ensure preparation for similar incidents and to build relationships with vendors that allow for such information exchange if they have not already done so.
Employers also might want to consider having a physical backup of their payroll, he noted, a strategy that helped some employers during the Kronos outage. While this approach can be expensive, “it’s good to have” in the event that employers are unable to access an electronic backup altogether, Tatum said.
‘It becomes serious stuff’
Beyond business continuity, employers also may need to consider how they will keep employees informed in the event of a payroll glitch.
“The overriding lesson to me is a reminder of the need for communication with employees to let them know what’s going on,” Tatum said. He added that HR teams can work with management and any outside organizations involved in payroll “just to have all the information you can provide to allay fears as best you can.”
Giles said the incident is a reminder that contingency planning may be more complicated in a hybrid or remote work environment, which could mean that employers need to take additional steps to make their contingency plans accessible.
“What would have happened Friday to one of these top businesses if their business continuity plan was on a server that was inaccessible?” he said. “It’s okay having it, but consider printing it or having it offline somewhere.”
Employers should also ensure as much as possible that employees and teams are attuned to potential technology issues, whether the fault lies with server errors, malfunctioning laptops or uncharged batteries, Giles added.
“Payroll is the absolute epicenter of every business,” Giles said, as errors can cause damage both for employees who are unable to afford their bills as well as for employers who suffer reputational damage for missing pay days. “It becomes serious stuff.”