Are your timesheets really secure?
Secure timesheets are important for your business or organization. Timesheets contain sensitive data including customer, project, and employee details as well as cost rates, recharge rates, and competitive commercial information which can be damaging to your business if it is compromised. There’s also the possibility of fraud through falsified timesheets. These can lead to monetary loss, reputational damage, widespread organizational disruption, and delays in billing.
How to know if your timesheet is secure
- Your software provider is ISO 9001 or SOC2 certified. Be aware that many low-end systems claim compliance through a hosting provider but that doesn’t mean the timesheet is certified.
- Your software provider has ISO 27001 or SOC2 certification. Again, beware of providers that claim compliance through a hosting provider.
- Your software provider is independently PEN Tested. This certification ensures software security has been tested by an independent specialist testing organization.
- Database encryption is not required for many installations but it may be for your organization or industry or for compliance with other industry standards like HIPAA in the United States.
- Your hosting provider is ISO 9001 or SOC 2 certified.
- Your hosting provider is ISO 27001 or SOC 2 certified.
- Your software includes the necessary controls to ensure employee timesheets are accurate and authorized.
- Choose cloud mobile apps rather than downloadable apps, which are a common security risk.
Why a hosting provider having ISO or SOC2 certification is not enough for your security
Many providers claim ISO or SOC2 compliance because a hosting provider they use is ISO or SOC2 compliant. Hosting provider compliance is important to cover the servers that your cloud software is hosted on. Hosting compliance is a small part of the overall security measures needed and does not cover any of the other important areas: security of the software; development of the software; staff management. The company that develops and maintains the software must also be certified, the software should be PEN tested, the security of mobile software should be scrutinized, databases may need to be encrypted, customers may need a certain period of retention of backups, audit trails, and more. All too many systems – especially low-end options – claim certification through their hosting provider but this is not enough for robust security.
Why ISO and SOC2 certification for a company and software provider is important
Companies that supply cloud software must be certified. Businesses need to know that cloud software developers have properly documented and tested procedures to maintain their technology, the software they develop, and the way they manage the hosting provider they use if they do not use their own servers. ISO 9001 is the company certification. ISO 27001 is the certification for the way in which software is developed and maintained. SOC2 is a standard for the US only. ISO certification is more stringent and is internationally recognized.
Want to know more about the difference between SOC2 and ISO 27001? Read this related article: SOC 2 vs ISO 27001 certification. What’s the difference?
Why PEN testing is important
Knowing the cloud software you run is ISO or SOC2 certified, has been developed by an ISO or SOC2 certified company, and runs on servers from a company that is also certified should give you confidence, but it says nothing about how secure the software itself is or whether it passes any security tests. Independent and ongoing penetration testing (PEN testing) ensures this. PEN tests should be carried out continually, as new threats are discovered all the time and bad actors are always looking for new ways to attack software. Ideally, you should ensure your software has an A or A+ PEN test certification. Anything less requires scrutiny, as the non-compliance issues may be significant. When issues do arise, what matters is how fast the provider resolves them.
Why are mobile timesheet apps a security risk?
- An app downloads company data to be stored on a device. The device is often not covered by company security policies. That is a problem.
- Mobile apps risk stability issues. An app needs to be updated and is also at the mercy of the next version of iOS or Android. If it gets super buggy – there’s no trusted IT department to help. You are at the mercy of the app developer. That is a problem.
- If the device is lost or stolen, your organization’s data is still on the phone or tablet and vulnerable to being accessed and exploited. That is a big problem.
Mobile apps download data to a device that offers a back door into company data, particularly where employees use a personal device – like a phone or tablet. Security is based on the person’s password or facial recognition. Relying on an employee’s personal device to host organization data is a security liability for your business.
Mobile phone use is more secure where the company provides corporate mobile devices to employees but is still a risk. Cloud apps are recognized as being more secure than downloaded applications. Choose a provider that does not provide an app downloaded from Apple or Android (Google Play) stores. Choose software that uses the same secure technology for mobile apps as for desktop apps – responsive cloud apps that support mobile devices.
Timesheet security should protect against falsified and fraudulent timesheets
Your business budgets can be affected by timesheet fraud when timesheets are intentionally falsified and a worker is paid for time they have not worked. Your organization’s timesheets should be easy to use and have clear instructions and policies for completion, submission, and authorization of timesheets.
Timewatch timesheets include the following measures to combat fraudulent data entry:
- Minimum hours can be set by day and by week to ensure employees meet company minimum hours.
- Non-chargeable work can be entered to allow employees to make up their timesheet to minimum hours.
- Timewatch can utilize data from systems such as Outlook, Google, and Teams – this increases timesheet accuracy and saves employees time.
- Timesheets can be reviewed and authorized by a manager.
- Audit trails should be available to show all timesheet entries and changes, detailing the date, time, and who made them.
- Auto notifications keep employees and managers informed of tasks, from entry and submission of time to manager review and authorization.
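One way to implement the minimum-hours, manager-authorization and audit-trail controls listed above, as an added example that is not Timewatch's code; the policy values, the NON-CHARGEABLE project name and the draft/submitted/authorized states are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed, constructed policy values (not Timewatch's defaults): minimum hours per day and week.
MIN_HOURS_PER_DAY = 7.5
MIN_HOURS_PER_WEEK = 37.5

@dataclass
class Entry:
    day: str            # ISO date, e.g. "2024-05-06"
    project: str        # "NON-CHARGEABLE" counts toward the minimum but is not billed
    hours: float

@dataclass
class Timesheet:
    employee: str
    entries: list = field(default_factory=list)
    status: str = "draft"          # draft -> submitted -> authorized
    audit: list = field(default_factory=list)

    def _log(self, actor, action, detail):
        # Every change records who did it, when (UTC) and what changed.
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, detail))

    def add(self, actor, entry):
        if actor != self.employee or self.status != "draft":
            raise PermissionError("only the owner may edit a draft timesheet")
        self.entries.append(entry)
        self._log(actor, "add", f"{entry.day} {entry.project} {entry.hours}h")

    def shortfalls(self):
        # Days below the daily minimum, and the weekly shortfall in hours (0.0 if none).
        per_day = {}
        for e in self.entries:
            per_day[e.day] = per_day.get(e.day, 0.0) + e.hours
        short_days = [d for d, h in per_day.items() if h < MIN_HOURS_PER_DAY]
        week_short = max(0.0, MIN_HOURS_PER_WEEK - sum(per_day.values()))
        return short_days, week_short

    def submit(self, actor):
        short_days, week_short = self.shortfalls()
        if short_days or week_short:
            raise ValueError(f"below minimum: days {short_days}, week short by {week_short}h")
        self.status = "submitted"
        self._log(actor, "submit", "")

    def authorize(self, manager):
        # Separation of duties: the submitter cannot authorize their own sheet.
        if manager == self.employee or self.status != "submitted":
            raise PermissionError("authorization requires a different user on a submitted sheet")
        self.status = "authorized"
        self._log(manager, "authorize", "")
```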
Timewatch secure timesheets screenshots
Timewatch’s web app, Outlook timesheet add-in and mobile app tick all the secure timesheet boxes.
Why Timewatch timesheets are secure timesheets
Timewatch timesheet systems tick ALL the boxes for timesheet security
Timewatch uses ‘storeless’ cloud apps for mobile devices. We believe they are the best option for everyone within your organization. There’s nothing to install and no data is stored locally. This improves security for your business and it is much easier (and, arguably, cheaper) to host as no IT department is required to solve problems – not least because problems with cloud apps are rare.
- Timewatch is ISO 9001 certified.
- Timewatch software is ISO 27001 certified.
- Timewatch software is independently PEN tested.
- Timewatch offers database level data encryption.
- Timewatch uses the highest security level SSL certificate.
- Timewatch hosting is ISO 9001 and 27001 certified.
- Timewatch does not use downloadable mobile or desktop apps.
- Timewatch only uses secure, certified, PEN tested cloud apps.
- Timewatch provides facilities to ensure timesheet accuracy, procedures to deter and detect fraud, and auditing of timesheet entries and changes.
- We tick all the security boxes.
Timewatch cloud apps are the right choice for your business and your mobile devices
Timewatch uses and endorses cloud apps for mobile devices. Users simply access our systems through their device via a mobile responsive browser. It’s easy. There’s nothing to download. It is secure as nothing is stored on the device and there is no corporate data security issue. There are no support issues as all that’s needed for the device to function and access our systems is a browser.
Who is Timewatch?
Timewatch are specialists in professional services solutions including secure timesheets, time tracking, resource scheduling and professional services automation software. Timewatch is ISO 9001 and 27001 certified and provides public cloud, private cloud and on-premises solutions.
To see how Timewatch® secure timesheets can improve time tracking speed, ease, accuracy, integrity, analytics, and security in your organization, book a free call or live product walk through with a product specialist using the form to the right.
Other posts you may be interested in:
When using third-party software it is important that the software provider has the same – or better – security standards as your own organization. How can you know if a software provider carries a certification that meets your standard?
Article from RSM Ltd on timesheet fraud prevention and detection and the processes and measures organizations can take to mitigate issues.
ISO 9001 is the International Standard for Quality Management Systems, addressing the principles and processes surrounding the design, development, and delivery of products or services. By participating in certification, Timewatch demonstrates its commitment to delivering quality products and services.
Following an announcement in March that Timewatch is certified to ISO 9001 standard, we can now announce the company is also certified to ISO 27001 standard – meeting the three pillars of cyber security: people, processes and technology.
Timesheet apps are a corporate security risk. Scary Fact: Research by Arxan, experts in mobile security, found that it took less than 10 minutes to hack into the top 30 financial sector apps, and they discovered 180 vulnerabilities! This demonstrates the vulnerabilities exposed by downloadable mobile apps. Timesheet apps risk your customer, employee, project and billing data. In this article we explain how, and why Timewatch does not suffer from this security risk.
Timewatch develops plugins and apps for Teams and has experience in what data software can access. In this article we explore how your meetings, calls and chat activity can be monitored by your employer, how transcripts can be automatically generated, what you can do about it and even how this data can be used to actually help employees.