In a world of mounting cyber security threats, it is not enough for a plan sponsor's IT function to implement best practices. Participants and vendors also play a critical role in preventing catastrophic attacks.
Here are four strategies that can help protect highly sensitive information.
Make multi-factor authentication mandatory
Multi-factor authentication (MFA) is a method of granting access to a system that requires the user to verify their identity with two or more pieces of information. These can include knowledge-based factors that only the user knows, such as a password or PIN; possession-based factors that only the user owns, such as a key fob or smart device; inherence-based factors such as fingerprints or facial recognition; or location-based factors like the user's IP address.
Because MFA effectively prevents more than 90% of password-related cybercrimes, it's an essential first line of defense in protecting participant finances and personally identifiable information (PII). Even though MFA is now required for compliance under many information privacy laws, including the Health Insurance Portability and Accountability Act and the General Data Protection Regulation, we still occasionally see plan sponsors and third-party benefit administrators (TPAs) allowing participants to choose whether to activate MFA.
It's high time that plan sponsors and their providers make MFA mandatory every time a member logs in or changes their details, no matter how much participants may grumble. And MFA isn't just for participants; vendors should also require employees to authenticate each time they access systems containing sensitive information.
The good news is that the advent of facial recognition technology has made MFA a frictionless process that only takes seconds longer than logging in with a simple password. With the Pew Research Center estimating that 87% of adults always keep their smartphone handy, receiving an MFA code by text or email has also become easy.
Don't take the phishing bait
Phishing attacks are the king of cybercrimes. According to IBM's X-Force Threat Intelligence Index, approximately 33% of all enterprise cyberattacks in 2021 stemmed from phishing attacks, in which cybercriminals pose as legitimate institutions to obtain sensitive information from people. Unlike cybersecurity threats that target vulnerabilities in an organization's IT infrastructure, phishing attacks exploit something much harder to control: the organization's employees, partners, and participants.
Education is the best line of defense against phishing attacks — and since criminals continually evolve their phishing schemes, training must be ongoing. Ask your suppliers if they cover phishing in their employee training. An effective phishing prevention program should include not only training, but also frequent simulations that test employees’ actual ability to identify and avoid phishing schemes.
Participants also need training. If your organization does not cover phishing prevention as part of its own IT security training, ask your TPA if they can provide training for participants. Free courses are also available through the US Department of Health and Human Services.
Watch for warning signs
Although cybercrimes cannot always be prevented, early detection can help limit the impact of an attack. Confirmation notices play an important role in detecting significant account changes made by unauthorized users. For example, sending a confirmation postcard to the original registered mailing address may reveal a fraudulent change of address or other suspicious activity.
Yet these early detection measures are only effective when plan members read them, and it’s all too common for plan members to dismiss them as inconsequential. It can also be difficult to verify the veracity of confirmation notices, which criminals have been known to spoof in an effort to phish the credentials of unwitting participants. As always, training is essential to ensure that these communications achieve their purpose.
We also advise plan sponsors to encourage plan members to log into their benefits portals frequently, at least once a month or even once a week. Just as checking your bank account transactions can reveal a fraudulent debit, checking your retirement savings accounts can help you spot unexpected activity, like an unauthorized 401(k) loan or change of address, much sooner.
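The two detection ideas in this section, routing confirmation notices to the contact details on file before a change and reviewing accounts for unexpected activity, can be expressed as simple review logic over an account-change log. The following is an added illustration, not code from the original article or from any plan administrator; the event fields, the 14-day window and the sample events are all constructed assumptions, and the pairing of a contact-detail change with a later loan or distribution request goes slightly beyond the text to show how a reviewer would prioritise which accounts to look at first.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fields that control where a participant can be reached; a change to one of
# these must be confirmed with the details on file BEFORE the change
# (constructed taxonomy for this example).
CONTACT_FIELDS = {"mailing_address", "email", "phone"}
# Events that move money out of the account (constructed taxonomy).
MONEY_EVENTS = {"loan_request", "distribution", "bank_account"}


@dataclass
class ChangeEvent:
    account_id: str
    field: str        # which account attribute changed or was requested
    old_value: str    # value on file before the change
    new_value: str    # value after the change
    at: datetime      # when the change was made


def confirmation_recipients(event: ChangeEvent, address_of_record: str) -> set[str]:
    """Where the confirmation notice for `event` should be sent.

    For a contact-detail change, notify the pre-change value as well as the
    new one, so a participant whose address was silently redirected still
    hears about it. For any other change, notify the address of record.
    """
    if event.field in CONTACT_FIELDS:
        return {event.old_value, event.new_value}
    return {address_of_record}


def flag_suspicious(events: list[ChangeEvent], window_days: int = 14) -> list[tuple[str, str]]:
    """Flag accounts where a contact-detail change is followed, within
    `window_days`, by a money-moving event. Such a sequence does not prove
    fraud, but it is the first thing a reviewer should look at."""
    by_account: dict[str, list[ChangeEvent]] = {}
    for e in sorted(events, key=lambda e: e.at):
        by_account.setdefault(e.account_id, []).append(e)
    flags = []
    for acct, evs in by_account.items():
        for i, e in enumerate(evs):
            if e.field not in CONTACT_FIELDS:
                continue
            for later in evs[i + 1:]:
                gap = later.at - e.at
                if later.field in MONEY_EVENTS and gap <= timedelta(days=window_days):
                    flags.append((acct, f"{e.field} changed {gap.days}d before {later.field}"))
                    break
    return flags


# Constructed sample log: A100 is benign; B200 changes its email and then
# requests a loan three days later.
T0 = datetime(2024, 3, 1)
SAMPLE_EVENTS = [
    ChangeEvent("A100", "mailing_address", "1 Old St", "2 New Ave", T0),
    ChangeEvent("A100", "beneficiary", "J. Doe", "K. Doe", T0 + timedelta(days=40)),
    ChangeEvent("B200", "email", "b@old.example", "b@new.example", T0 + timedelta(days=3)),
    ChangeEvent("B200", "loan_request", "", "15000", T0 + timedelta(days=6)),
]
```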
Expect the inevitable
No matter how advanced a plan sponsor's IT security protocols are – and no matter how many TPA questionnaires or audits are required during due diligence – plan sponsors and providers remain vulnerable to cyberattacks. Data breaches in particular are a fact of life that has been experienced by such well-known organizations as the Pentagon, NASA and the Federal Reserve. Often these breaches are not the result of negligence, but of circumstances beyond the control of a plan sponsor or provider, such as zero-day exploits (i.e. software vulnerabilities discovered by criminals before the software makers or their customers know about them).
To prepare for this unfortunate business reality, plan sponsors need to focus on what really matters: ensuring that when – not if – criminals breach a provider’s database, they can’t cause real damage.
For starters, all plan and participant data must be encrypted, whether at rest or moving between systems or individuals. A popular metaphor illustrates the difference: encryption at rest is like storing your data in a safe, while encryption in transit is like putting it in an armored vehicle for transport. When data is sufficiently encrypted both at rest and in transit, cybercriminals may be able to destroy a provider's system, but they won't be able to do anything malicious with the plan or participant data it contains.
A vendor’s disaster recovery plan should also demonstrate the existence of daily offsite backups that are encrypted, protected, and regularly tested. The same goes for a “hot site” or backup facility with all the hardware, software, and network connectivity that vendors need to get back up and running in case they get locked out of their primary system by a cybercriminal. With daily backups and a full hot site, vendors can be up and running within a day or two after a data breach, without having to play the ransomware game.
The main takeaway here is that IT security is no longer the job of just one department or one individual. Instead, plan sponsors, members and providers need to work together to thwart today’s increasingly savvy cybercriminals. The recommendations presented here are only the starting point for a regular dialogue that engages all parties in the ongoing task of protecting sensitive information.