With the surge in remote working amid the coronavirus pandemic, employers are rightly focused on strengthening cybersecurity protocols to protect the sensitive information that employees access as part of their daily jobs. Plan sponsors also need to think about protecting retirement plan information.
Phishing attacks—emails sent by hackers to obtain sensitive information—increased 600 percent in the first quarter, according to Forrester Research. Hackers may be highly motivated to access 401(k) portals because they provide access to cash as well as sensitive information that may be used to exploit plan participants and organizations even further.
Employees’ online behavior is cited as the cause of many cyber vulnerabilities, so employers should be thinking about strategies to prevent digital attacks. These include taking action within their information technology (IT) departments to protect information sent to remote devices and developing educational tools to improve cybersecurity awareness for employees.
Strengthening IT Security
The average cost of a cyber data breach is $8.2 million, according to a 2019 IBM report. But most organizations spend well below what may be necessary to build the proper information security systems. Companies with remote workers should run advanced diagnostic tests to gauge their current level of vulnerability and determine the appropriate budget to help minimize the risk of a cyberattack.
At a minimum, companies should implement the following best practices to enhance their cybersecurity:
- Ensure that all communications are encrypted properly. Although most employers are using virtual private networks (VPNs) for working from home, it is advisable to go a step further by using Layer 2 Tunneling Protocol (L2TP), a higher level of encryption that can protect the activity of remote workers.
- Establish multi-factor authentication processes for gaining access to company systems and information. These processes make it significantly more difficult for a hacker to access company systems simply by stealing an employee’s password.
- Use cyber intrusion detection systems on company networks to identify any intrusions or unauthorized exfiltration of data.
Other ways to thwart hackers include time limits for employee device usage (leaving a device on and idle for extended periods increases opportunities for hackers to gain access) and using employee clearance levels (essentially internal firewalls) to limit broad access to company information.
Check in with service providers, such as recordkeepers and plan administrators, to ensure their protections are in line with best practices. Remember, as a fiduciary, plan sponsors are required to act in the best interests of their participants, and examining service providers’ cybersecurity protocols is part of that responsibility.
Educate Employees About Information Security
When employees log into their 401(k) plans or access company information from home, they may unknowingly expose sensitive information, such as addresses, bank accounts, Social Security numbers, and private company data. Most employees know they should use secure WiFi networks instead of public networks; they may not realize, however, that their favorite password can be an easy puzzle for hackers to solve. Passwords that are at least 20 characters long and include a combination of letters, numbers, and symbols are exponentially more difficult for hackers to guess than shorter, simpler passwords.
Hackers increasingly are using spear phishing, a sophisticated approach that targets a specific person using personal information to gain access to more valuable data. Employers need to educate employees about these schemes. Many companies are combatting this threat by sending fake cyberattack emails to employees and then rewarding employees who report these emails—or providing further training for employees who fall for these pseudo attacks.
Insight: Information Security is Worth the Investment
The coronavirus pandemic has increased our dependence on digital transmissions and created more points of attack for cyber criminals. Plan sponsors need to rise to the challenge and realize that their employees play an important role in protecting the company’s data as well as their personal information.