In a world of mounting cybersecurity threats, it’s not enough for a plan sponsor’s information technology function to implement best practices. Participants and vendors also play a critical role in warding off catastrophic attacks. Here are four strategies that can help protect highly sensitive information.
Make multi-factor authentication mandatory
Multi-factor authentication (MFA) is any method for granting access to a system that requires the user to verify his or her identity with two or more independent pieces of evidence drawn from different categories. The three recognized factor categories are knowledge (something only the user knows, like a password or PIN), possession (something only the user has, like a key fob, a one-time code generated on a smart device, or a hardware security key) and inherence (something the user is, like a fingerprint or facial scan). Contextual signals such as the user's IP address or geographic location are often layered on top as a risk check, but they are not a factor in their own right: an IP address can be shared, spoofed or routed through a proxy, so it should never substitute for one of the three factors above.
Since MFA blocks the large majority of account takeovers that rely on a stolen or guessed password (vendor studies commonly put the figure above 90%), it's an essential first line of defense for protecting participants' finances and personally identifiable information (PII). Even though MFA is widely treated as a baseline safeguard under information-privacy regimes such as the Health Insurance Portability and Accountability Act and the General Data Protection Regulation, both of which require appropriate technical safeguards for sensitive data rather than naming MFA outright, we still occasionally see plan sponsors and third-party benefit administrators (TPAs) allowing participants to choose whether to enable MFA.
It’s long past time for plan sponsors and their vendors to make MFA mandatory every time a participant logs in or changes their contact information — no matter how much they may grumble. And MFA is not just for participants; vendors should also require employees to authenticate themselves each time they access systems that contain sensitive information.
The good news is that biometric unlock on a phone-based authenticator has made MFA a nearly frictionless process that takes only seconds longer than logging in with just a password. With the Pew Research Center estimating that 87% of adults always keep their smartphone within reach, receiving an MFA code via text or email has become easy, too. One caveat: codes delivered by SMS or email are the weakest form of MFA, because they can be intercepted through SIM swapping or simply typed by the victim into a convincing phishing page. They are far better than a password alone, but where a vendor offers a choice, an authenticator app or a phishing-resistant method such as a FIDO2 security key or passkey should be preferred, and SMS should be treated as a fallback rather than the default.
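To make the possession factor concrete, here is an added example (not code from the original article or from any vendor it describes) of how a time-based one-time password (TOTP, RFC 6238) is generated on the user's device and verified on the server. The secret is the public test-vector seed from RFC 6238, used here only so the output can be checked against the published values; the 30-second step, the plus-or-minus one step tolerance window and the `MfaVerifier` class that refuses replayed codes are assumptions of this example, not anything the article specifies.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test-vector seed (ASCII "12345678901234567890").
# In production each user gets a random secret generated with secrets.token_bytes().
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then the standard dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step.
    This is what the authenticator app on the participant's phone computes."""
    return hotp(secret, int(unix_time // step), digits)


def match_totp(secret: bytes, submitted: str, unix_time: float,
               step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the time-step counter the submitted code
    matched, or None. The window tolerates small clock skew between the
    phone and the server; compare_digest avoids a timing side channel."""
    base = int(unix_time // step)
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


class MfaVerifier:
    """Tracks the last accepted counter per user so that a code captured by a
    phishing page cannot be replayed inside the tolerance window."""

    def __init__(self, secrets: dict):
        self._secrets = secrets            # user id -> TOTP secret (assumed store)
        self._last_counter: dict = {}      # user id -> last counter accepted

    def accept(self, user: str, submitted: str, unix_time: float) -> bool:
        secret = self._secrets.get(user)
        if secret is None or not submitted.isdigit():
            return False
        counter = match_totp(secret, submitted, unix_time)
        if counter is None:
            return False
        # Reject any counter at or before the last one used (replay protection).
        if counter <= self._last_counter.get(user, -1):
            return False
        self._last_counter[user] = counter
        return True


if __name__ == "__main__":
    verifier = MfaVerifier({"alice": RFC_TEST_SECRET})
    code = totp(RFC_TEST_SECRET, 59)             # what the phone would show at t=59
    print("code:", code)                          # 287082 per RFC 6238 test vectors
    print("first use:", verifier.accept("alice", code, 59))    # True
    print("replay:", verifier.accept("alice", code, 61))       # False
```

The replay check matters more than it looks: a participant who types a valid code into a fake login page hands the attacker a credential that stays good for up to 90 seconds under a one-step window, so the server must ensure each time step is accepted once only.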
Don’t feed the phish
Phishing attacks are the king of cybercrimes. According to IBM X-Force's Threat Intelligence Index, an estimated 33% of all enterprise cyberattacks in 2021 stemmed from phishing, in which cybercriminals pose as legitimate institutions to obtain credentials or other sensitive information from individuals. Unlike threats that target vulnerabilities in an organization's IT infrastructure, phishing attacks exploit something that's much harder to control: its people, partners and participants.
Education is the best line of defense against phishing attacks — and since criminals are continuously evolving their phishing schemes, training must be ongoing. Ask your vendors if they cover phishing in their employee training. An effective phishing prevention program should include not only education, but also frequent simulations that test employees’ real-world ability to identify and avoid phishing schemes.
Participants need training, too. If your organization does not cover phishing prevention as part of its own IT security training, ask your TPA if they can provide participant training. Free courses are also available through the U.S. Department of Health and Human Services.
Watch for warning signs
While it’s not always possible to prevent cybercrimes, early detection can help limit the repercussions of an attack. Confirmation notices play an important role in detecting when significant account changes are made by unauthorized users. For instance, sending a confirmation postcard to the original mailing address on file can expose a fraudulent address change or other suspicious activity.
Yet these early detection measures are only effective when plan participants read them, and it’s all too common for participants to dismiss them as inconsequential. It also can be difficult to ascertain the veracity of confirmation notices, which criminals have been known to spoof in an attempt to phish credentials from unwitting participants. As ever, training is key to ensuring these communications serve their purpose.
We also advise plan sponsors to encourage participants to log into their benefits portals frequently — at least monthly, if not weekly. Just like checking your bank account transactions can reveal a fraudulent charge, checking your retirement savings accounts can help you catch unexpected activity, such as an unauthorized 401(k) loan or change of address, much earlier.
Plan for the inevitable
No matter how advanced a plan sponsor’s IT security protocols are — and no matter how many questionnaires or audits are required of TPAs during due diligence — both plan sponsors and vendors remain susceptible to cyberattacks. Data breaches in particular are an inevitability that has been experienced by such well-known organizations as the Pentagon, NASA and the Federal Reserve. Oftentimes these breaches result not from negligence, but circumstances beyond a plan sponsor or vendor’s control, such as zero-day exploits (i.e., software vulnerabilities discovered by criminals before software makers or their customers know about them).
To prepare for this unfortunate business reality, plan sponsors need to focus on what is truly meaningful: verifying that when — not if — criminals breach a vendor’s database, they can’t do any real damage.
For starters, all plan and participant data should be encrypted whether it's at rest or moving between systems or individuals. A popular metaphor illustrates the difference: encryption at rest is like storing your data in a vault, whereas encryption in transit is like putting it in an armored vehicle for transport. When data is properly encrypted both at rest and in transit, a cybercriminal who steals a database file or a backup tape, or who captures network traffic, gets ciphertext rather than participant records. The caveat is that the metaphor holds only as long as the keys are kept apart from the data: a vendor should be able to explain where encryption keys are stored (ideally in a hardware security module or managed key service), who can use them, and how access to them is logged, because an attacker who compromises an application that already holds the keys reads the data as easily as the application does. Encryption is a strong control against theft of stored or transmitted data; it is not a substitute for access control on the systems that legitimately use that data.
A vendor's disaster recovery plan also should demonstrate the existence of daily, off-site backups that are encrypted, protected and regularly tested. "Protected" should mean that at least one copy is offline or immutable, reachable only through separate credentials, because ransomware operators routinely locate and delete or encrypt online backups before triggering the ransom demand. The same applies to a "hot site" or backup facility with all the hardware, software and network connectivity vendors need to get back up and running in the event they are locked out of their primary system by a cybercriminal. With daily backups that have actually been restored in a drill and a comprehensive hot site, vendors can get back up and running within a day or two of a destructive attack without having to play the ransomware game. Bear in mind that backups restore availability; they do nothing to undo the disclosure of data that has already been copied out, which is why the encryption and key-management measures above still matter.
The key takeaway here is that IT security is no longer the job of any single department or individual. Rather, it takes plan sponsors, participants and vendors working together to thwart today’s increasingly savvy cybercriminals. The recommendations outlined here are just the starting point for a regular dialogue that engages all parties in the ongoing task of protecting sensitive information.