Articles | August 17, 2023
Cybercriminals want to steal your valuable assets and the confidential data and information you retain. A particularly desirable target is personal information about employees, plan participants and beneficiaries.
Cyberattacks are growing more sophisticated, yet tried-and-true methods of breaching your organization’s defenses still work. That’s why defending your organization against today’s cybersecurity threats is increasingly difficult — you need to foil both old and new methods of stealing your organization’s data and information.
If your organization is small or midsize, it’s likely you face these five key challenges related to cybersecurity, while going about the business of your business:
This article discusses each of these challenges. It also addresses what you can do to meet them.
At the heart of most of these challenges are insufficient staffing and lack of expertise. Uncertainty related to the fast-evolving nature of cyber risk is also a factor.
Being vigilant about cybersecurity requires understanding the latest risks. For examples, see the box at the end of this article, “Today’s Advanced Cybersecurity Threats.”
That is difficult given how busy your IT team is serving your organization’s tech needs. Small IT teams compound the challenge.
Cybersecurity professionals, who have specialized expertise, are in short supply.
There are multiple methods to try and mitigate this. You can use one or all of them:
Because your IT team is already stretched, it’s tough for them to know how best to defend your organization against advanced cybersecurity threats. To ensure your defenses are strong, you need to make the latest software updates and follow best practices on processes and training on how to keep data secure.
Effective cybersecurity also requires a regular review of vulnerabilities. Revisions to address new threats or to fix gaps in technology or administrative practices are ongoing; they can be time consuming, and they are both mentally demanding and labor intensive.
In addition, it’s helpful to be aware of the latest tools and techniques, as well as specialized service providers that can help you with cybersecurity.
Agility can help ensure effective cybersecurity. If you don’t respond quickly to cybercriminals’ latest techniques, your organization is vulnerable.
As is the case with the first two challenges, a full plate of daily IT responsibilities is the enemy of agility. Establishing a relationship with an MSSP can help you keep knowledgeable and up to date on the ever-evolving technical aspects of cybersecurity threats (e.g., malware and its derivative, ransomware and evolving phishing tactics). Having an annual risk assessment of your own operations and your third parties’ operations ensures a more comprehensive look (as administrative and physical risks and threats change, too).
Laws, rules and regulations require certain security activity.
For almost 20 years, sponsors of health plans, healthcare providers and their business associates have performed regular HIPAA security assessments to ensure they comply with the HIPAA Security Rule requirement that they protect the confidentiality of electronic protected health information.
More recently, as part of fulfilling their fiduciary responsibility, sponsors of employee benefit plans subject to ERISA are following cybersecurity best practices published by the DOL a couple of years ago. For details about that guidance, see our April 21, 2021 insight, “DOL Guidance on Cybersecurity Covers Best Practices and Tips.” My December 9, 2021 article, “Vendor Cybersecurity Best Practices for Plan Sponsors,” outlines three steps plan sponsors should consider taking to ensure their cybersecurity efforts are aligned with the DOL’s recommendations.
Although following sub-regulatory recommendations for cybersecurity activities is, by definition, optional, it’s strongly encouraged. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a more widely used framework in North America. It’s much more comprehensive than the DOL’s best practices. For example, NIST CSF covers five core components — with 21 different areas of activity for an organization to know and manage its cybersecurity risk, whether inside the organization or with a third (or fourth) party vendor. From training to techniques to policies and procedures, among other topics, it is both broad and deep. To learn more about our training recommendation, see our January 8, 2021 insight, “Cybersecurity Training for Employees: Know Your Role.”
Keep in mind that insurers offering cyber liability coverage consider the insured’s cybersecurity practices when they price policies (or even evaluate renewing, at all).
It’s important to budget for a regular cybersecurity maintenance program. Managing risk is an ongoing process. Good risk management helps you mitigate risks, while allowing your organization to provide the products or services that define its mission. That’s the point: to manage security risks today, tomorrow and in the future so you can fulfill your organizational mission!
The above being true, keep in mind that the cost of a data breach will far surpass good security risk management expenses.
The evolving nature of cybersecurity threats makes budgeting difficult, true, yet expenses can be intentionally planned and rationally executed.
Seek expertise from third-party IT professionals who can inform you about the latest risks, as well as tactics and protocols to mitigate them. Cybersecurity professionals who are well versed in administration will be able to assist with your governance, risk and compliance activities.
You can stay agile by requesting ad-hoc assistance from cybersecurity experts who are able to step in without advance notice and become a temporary part of your team to address issues as they arise.
Relying on expert cybersecurity advice allows you to stay focused on your organization’s goals and your IT team to continue doing what they do best: serving your organization.
You should perform certain cybersecurity activities annually. Examples include training staff on cybersecurity awareness, conducting phishing tests and reviewing your cyber liability insurance coverage. Consider creating a cybersecurity calendar that schedules other activities to regularly occur over a period of multi-year cycles. Those activities include assessing third-party vendor cybersecurity risk as well as network penetration testing (a simulated cyberattack) and vulnerability testing (looking at internal and/or external vulnerabilities). Considering how much you need to accomplish and the pace of change, three years is a reasonable period.
This approach allows you to prioritize cybersecurity needs and create a predictable budget for allocating resources effectively during a multi-year cycle. It also makes what can seem like an overwhelming task much more manageable.
Relevant experience and objectivity are important, so before you hire an IT cybersecurity consultant, be sure to get answers to questions like these:
Recognizing that people, who are inherently trusting, are the weakest cybersecurity link, cybercriminals impersonate a trusted colleague or contact via email (phishing) or text (smishing) to trick someone on your team into voluntarily giving up confidential, sensitive and/or non-public data or information.
Cybercriminals break into the systems of organizations you work with, like vendors and business partners, to attack you by taking advantage of that trusted relationship.
Cybercriminals use phishing or smishing to install malware that enables them to control and lock your IT system and demand a ransom to restore your access.
Now that many people are working remotely from home, cybercriminals have more opportunities to steal devices that are the endpoints into your IT system: smartphones, laptops and tablets.
Phishing and smishing attacks increased 61 percent between 2021 and 2022, according to the SlashNext State of Phishing Report for 2022. The emergence of generative AI has made it easier for cybercriminals to create thousands of phishing and smishing messages.
Unfortunately, no activities, tools, techniques or technologies can eliminate cybersecurity risk. That’s why you should have a defined, up-to-date and actionable incident-response plan, one of the “critical three” plans you should regularly review. The other two are your disaster-recovery plan and your business-continuity plan.
The incident-response plan, in particular, should guide you in a step-by-step response, because an emergency is not a good time to “figure out” what to do (e.g., Who should you call? In what order? Should you shut systems down, or not? Why?).
Although cybersecurity perfection is not attainable, diligent, ongoing efforts to mitigate cyber risk — both within your organization and your service providers — are worthwhile.
© 2024 by The Segal Group, Inc.