Remote Working and Cybersecurity Considerations for Plan Sponsors

With the surge in remote working amid the coronavirus pandemic, employers are rightly focused on strengthening cybersecurity protocols to protect the sensitive information that employees access as part of their daily jobs. Plan sponsors also need to think about protecting retirement plan information.
In this volatile market environment, employees may be checking their 401(k) or other retirement plan balances more frequently—and doing so from less secure home internet connections. The remote working environment may leave employers vulnerable to cyberattacks if they don’t have proper protocols in place and educate employees on how they can do their part to limit cyber threats.
Phishing attacks—emails sent by hackers to obtain sensitive information—increased 600 percent in the first quarter, according to Forrester Research. Hackers may be highly motivated to access 401(k) portals because they provide access to cash as well as sensitive information that may be used to exploit plan participants and organizations even further.
Employees’ online behavior is cited as the cause of many cyber vulnerabilities, so employers should be thinking about strategies to prevent digital attacks. These include taking action within their information technology (IT) departments to protect information sent to remote devices and developing educational tools to improve cybersecurity awareness for employees.
Strengthening IT Security

The average cost of a cyber data breach is $8.2 million, according to a 2019 IBM report. But most organizations typically spend well below what may be necessary to build the proper information security systems. Companies with remote workers should run advanced diagnostic tests to determine their current level of vulnerability and determine the appropriate budget to help minimize the risk of a cyberattack.
At a minimum, companies should implement the following best practices to enhance their cybersecurity:

  1. Ensure that all communications are encrypted properly. While most employers already have employees use virtual private networks (VPNs) when working from home, it is advisable to go a step further by using Layer 2 Tunneling Protocol (L2TP), a higher level of encryption that can protect the activity of remote workers.
  2. Establish multi-factor authentication processes for gaining access to company systems and information. These processes make it significantly more difficult for a hacker to access company systems simply by stealing an employee’s password.
  3. Use cyber intrusion detection systems on company networks to identify any intrusions or unauthorized exfiltration of data.

Other ways to thwart hackers include time limits for employee device usage (leaving a device on and idle for extended periods increases opportunities for hackers to gain access) and using employee clearance levels (essentially internal firewalls) to limit broad access to company information.
Check in with service providers, such as recordkeepers and plan administrators, to ensure their protections are in line with best practices. Remember that, as fiduciaries, plan sponsors are required to act in the best interests of their participants, and examining service providers’ cybersecurity protocols is part of that responsibility.

Educate Employees About Information Security

When employees log into their 401(k) plans or access company information from home, they may unknowingly expose sensitive information, such as addresses, bank accounts, Social Security numbers, and private company data. Most employees know they should use secure WiFi networks instead of public networks; they may not realize, however, that their favorite password can be an easy puzzle for hackers to solve. Passwords that are at least 20 characters long and include a combination of letters, numbers, and symbols are exponentially more difficult for hackers to guess than shorter, simpler passwords.
Hackers are increasingly using spear phishing, a sophisticated approach that targets a specific person using personal information to gain access to more valuable data. Employers need to educate employees about these schemes. Many companies are combating this threat by sending fake cyberattack emails to employees and then rewarding employees who report these emails—or providing further training for employees who fall for these pseudo attacks.
Your BDO representative is available to review potential gaps in your organization’s cybersecurity approach, offer diagnostic tools, as well as discuss the latest hacking schemes to help you better understand the most critical threats to your organization’s data.