Ensuring Cybersecurity in a Remote Work Environment

Extra measures need to be taken for HR and benefits staff working from home to keep employee and retirement plan data secure.

The rapid shift from office to remote work over the past month has left employers questioning their cybersecurity practices.

“There’s a sudden need to test all those tools, in addition to adding a lot of cyber hygiene security and protocols from the home environment that weren’t always as easily emphasized in the workplace,” says Ben Taylor, senior vice president at Callan, an institutional investing firm in San Francisco.

Never miss a story — sign up for PLANSPONSOR newsletters to keep up on the latest retirement plan benefits news.

Because human resource (HR) professionals are working online, past HR processes completed in a paper format are now done through the computer. This adjustment is one of the principal impacts, as workers are rapidly adapting to the swift change. “There’s a need to rapidly adapt the paper processes that otherwise can’t be done as easily in this environment,” Taylor says.

While some companies may be in good shape using secure virtual private networks (VPNs), virtual desktops and multi-factor authentications, the reality is that many have not implemented those same practices, says John Jurik, area executive vice president at insurance, risk management and consulting firm Gallagher. “Others may not have those systems in place or have not worked through de-risking employee remote access from personal devices over home networks and Wi-Fi that may not be secured like their corporate networks,” he adds.

This unexpected and abrupt move in these workforces, without much training on preventative cyber-hack measures, can thus produce multiple hacking attacks such as spear-phishing and on personal devices, Taylor notes in his report on the cyber risks in working remotely. To combat the threat of hacks, the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security (DHS) released insights on avoiding cyber issues that arise from the effects of COVID-19, including how to protect privacy during virtual meetings, telework and email.

Cyber threats aren’t limited to those without security measures, however. Companies that have incorporated even the most sheltered practices are still under threat, as employees are now working in their homes with weaker Wi-Fi security systems. “Hackers know people are working remotely and therefore are on networks that are less heavily secured and less robust from a redundancy standpoint than the traditional corporate or government networks that they’re normally on,” Taylor adds.

For benefits and providers’ staff, including HR, prevention should be the first imperative task, Jurik notes. He explains how phishing—the practice of sending fraudulent emails while masking as reputable companies to gain personal information—and other social engineering techniques can easily fool workers. One of the best protections is implementing training for both HR staff and employees, eyeing suspicious emails that ask for password renewals and login credentials, and applying secure network connections to access company information, Jurik says. Employees should not be logging into their accounts or emails through personal devices. “As a plan sponsor, you should implement processes and controls to restrict access to plan systems, applications, data and other sensitive information,” he recommends.

Plan sponsors can also look to their financial advisers and providers for support, especially those well-versed in cybersecurity practices, to develop a retirement plan-specific cybersecurity risk management strategy. Should a breach occur, having a plan in place with appropriate notices and remediation efforts can secure confidential information related to the retirement account, while allowing employers and team members to move swiftly, Jurik says. Reviewing the retirement plan providers’ cybersecurity approach and any updates being made in light of COVID-19 could add further clarity. “Communication between plan sponsors, recordkeepers, and advisers and ultimately participants has never been more important,” Jurik stresses.

The most important concept to note about data protection is that most networks are at risk of being compromised and strained, Taylor contends. The fear over the current state of news allows opportunities for hackers to intrude networks, so enhancing cybersecurity practices is vital. Keeping up with cybersecurity best practices, such as using a VPN, multi-factor authentication and password protection, reminds workers to be vigilant, while keeping their employee and retirement plan data secure.