Data breaches are on track to reach a record number this year of over 1,000 breaches, across all industries. With the Ponemon Institute reporting that the average total cost of a data breach in the U.S. has increased 5% in 2017, up to $7.35 million, cybersecurity is a major concern for many employers. Additionally, the growing prevalence of these cyberattacks has contributed to a major shift in which many organizations are no longer classifying cybersecurity readiness as a strictly IT responsibility, but are now viewing it as a shared one across multiple departments, including Human Resources.
To help make sense of looming cybersecurity threats for professionals across multiple areas of an organization, we’ve listed some key issues all employers should consider addressing and recommendations for how to approach them.
Employee Activities Causing Accidental Exposure
The Identity Theft Resource Center has reported that the majority of data breaches this year were caused by employees accidentally falling victim to hacking, skimming, or phishing attacks. One of the leading types of these attacks – accounting for up to 91% of them – is spearphishing, in which targeted emails are sent to an employee or manager to lure them into providing various types of employee personal information, such as tax or payroll information. These emails are more dangerous than the usual phishing emails because they are highly specific to the recipient and usually appear to come from a legitimate and trusted source. When employee activities do cause companies to fall victim to these common attacks, the financial fall-out can be crippling to some companies – the Ponemon Institute estimates such attacks cost businesses $3.8+ million on average! Considering this, it’s no wonder that employee activities leading to accidental exposure are a top concern.
What Employers Can Do to Mitigate Risk & Fall-Out
As we’ve reported in previous blogs, although accidental insider exposure causes the majority of data breaches, less than 1% of cybersecurity training is spent on cyber awareness training for employees. We share this stat so often because we still can’t believe it ourselves! Creating a culture of cyber awareness, one in which cybersecurity training for employees occurs year-round and the employer demonstrates its commitment to cybersecurity (by offering identity protection as an employee benefit, for example), is key to reducing employees’ risk of falling victim to phishing scams, not only in the office but in their personal online use as well. These positive effects are win-win for employees and employers alike, as they not only reduce businesses’ risk but can increase employees’ loyalty as well.
Malicious Employee Activities
Although less than 10% of global breaches are reportedly caused by malicious insiders, headline-making incidents have still put them at the top of over 60% of employers’ minds. The main reasons these attacks concern employers are the ease with which they can be committed and the difficulty of detecting them. Employees are trusted with access to some of an employer’s most sensitive data and networks. In fact, over 60% of companies believe the activities of privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations, whereas 20% reported that they think business partners are their biggest threat. One recent case involving two of the biggest brands in the U.S. – Google and Uber – highlighted one of the frightening outcomes such an attack can have. Google’s parent company, Alphabet, filed a lawsuit against its former engineer, who is now working with Uber. The company accused the employee of copying more than 14,000 internal files and taking them directly to his new employer. For less stable companies, the financial and reputational fall-out from a breach caused by malicious employee activities can be business-ending.
What Employers Can Do to Mitigate Risk & Fall-Out
These types of attacks are unfortunately difficult to notice because employees are often the last group an employer would expect to commit malicious activities. However, it’s important that employers trust but verify in this regard, by monitoring employee use of networks to help identify anomalies and suspicious behavior. Having access controls, so that employees and business partners can only access the files and systems they need, is also an excellent best practice that can help organizations mitigate risk. It can also limit the damage from retaliation by recently terminated employees, by reducing the number of systems from which their access must be removed, and therefore the time it takes to do so. Such processes may have helped Twitter avoid a recent controversial enterprise incident. However, with organizations across all industries being affected by a record number of data breaches this year, it’s more important than ever for businesses to consider not just how to reduce their chances of falling victim to a breach, but how to minimize the fall-out from a breach if they do fall victim to one. Proactively offering identity protection and resolution services as an employee benefit and/or value-added service is one effective way for businesses to reduce such fall-out.
Meeting the Fiduciary Duty to Protect Benefit Plan Assets
In 2017 alone, nearly two million records had reportedly been compromised prior to the Equifax breach, and following it nearly 44% of Americans had their information compromised. The staggering number of Americans affected by breaches has heightened many employers’ concerns about the security of the assets in their benefit plans and raised questions about what would satisfy their fiduciary duty to protect those assets. Plan fiduciaries understand they must act reasonably and prudently to protect plan participants and beneficiaries from such attacks. However, there has been uncertainty as to whether or not plan fiduciaries would be personally liable to restore any losses to a plan caused by a cyberattack – and a recently published report by the Employee Retirement Income Security Act (ERISA) Council, in which the federal Council refused to clarify that point, has added to the ambiguity. One high-profile example that has many employers on edge is the breach of the deferred compensation accounts of municipal employees of Chicago. The hacker accessed secured personal information and used it to withdraw loans from the retirement accounts – totaling more than $2.5 million. The plan sponsor, the City of Chicago, returned the funds to the breached accounts and offered two years of credit monitoring to affected employees. Enterprise incidents like the one suffered by the City of Chicago, and a lack of clarity on the possible implications of such an attack, have employers understandably nervous.
What Employers Can Do to Mitigate Risk & Fall-Out
The same 2016 ERISA Report mentioned above included some federal recommendations to reduce a plan sponsor’s liability. It suggested employers consider implementing some of the same frameworks for protecting data that financial institutions have found effective in reducing risk. In addition, the FBI has proposed that sponsors establish a culture of information security within their companies, as well as among plan participants and beneficiaries. However, the ERISA Council has not released details on which steps an organization could implement to fully satisfy its fiduciary responsibility and, as such, eliminate its liability from a cyberattack. For this reason, employers sponsoring benefit plans can best mitigate the potential repercussions of falling victim to a cyberattack by broadly adopting the FBI’s advice and taking steps to make cybersecurity awareness a cornerstone of their culture – for current and retired employees. One way to do this is by offering identity protection either as a voluntary or complimentary benefit.
To learn more about how your company can address these concerns and strengthen your cybersecurity by offering identity protection as an employee benefit, from a provider consumers have trusted for over 30 years, request a demo.