As the threat of ransomware reaches new heights, plan and trust administrators should be aware of risk mitigation strategies that can help protect their organizations, plans and participants.
Ransomware, which involves a cybercriminal locking computer content and then asking the user for payment in exchange for a decryption key, has surpassed phishing schemes, business email compromise, insider threats and fraudulent transfers as “the front line of the elusive adversaries threatening everything and everyone,” wrote Catherine Bertheau in “The Ransomware Deluge: How to Navigate the Perfect Storm” in the March/April issue of Plans & Trusts.
“Risk professionals have not seen such a dynamic and widespread menace to enterprise and personal well-being in a long time. Perhaps ever,” according to Bertheau, vice president, cyber solutions business development lead, Eastern Canada for Aon Risk Solutions in Montreal, Quebec.
Ransomware Risk Mitigation Strategies for Plan and Trust Administrators
No organization is outside the realm of ransomware. Cybercriminals seek easy targets, and the return on investment can be worth their efforts even when they target small organizations. The following five risk mitigation strategies recommended by Bertheau can help organizations ramp up their cybersecurity.
1. Identify your crown jewels.
Administrators have a fiduciary duty to care for personally identifiable information (PII) and protected health information (PHI). With many plans making use of proprietary or cloud-based platforms and multiple outside providers—including actuaries, auditors and recordkeepers—the attack surface for PII and PHI greatly increases. The first step for an organization would be to map its digital assets and sensitive information (crown jewels) and create contractual language to evaluate/mitigate vendor risk—especially as it relates to breach management and notification.
2. Educate your employees.
Training employees on phishing emails and general cyberawareness is an effective way to encourage participants to actively defend against ransomware attacks. Helping participants learn lessons like hiding information from computer cameras, locking video conferences and changing default passwords can be even more important with work-from-home arrangements.
3. Keep your systems up to date.
Cybercriminals commonly use free tools to scan the internet and locate vulnerable systems. With an increase in remote workforces and the continued adoption of new systems, applications and vendors, it’s all too easy to overlook the release schedule of patches and updates. Attackers focus on vulnerabilities in personal computers, software and operating systems as well as weaknesses that may be found on the infrastructure of service providers.
4. Employ multifactor authentication.
Participants should use unique, lengthy and complex passwords, and plans should make use of multifactor (or two-factor) authentication. Second factors can include a token, SMS code or phone call at the time a user connects. When properly implemented for access and log-in protocols, multifactor authentication is an effective, easy way to further deter attackers.
5. Prepare for the “when” rather than the “if.”
Plan management should have an incident response plan and possibly a third-party response team to reduce the potential negative impact of a ransomware incident on participants and the organization. Incident response plans should consider the administrator’s current contractual, legal and regulatory obligations, especially as it relates to breach notification. Contact information for each member of the response team should be readily available in an offline format. Cyberinsurance should also be considered, given the expenses (cybersecurity vendors, breach notification expenses, ransom, etc.) associated with a successful ransomware attack.
Ransomware Safety Protocols Are More Important Than Ever
Our dependence on technology is only increasing, and the COVID-19 pandemic will likely alter the business world for years to come—making ransomware protocols all the more important.
“Ransomware is and will continue to be a key concern for all types of organizations, irrespective of size and industry, because of the simple fact that it works,” Bertheau writes. “It is a crime in its simplest form: It is easily and highly replicable, it is clean and leverages a currency that is hard to trace, and its payouts are increasing not only in size but also in frequency.”
Robbie Hartman, CEBS
Editor, Publications, for the International Foundation
The latest from Word on Benefits:
- New Mental Health Parity Guidance: More Clarity, But More Compliance Obligations
- Legal & Legislative Reporter: Medical Provider May Not Bring Claim on Behalf of Participants and Beneficiaries
- Five Steps to Nurture Belonging in the Workplace
- Navigating Uncertainty
- DOL Guidance on Mental Health Parity: Proposed Rules for NQTL Comparative Analyses