Small businesses are struggling with remote work, as exemplified by their rising vulnerability to cyberattacks.
In a survey by the Cyber Readiness Institute (CRI), half of the 412 small businesses interviewed shared concerns that remote work will lead to more cyberattacks. For companies with fewer than 20 employees, only 22% had offered additional cybersecurity training prior to commencing remote work operations. Just 33% provided “any cybersecurity training.”
The Securities and Exchange Commission (SEC) states that organizations are expected to know where sensitive data reside and to restrict access to systems and data to authorized users only. The SEC also lists employee training and awareness as key components of sound cybersecurity practice. At the same time, the Employee Retirement Income Security Act (ERISA) requires any fiduciary serving a retirement plan to treat plan assets with care and diligence, and attorneys increasingly agree that plan data can be considered a plan asset under ERISA.
Steve Pfundstein, chief technology officer and director of information technology (IT) at Summit Financial, says high monitoring costs and a lack of IT expertise are typically to blame for a lack of cybersecurity among smaller businesses.
“These employers are going to have much smaller and tighter budgets generally,” he says. “They’re often going to lack the expertise in house and aren’t likely to have people specifically focused on cybersecurity.”
Whereas large companies dedicate specific lines of their annual budget to cybersecurity, smaller companies may barely be able to afford basic security controls. The unexpected economic downturn caused by COVID-19, along with the overnight shift to remote work, made businesses with few resources even more vulnerable. According to the CRI survey, 59% of small business employers have allowed employees to use personal devices when working from home.
Pfundstein notes that many small employers had to allow the use of personal devices for remote work because employees left their office desktop computers behind during the rapid shift.
“A lot of companies didn’t have remote workers, so when they suddenly had to go remote, they were scrambling to find a solution,” Pfundstein says. “They just thought it would be a few weeks, but it’s turned into months.”
Even before the pandemic, a combination of factors made small businesses more susceptible to cyberattacks. A 2018 Ponemon Institute study found 67% of small and medium-sized businesses had experienced a cyberattack, while 58% had been victims of data breaches.
Brad Hering, client executive in the executive liability division at Marsh & McLennan Agency LLC, a firm specializing in risk prevention and insurance needs, notes that while all companies with a digital presence are vulnerable to cyberattacks, the limited resources of smaller businesses make them an easier target.
“They are considered low-hanging fruit by cybercriminals,” he explains. “Any organization that has a digital presence or stores some volume of data is potentially exposed. Those with fewer resources or ability to protect themselves may be targeted even more.”
While implementing cybersecurity practices may be expensive, the cost of handling a cyberattack can put a company out of business. A Hiscox Cyber Readiness Report released last year found that a hacking incident costs businesses of all sizes an average of $200,000. With almost half of all online attacks aimed at small businesses, according to data compiled by SCORE, a small business coaching and mentorship partner, experts say applying cybersecurity measures not only saves money but also offers some peace of mind.
“You don’t have to blow your whole budget on cybersecurity—you have to be able to balance the risk,” says Reiko Feaver, partner and attorney at Culhane Meadows. “But it’s key to get expert advice.”
As plan sponsors search for new advisers, recordkeepers and service providers, more are including cybersecurity questions in the request for proposal (RFP) process. For advisers interested in adding cybersecurity to their RFP process, the SPARK Institute published in 2019 a list of best practices it recommends when discussing cybersecurity capabilities with plan sponsors and consultants. The American Institute of Certified Public Accountants' Employee Benefit Plan Audit Quality Center also released guidance in 2019 on protecting employee benefit plan records.
Advisers can also assess the procedures of every vendor serving a plan, paying attention to how much each is investing in its cybersecurity technology, says William Byron, southeast regional managing director with advisory practice NFP. The industry is seeing increasing use of voice print technology, he says, in which an individual's voice is treated like a fingerprint to unlock devices or accounts.
Pfundstein notes that remote work may amplify cyberattack anxieties among small business employers, especially when employees are using personal computers and phones. Enabling multifactor authentication, encrypting sensitive company data, encouraging strong passwords and running phishing tests all strengthen security, and all of it can be done from home.
“Enabling multifactor on any system, talking to the vendors and seeing what their options are can help minimize cyberattacks,” he says.