Bill Renninger, Chief Product Officer
No longer the sole responsibility of the IT Department, cyber security is now part of the lexicon of every company in every industry. The most advanced systems and processes can be thwarted by an employee clicking on what they thought was a harmless meeting invitation. For TPAs, an industry that up until a few years ago was still largely using spreadsheets to manage their core business, the idea of having state of the art cyber security might seem like overkill - but it's actually the price of admission.
With that said, I don’t believe that TPAs should panic or become frozen by the complexity of the task ahead. At PensionPro, our cyber resiliency goes beyond security and is ingrained into our business ethos. The business world is different now and we must prepare accordingly.
We believe that there are three elements to becoming cyber resilient; culture, education, and technology. Culture depends on how serious your owners, leaders, and managers take the subject. It is important for everyone to demonstrate through both words and actions that they not only comply with the standards but that they believe in them as well. Management must be willing to devote time and resources to security initiatives. It isn’t a once-and-done deal, but an ever-changing environment.
Education of all staff helps reduce fear and build great habits. We regularly hold meetings, briefings, and planned activities to help us share knowledge and solve problems, test each employee’s understanding, and evaluate the processes that we have in place. In fact, through discussion in our security meetings, our IT staff discovered that some departments were using email delivery of faxes or documents through DocuSign never realizing that the email component left them vulnerable. The convenience of an email attachment is not worth the risk, so our policies and procedures were updated to require users to log in to any third-party vendor site and download the files. Security professionals need to understand and educate staff on their day to day activities.
With regards to technology, there are many tools available such as LastPass for password and user management, Alert Logic for intrusion detection and even transparent data encryption within the Microsoft suite that can help you. If you don't have a tech savvy in-house resource for IT, outsource it to one of the many good tech companies who specialize in both general and niche elements of cyber security. However, before you invest in high priced technology and consultants make sure that you are doing the basics well first. Education and communication are key.
Finally, in addition to prevention, it is essential to put a plan in place for a response if a breach happens. From technical responses to communications plans and responsibilities, a simple plan can alleviate many fears of the unknown. If a breach does occur, your clients will likely judge you - not on the fact that you had a breach but how you responded to it. How quickly did you identify and remedy the situation? What was your communication like? Did it convey calmness and preparedness?
Don’t wait, start working on your plan right now.