Benefit advisers should brace for hack attacks and phishing scams as larger corporations fortify their IT systems and digital thieves look for the next soft target.
“The crooks are going to start going down market,” says William A. (Tinker) Kelly, president and CEO of Voluntary Employee Benefits Advisors (VEBA).
“The Fortune 500 and Fortune 1000 companies are spending money like crazy to defend themselves. The crooks are getting smarter and going underneath and [plan to] do the same thing” to the smaller firms,” says Kelly.
So far, no major benefit adviser firm has gone public with news of a hack attack, ransomware incident (where a system is disabled until the victim pays a to regain stolen data or control of their hijacked system) or a DDOS or dedicated denial of service attack that cripples all computers inside a firm.
Also see: “
Although there is no news of such an attack, Kelly says this doesn’t mean it has not happened. After the high-profile hacks of Sony Entertainment and Target, Kelly says firms tend to avoid going public with such news.
“The breaches are still going on — you’re just not reading about them. They are not grabbing headlines like they once had been,” says Kelly.
Don’t take a number
Advisers should take steps to avoid collecting and storing Social Security numbers, if possible. “You better know what you’re taking, how you are receiving it and how you are storing and how you are going to protect it,” says Kelly. “If you don’t know how to do it, you’re in trouble.”
In attempts to reduce exposure of this hacker bait, employers and advisers should consider limiting the use of employees’ Social Security numbers as much as possible in favor of issuing a custom ID number to workers and insurance clients. In some cases, the adviser shouldn’t even handle the social security numbers.
“One thing is: Don’t take it and don’t receive it. Have the employer send it directly to the insurance carrier or vendor,” advises Kelly. “But if you receive it, you better know what you are doing.”
Shut your basement windows
Benefit advisers and insurance brokers are ripe targets thanks to their cache of sensitive client information besides Social Security numbers. Employee passwords, e-mail addresses and in some cases employee health records are luring hackers mostly from Eastern Europe, says Kelly. Plus, hackers are smarter about exploiting small openings in IT systems and weak connections to third-party vendors.
“Being a holder of private information, IT systems used by advisers are, by their very nature, a potential target for such attacks,” says Mike de Waal, president and founder of Global IQX, a software provider of web-based sales and service solutions to employee benefit insurers. “It's not a matter of choosing if those systems are targeted, but more a matter of protecting them.”
Hackers are looking for “any kind of private information or any information that could be used to reveal private information,” says de Waal.
Also see: “
Kelly points to the massive Target data breach in 2013. Hackers were able to steal roughly 40 million credit and debit card numbers by targeting a small heating and air-conditioning servicing contractor in Ohio that had contracts to service two Target stores in the state.
Digital thieves “hacked into this small mom-and-pop firm in the middle of nowhere and they got into Target through the vendor payment system and cost hundreds of millions of dollars and the CEO got fired,” he says. The retail giant also had to pay a fine of nearly $40 million to the bank and credit card issuers and settled settled with Visa to the tune of $67 million for the data hack.
Point of vulnerability
De Waal adds that benefit advisers have various “attack vectors” that could be exploited by hackers, but “there are a number of ways or best practices to protect an IT system.”
“Some advisers will follow some best practices and others will implement some specific protective solutions, but many will rely on a third-party security solutions,” he says.
Each IT system has its weakness and a successful hacking is always based on finding such weakness. Data storage solutions like the Cloud might seem more secure assuming that the cloud provider has a dedicated department for security solutions, but that is not necessary a guarantee, says de Waal.
“Not to mention that some companies could choose to hide a security breach for a long time [such as] the most recent security incident at Yahoo,” says de Waal.
The loss of laptops, mobile devices and their security, as well as stealing of information by colleagues or disgruntled employees by copying information by DVD or flash drives is also a point of failure that advisers must address.
“It's important that advisers secure their mobile devices,” says de Waal.
