The U.S. Department of Labor (DOL) recently updated its cybersecurity guidance to cover all Employee Retirement Income Security Act (ERISA) employee benefit plans. https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity/compliance-assistance-release-2024-01
One concern is disgruntled employees. Disgruntled employees pose a significant cybersecurity risk as they may misuse their access to company systems. According to the Verizon 2022 Data Breach Investigations Report, internal threats account for 20 percent of security threats.
Common motivations of internal threat actors (a category that includes both current and former employees) are revenge, financial gain, or dissatisfaction with the organization. https://www.plansponsor.com/insider-threats-are-disgruntled-employees-a-cybersecurity-risk/ (Oct. 01, 2024).
Commentary
The DOL's concern is that a disgruntled employee would abuse legitimate access to extract personally identifiable information about ERISA plan participants.
The exposure is not limited to plan data: the same employees may be able to reach other employee records, including health, payroll, and financial records.
Quoting from the above cited source:
… certain employees, such as those in human resources, information technology or treasury, may have access to plan information or other personally identifiable information.
Executives, managers, and anyone else with access to employee records also pose a potential risk.
Steps organizations can take to counter internal threats include regular access audits and monitoring tools that flag suspicious activity early, while it can still be contained.
Additional steps to consider include:
- Limit access: grant each role only the records it needs (least privilege)
- Control access: require authentication and approval for access to plan and employee records, and review entitlements periodically
- Monitor employee behavior: watch for bulk record access, after-hours activity, and use of accounts that should no longer be active
- Cut off credentials at or before a termination or layoff, not afterwards, so the account cannot be used once the person has a motive
- Foster a positive work environment
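The following script is an added example, not part of the DOL guidance or the cited article, showing how the audit and monitoring steps above can be applied to a record-access log. It runs three checks over a constructed log of participant-record reads: access by an account whose termination date has passed (credentials that should have been cut off), access by an account not on the roster at all (a least-privilege failure), after-hours access, and bulk reads of many distinct participant records by one account within a short window. The log format, the roster, the business-hours range and the bulk threshold are all assumptions for illustration.

```python
"""Added example (not from the DOL guidance or the cited article): an insider-threat
review over a constructed plan-record access log.  Log format, roster, thresholds
and business hours are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster (assumed format): account -> (role, termination date or None).
ROSTER = {
    "hr.alice": ("human resources", None),
    "it.bob": ("information technology", datetime(2024, 10, 1)),  # terminated, not yet cut off
    "tr.carol": ("treasury", None),
}

# Constructed access-log lines (assumed format): ISO timestamp, account, action, target.
SAMPLE_LOG = """\
2024-10-02T09:05:00 hr.alice read participant=P1001
2024-10-02T09:06:00 hr.alice read participant=P1002
2024-10-03T14:10:00 it.bob read participant=P2001
2024-10-03T22:30:00 tr.carol read participant=P3001
2024-10-04T10:00:00 hr.alice read participant=P1003
2024-10-04T10:01:00 hr.alice read participant=P1004
2024-10-04T10:02:00 hr.alice read participant=P1005
2024-10-04T10:03:00 hr.alice read participant=P1006
2024-10-04T10:04:00 hr.alice read participant=P1007
2024-10-04T10:05:00 hr.alice read participant=P1008
2024-10-04T11:00:00 ex.dave read participant=P4001
"""

BULK_THRESHOLD = 5                 # distinct participant records per window (assumed)
BULK_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (8, 18)           # 08:00 to 18:00 local time (assumed)


def parse_log(text):
    """Parse log lines into event dicts, sorted by timestamp; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "participant": target.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def review(events, roster=ROSTER):
    """Return a list of findings; each finding names the rule, the account and the time."""
    findings = []
    recent = defaultdict(list)  # account -> (timestamp, participant) pairs inside BULK_WINDOW
    bulk_flagged = set()        # flag bulk access once per account, not once per event
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        entry = roster.get(user)
        if entry is None:
            # Account absent from the roster: nobody approved this access path.
            findings.append({"rule": "unknown-account", "user": user, "at": ts})
        elif entry[1] is not None and ts >= entry[1]:
            # Credential used on or after the termination date: cut-off was missed.
            findings.append({"rule": "terminated-access", "user": user, "at": ts})
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append({"rule": "after-hours", "user": user, "at": ts})
        # Sliding window of distinct participant records read by this account.
        recent[user].append((ts, ev["participant"]))
        recent[user] = [(t, p) for t, p in recent[user] if ts - t <= BULK_WINDOW]
        distinct = {p for _, p in recent[user]}
        if len(distinct) >= BULK_THRESHOLD and user not in bulk_flagged:
            bulk_flagged.add(user)
            findings.append({"rule": "bulk-access", "user": user, "at": ts,
                             "count": len(distinct)})
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f['at'].isoformat()}  {f['rule']:18}  {f['user']}"
              + (f"  ({f['count']} records)" if "count" in f else ""))
```

On the constructed log this reports four findings: it.bob reading a record two days after termination, tr.carol reading at 22:30, hr.alice reading five distinct participant records within ten minutes, and ex.dave, who is not on the roster at all. The bulk check is deliberately flagged once per account so a single export does not generate a finding per row; in a production tool the roster would come from the HR system of record and the thresholds would be tuned to each role's normal workload.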