Employers need to prepare W-2 security plans

The FBI and the Cybersecurity & Infrastructure Security Agency recently issued an alert to critical infrastructure companies warning them of a new ransomware attacker. The agencies’ advice was to:

  1. Secure remote access tools.
  2. Restrict Remote Desktop Protocol and other remote desktop services.
  3. Secure PowerShell and/or restrict usage.
  4. Update software to the latest version and apply patching updates regularly.

Even if you’re not operating in the critical infrastructure sphere, it’s good advice.

And since we’re rapidly approaching W-2 time, it’s also a good idea to assess your cybersecurity measures and to reinforce your W-2 security protocols to your staff, HR, employees and the C-suite.

For your staff and the C-suite

Payroll pros scored a huge success when they quickly shut down the W-2 phishing scam where a phisher poses as an occupant of the C-suite and asks for employees’ W-2 information to be emailed to them.

But old scams don’t die, they just slumber. Two employees who worked in North Carolina sued their employer under state law for negligence, breach of implied contract, and violation of the state’s Unfair and Deceptive Trade Practices Act related to the theft of their personal identifying information after the company’s W-2s were phished. A federal trial court granted the employer’s motion for summary judgment on most of the claims.

Payroll Handbook D

While this employer dodged liability, other employers haven’t been as lucky. The difference: Different state laws afford plaintiffs multiple opportunities to sue and win.

The case is Savidge v. Pharm-Save, Inc.

Fortunately, the fix is easy.

  • Retrain your staff to contact the C-suite before they honor such a request, to ensure it’s authentic.
  • If it’s a legitimate request, politely remind the C-suite to expect this information to be faxed to their computer. If the C-suite objects, an assistant can pick up a hard copy from the payroll department.

For HR and employees

After the W-2 scam tanked, phishers turned to employee self-service portals. ESS portals are common now, and the trove of information that resides there is catnip to scammers. The scam works because employees receive an email, purportedly from HR, telling them there’s a problem with their ESS portal.

These fixes aren’t so difficult, either.

  • Inform employees that any communication from HR or Payroll regarding their ESS portal will be authenticated by the sender.
  • Inconvenience aside, now is a good time to introduce multi-factor authentication and require all employees to change their ESS portal passwords.

For your third-party providers

The SEC now requires public companies to identify their cybersecurity measures. Some of what the SEC requires works just as well for interactions with your third-party providers, like payroll providers and 401(k) third-party administrators.

These are the questions you should ask of any third party who can access employees’ PII:

  • How are your cybersecurity processes integrated into your overall risk management system or processes?
  • To what extent do you engage assessors, consultants, auditors or other third parties in connection with your cybersecurity processes?
  • Who oversees and identifies risks from cybersecurity threats associated with your third-party providers?
  • What risks from cybersecurity threats, including any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect your business strategy, results of operations or financial condition?

If you want the whole shebang from the SEC, point your browser here.