Articles | August 17, 2023

Key Challenges in Maintaining Strong Cybersecurity Defenses

Cybercriminals want to steal your valuable assets and the confidential data and information you retain. A particularly desirable target is personal information about employees, plan participants and beneficiaries.

Cyberattacks are growing more sophisticated, yet tried-and-true methods of breaching your organization’s defenses still work. That’s why defending your organization against today’s cybersecurity threats is increasingly difficult — you need to foil both old and new methods of stealing your organization’s data and information.

Asian Woman Discussing New Software With Colleague

If your organization is small or midsize, it’s likely you face these five key challenges related to cybersecurity, while going about the business of your business:

  1. Staying on top of more sophisticated cybersecurity threats
  2. Knowing what improvements are critically important to your organization (not just any organization)
  3. Addressing emerging threats and broader security issues
  4. Performing required and recommended governance, risk and compliance activities to reduce risk overall and satisfy regulators, third parties (e.g., insurance carriers) and others
  5. Creating a more predictable cybersecurity strategic plan and associated budget

This article discusses each of these challenges. It also addresses what you can do to meet them.

About the key challenges you face

At the heart of most of these challenges are insufficient staffing and lack of expertise. Uncertainty related to the fast-evolving nature of cyber risk is also a factor.

Challenge 1: Staying on top of more sophisticated cybersecurity threats

Being vigilant about cybersecurity requires understanding the latest risks. For examples, see the box at the end of this article, “Today’s Advanced Cybersecurity Threats.”

That is difficult given how busy your IT team is serving your organization’s tech needs. Small IT teams compound the challenge.

Cybersecurity professionals, who have specialized expertise, are in short supply.

There are multiple methods to try and mitigate this. You can use one or all of them:

  • Train existing staff and get them certified.
  • Rely on a technical partner, like a managed security service provider (MSSP) to offload key technical monitoring and administration.
  • Look to outside cybersecurity risk experts to perform a comprehensive risk assessment and to help you ensure these training and outsourcing efforts are consistent with your overall cybersecurity strategy.

Challenge 2: Knowing what improvements are critically important to your organization (not just any organization)

Because your IT team is already stretched, it’s tough for them to know how best to defend your organization against advanced cybersecurity threats. To ensure your defenses are strong, you need to make the latest software updates and follow best practices on processes and training on how to keep data secure.

Effective cybersecurity also requires a regular review of vulnerabilities. Revisions to address new threats and/or fix gaps in technology and/or administrative practices are ongoing, can be time consuming and are both mentally demanding and labor intensive.

In addition, it’s helpful to be aware of the latest tools and techniques, as well as specialized service providers that can help you with cybersecurity.

Challenge 3: Addressing emerging threats and broader security issues

Agility can help ensure effective cybersecurity. If you don’t respond quickly to cybercriminals’ latest techniques, your organization is vulnerable.

As is the case with the first two challenges, a full plate of daily IT responsibilities is the enemy of agility. Establishing a relationship with an MSSP can help you keep knowledgeable and up to date on the ever-evolving technical aspects of cybersecurity threats (e.g., malware and its derivative, ransomware and evolving phishing tactics). Having an annual risk assessment of your own operations and your third parties’ operations ensures a more comprehensive look (as administrative and physical risks and threats change, too).

Challenge 4: Performing required and recommended governance, risk and compliance activities to reduce overall risk and satisfy regulators, third parties (e.g., insurance carriers) and others

Laws, rules and regulations require certain security activity.

For almost 20 years, sponsors of health plans, healthcare providers and their business associates have performed regular HIPAA security assessments to ensure they comply with HIPAA’s security rule requirement that they protect the confidentiality of electronically protected health information.

More recently, as part of fulfilling their fiduciary responsibility, sponsors of employee benefit plans subject to ERISA are following cybersecurity best practices published by the DOL a couple of years ago. For details about that guidance, see our April 21, 2021 insight, “DOL Guidance on Cybersecurity Covers Best Practices and Tips.” My December 9, 2021 article, “Vendor Cybersecurity Best Practices for Plan Sponsors,” outlines three steps plan sponsors should consider taking to ensure their cybersecurity efforts are aligned with the DOL’s recommendations.

Although following sub-regulatory recommendations for cybersecurity activities is, by definition, optional, it’s strongly encouraged. The National Institutes of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a more widely used framework in North America. It’s much more comprehensive than the DOL’s best practices. For example, NIST CSF covers five core components — with 21 different areas of activity for an organization to know and manage its cybersecurity risk, whether inside the organization or with a third (or fourth) party vendor. From training to techniques to policies and procedures, among other topics, it is both broad and deep. To learn more about our training recommendation, see our January 8, 2021 insight, “Cybersecurity Training for Employees: Know Your Role.”

Keep in mind that insurers offering cyber liability coverage consider the insured’s cybersecurity practices when they price policies (or even evaluate renewing, at all).

Challenge 5: Creating a more predictable cybersecurity strategic plan and associated budget

It’s important to budget for a regular cybersecurity maintenance program. Managing risk is an ongoing process. Good risk management helps you mitigate risks, while allowing your organization to provide the products or services that define its mission. That’s the point: to manage security risks today, tomorrow and in the future so you can fulfill your organizational mission!

The above being true, keep in mind that the cost of a data breach will far surpass good security risk management expenses.

The evolving nature of cybersecurity threats makes budgeting difficult, true, yet expenses can be intentionally planned and rationally executed.

Strategies for meeting the challenges

Seek expertise from third-party IT professionals who can inform you about the latest risks, as well as tactics and protocols to mitigate them. Cybersecurity professionals who are well versed in administration will be able to assist with your governance, risk and compliance activities.

You can stay agile by requesting ad-hoc assistance from cybersecurity experts who are able to step in without advance notice and become a temporary part of your team to address issues as they arise.

Relying on expert cybersecurity advice allows you to stay focused on your organization’s goals and your IT team to continue doing what they do best: serving your organization.

You should perform certain cybersecurity activities annually. Examples include training staff on cybersecurity awareness, conducting phishing tests and reviewing your cyber liability insurance coverage. Consider creating a cybersecurity calendar that schedules other activities to regularly occur over a period of multi-year cycles. Those activities include assessing third-party vendor cybersecurity risk as well as network penetration testing (a simulated cyberattack) and vulnerability testing (looking at internal and/or external vulnerabilities). Considering how much you need to accomplish and the pace of change, three years is a reasonable period.

This approach allows you to prioritize cybersecurity needs and create a predictable budget for allocating resources effectively during a multi-year cycle. It also makes what can seem like an overwhelming task much more manageable.

What to Ask Potential IT Cybersecurity Consultants

Relevant experience and objectivity are important, so before you hire an IT cybersecurity consultant, be sure to get answers to questions like these:

  • Do your experts have experience in all facets of cybersecurity (i.e., software, hardware, procedures, training and testing)?
  • Are they available to provide ad-hoc assistance?
  • Can you develop the “critical” plans for us to follow in the event of a breach, including an incident response plan, a disaster recovery plan and a business continuity plan?
  • How many like organizations in our industry have you advised on cybersecurity?
  • Do you have a business relationship with a software developer, a hardware manufacturer and/or another vendor? (You’re not “selling” for them, are you?)

Don’t have the staff to properly defend your organization from a breach and mitigate its impact?

We can help.

Get in Touch

Today’s Advanced Cybersecurity Threats

phising icon

Social Engineering Attack

Recognizing that people, who are inherently trusting, are the weakest cybersecurity link, cybercriminals impersonate a trusted colleague or contact via email (phishing) or text (smishing) to trick someone on your team into voluntarily giving up confidential, sensitive and/or non-public data or information.

handshake icon

Trusted Organization Attack

Cybercriminals break into the systems of organizations you work with, like vendors and business partners, to attack you by taking advantage of that trusted relationship.


laptop lock icon

Ransomware Attack

Cybercriminals use phishing or smishing to install malware that enables them to control and lock your IT system and demand a ransom to restore your access.

house laptop icon

Endpoint Attacks

Now that many people are working remotely from home, cybercriminals have more opportunities to steal devices that are the endpoints into your IT system: smartphones, laptops and tablets.

Phishing and smishing attacks increased 61 percent between 2021 and 2022, according the SlashNext State of Phishing Report for 2022. The emergence of generative AI has made it easier for cybercriminals to create thousands of phishing and smishing messages.

Be prepared for a data breach

Unfortunately, no activities, tools, techniques or technologies can eliminate cybersecurity risk. That’s why you should have a defined, up-to-date and actionable incident-response plan, one of the “critical three” plans you should regularly review. The other two are your disaster-recovery plan and your business-continuity plan.

The incident-response plan, in particular, should guide you in a step-by-step response because an emergency is not a good time to “figure out” what to do (e.g., Who should you call? In what order? Should you shut systems down, or not? Why?)

Although cybersecurity perfection is not attainable, diligent, ongoing efforts to mitigate cyber risk — both within your organization and your service providers — are worthwhile.

See more insights

ATC IT Summit 2023

What's NExT? Networking and Exploring Technology

The IT Summit addressed the greatest technology and operational challenges facing multiemployer benefit funds today.
Group Of Business Persons Talking In The Office

Segal Launches Cyber Advisor Subscription Service

The Cybersecurity Risk Mitigation Subscription Service developed to increase organizations’ cybersecurity protection.
Young African Woman Using A Laptop In A Server Room

Vendor Cybersecurity Best Practices for Plan Sponsors

Cybersecurity is an increasingly critical issue. Protect your plans and take steps to reduce risks.

This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.