The COVID-19 pandemic has certainly turned everyone’s lives upside down. The virus has reached virtually everyone across the globe and is still spreading. Right before this virus took over the news, another type of “virus” was causing major disasters worldwide: computer viruses leading to a record number of cybersecurity breaches and ransomware attacks.
For companies to survive the COVID-19 pandemic, many businesses needed to implement changes very quickly. One critical change meant providing a functional, remote work environment for employees. Although the creation of a remote work environment was meant to facilitate business, many remote work environments were left lacking in robust computer security protocols since businesses were left operating in reactionary mode.
Unfortunately, hackers realized this and saw new opportunities to exploit remote workers by deploying fictitious emails and websites mimicking sites providing information on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). According to the FBI’s 2019 Internet Crime Report, Business Email Compromise (BEC) is the costliest crime for businesses, with approximate losses of $1.77 billion in 2019 alone. A common email hacking tactic that has recently been on the FBI’s radar is hackers pretending to be known contacts, particularly targeting financial institutions. Hackers would email employees, pretending to be the CEO of the company or an overseas client with very believable email addresses, in order to initiate a fraudulent money transfer.
Threat actors are also taking advantage of platforms that are booming as a result of remote work and education, such as Zoom or Google Chat. According to the New York State Office of Information Technology Services, they would utilize these programs to obtain sensitive information, eavesdrop on meetings, and conduct other malicious activities.
It is an unfortunate reality that with so many employees working from home, hackers are betting on weak security controls and phishing schemes to get them the access they need so they can do the damage they want. It’s like rubbing salt in a wound.
Although many employees moved their office to their home, they couldn’t take their office’s security protocols with them. Home routers may not have the latest upgrades or firmware installed when compared with the equipment at an employee’s business. One of the biggest concerns with working remotely is that employees may be using their own devices to access the company’s network and applications. These devices may not have the latest anti-virus and anti-malware protection installed. Further, employees may be accessing the office network through an unsecured home Wi-Fi network, and/or may not have adequate firewall protection. Bitdefender, a popular antivirus vendor, recently announced that attackers seem to be using brute-force methods to guess the username and password of home and small business routers, which lets them change the router’s settings and steer the user to websites where information can be stolen. This presents a big risk to the employer. Additionally, employees working remotely have become ideal targets for hackers, since some employees are not adept at working remotely, giving hackers more opportunities to compromise a network and obtain access to personal data, financial data, and other sensitive data.
Below are some steps you can take to ensure your remote employees are working securely:
- Keep training your employees:
  - Yes, you have heard this numerous times, but phishing attacks are one of the biggest threats. Many organizations, including the SANS Institute, are releasing free materials that can be used to increase awareness.
  - We are all getting bombarded with emails related to COVID-19 claiming to have useful information, with a link to “click to learn more” or “download the document” or “please refer to our guidance attached”. Remind employees: DON’T CLICK, even if it looks like it comes from your own company.
  - Remind your employees to remain skeptical; if there is any doubt about the veracity of an email, verify its source by using the option in your email application to view the detailed sender information, by starting a new email thread to your known company contact rather than replying, or by making a phone call to confirm the authenticity of the email.
  - Be on the lookout for red flags such as unexplained urgency or last-minute changes, for example to wire instructions or methods of communication.
  - Go to legitimate websites, making sure the secure lock is visible, and even then, be cautious: the lock only means the connection is encrypted, not that the site is genuine. Really look at the name of the site to make sure it is spelled accurately. Be suspicious.
- Take extra precaution on teleconferencing platforms:
  - If the platform is downloadable, make sure you have the most up-to-date version.
  - Do not click on meeting invitations from unknown senders. If the sender is known, double-check that the email address is correct. Carefully inspect both the email address and any links provided for misspellings.
  - Keep meetings private. Require a strong password and change it for every meeting. Do not share meeting details publicly, such as on public websites or in social media forums. Lock the meeting as soon as all the attendees have joined.
  - Do not allow attendees to join the meeting before the host. The host should join first and individually verify people before they enter the meeting.
  - Do not sign in to teleconferencing platforms through other applications (e.g. Facebook); this limits the amount of personal data the platform has access to.
- Update your computer access use policies:
  - Many acceptable use policies are written for users on company-owned devices on company-owned networks. Now, your employees are using their own devices on their own networks. Ensure that your policy describes the rules for using a personal device. Specifically, the policy should prohibit:
    - The storage or download of business information on personal devices;
    - Using unsecured internet connections (like public Wi-Fi); and
    - Discarding sensitive company information improperly.
- Assess remote access security protocols:
  - Ensure remote users are working in a secure environment and confirm they are using effective and up-to-date anti-virus and email-filtering software.
  - Make sure employees have secured their Wi-Fi access point and have changed its default settings and passwords. Personal Wi-Fi networks should use WPA2 encryption, which makes it much harder for an attacker to read the traffic.
  - Make sure employees install updates and patches in a timely manner, including on mobile devices. Determine if your company can provide up-to-date anti-virus software for employee personal devices.
  - Implement multi-factor authentication on critical and sensitive applications.
  - Use endpoint protection on all company laptops and mobile devices, including an encrypted VPN.
- Be prepared:
  - Test your backup and recovery processes to make sure they work, and inform the necessary management if they do not. It is better to verify that the processes work ahead of time.
  - Make sure your security breach response plan is up to date and covers employees working remotely.
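The link and sender checks in the phishing and teleconferencing bullets above can be partly automated. The following Python is an added example, not code from the article or from Cerini & Associates; it assumes a constructed allowlist of the legitimate sources the article names (who.int, cdc.gov) and a small constructed table of character swaps, and it flags links or sender domains that are exact, sub-domain or near-miss imitations so a person verifies them through another channel.

```python
from urllib.parse import urlparse

# Constructed allowlist: the legitimate COVID-19 sources the article names.
LEGITIMATE_DOMAINS = {"who.int", "cdc.gov"}
# A few character swaps common in lookalike names (constructed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def host_of(url: str) -> str:
    """Lower-cased host of a link; a scheme is prepended if the link has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".").lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(label: str) -> str:
    """Undo common confusable substitutions and drop hyphens before comparing."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label.replace("-", "")

def classify_link(url: str) -> str:
    """'legitimate', 'lookalike' (verify by another channel) or 'unknown' for a link's host.
    Assumes two-label registrable domains (who.int, cdc.gov); real code would use the PSL."""
    labels = host_of(url).split(".")
    if len(labels) < 2:
        return "unknown"
    registrable = ".".join(labels[-2:])
    if registrable in LEGITIMATE_DOMAINS:
        return "legitimate"
    # Brand used as a sub-domain or prefix, e.g. cdc.gov.covid-alerts.example
    if any(good in ".".join(labels) for good in LEGITIMATE_DOMAINS):
        return "lookalike"
    name = normalise(labels[-2])
    for good in LEGITIMATE_DOMAINS:
        brand = good.split(".")[0]
        if name.startswith(brand) or edit_distance(name, brand) <= 1:
            return "lookalike"
    return "unknown"

def classify_sender(address: str) -> str:
    # Same check applied to the domain part of an e-mail address.
    return classify_link(address.rsplit("@", 1)[-1])
```

"lookalike" is intentionally broad: a near-miss of a trusted name is a reason to verify, not proof of fraud.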
Useful references:
- The National Cyber Security Alliance created a website that has free and updated information on current scams, cyber threats, remote working, disaster relief, and much more.
- The SANS Institute offers many online training courses, including a free cybersecurity community resources and programs page.
- The Cybersecurity and Infrastructure Security Agency (CISA) has an information and awareness sharing webpage.
These are unprecedented times and being proactive is paramount. Stay safe, sane, and healthy.
Shari Diamond, CIA
Partner
Shari has been with Cerini & Associates, LLP since 2008 where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PWC and Northrop Grumman included performing Information Technology audits.