Hackers are Seeking Easy Targets: Protect Your Business from Phishing and COVID-19 Threats

by JON POWELL, CISA, CPA/CITP, CHRIS ARNONE, CPA AND JOURNET GREENE, CISA 

That moment you thought would never come has just arrived. Your company's systems have been compromised, and hackers have stolen a significant amount of money. As you race to secure your systems and try to recover the stolen funds, you become distracted from your core business strategy of serving customers. How did this happen? Could it have been avoided? Where do you go from here?

This scenario is becoming all too real for companies as they face an increased risk of financial losses from cybersecurity attacks. According to IBM's 2019 U.S. Cost of Data Breach Report, the average cost of a breach is $3.92 million, with 67 percent of the costs occurring the same year, 22 percent in year two and 11 percent in year three. Additionally, on average, it impacts 25,575 records and is only discovered a staggering 279 days after the breach has occurred. So, what should companies be doing now to sleep better at night? Explore the top strategies for protecting your business from cybersecurity threats.

EMPLOYEES ARE THE WEAKEST LINK

While employees are the lifeline of your company, when it comes to cybersecurity, unfortunately, they are your greatest security risk. The most common exploit used against employees continues to be phishing. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies, customers, vendors or company employees (e.g., IT administrators, finance and treasury managers, or other executives) to convince your employees to reveal sensitive information, such as passwords, company banking or credit card information, or even to execute a business transaction with the phisher. Phishing attacks have become more sophisticated: attackers will obtain your password through a bogus email and take no immediate action. You remain unalarmed, as the attacker lies unnoticed, reading your emails and learning your interaction and communication styles. The attacker can then:

  • Send out invoices to your customers with updated payment instructions.
  • Send out requests to management to initiate urgent wire transfers.
  • Request payroll or ask human resources to update an employee's direct deposit information.
  • Exfiltrate proprietary company, customer and other information by leveraging access to historical emails and linked access to other Office 365 applications (e.g., Microsoft SharePoint, Teams).

You may remain oblivious to the above scenario since the attacker puts email rules in place to redirect all incoming emails to a hidden folder in your mailbox or another email address. With these rules in place, you will never see the replies on the bogus requests.

To combat these phishing schemes, we recommend the following best practices:

  • Implement two-factor authentication for email accounts.
  • Provide and require employees to complete cybersecurity training annually.
  • Perform test phishing exercises to identify which employees are most vulnerable to these attacks. Companies can publish these results to their employees to provide increased accountability.
  • Provide employees a way to report suspicious emails.
  • Implement an email cloud service that sits in front of your email server and can filter for spam and phishing. These services are reasonably priced and can also provide email link validation to reduce the impact of employees clicking on "bad" links.
  • Request that employees review their inbox rules for any unknown items monthly.
  • Ensure that anti-virus and anti-malware solutions are deployed on each employee's computer.
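The inbox-rule abuse described earlier (an attacker silently redirecting or hiding incoming mail) and the monthly rule review recommended above can be partly automated. The script below is an added example, not code from the article or from Moore Colson: it scores a list of mailbox rules against the traits that typically accompany a compromised account, such as redirecting mail to an external address, filing it into a folder the owner rarely opens, deleting it outright, or keying on payment vocabulary. The rule records and their field names are constructed for illustration and do not follow any particular mail platform's export format; a real deployment would map the platform's rule export onto `InboxRule`.

```python
"""
Flag mailbox inbox rules with characteristics commonly associated with
business email compromise: forwarding/redirecting to external addresses,
moving mail into rarely-viewed folders, deleting mail, or matching
payment-related keywords. All rule records below are constructed sample
data; the field names are assumptions, not a vendor's schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Folders a user rarely files mail into by hand; rules that move mail here
# are a common way of hiding replies from the mailbox owner.
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                      "archive", "junk email", "deleted items"}

# Subject/body keywords that fraudulent rules often key on to intercept
# payment traffic before the real owner sees it.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "ach", "bank", "remittance",
                    "direct deposit", "password"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    move_to_folder: str = ""
    delete_message: bool = False
    mark_as_read: bool = False
    keywords: List[str] = field(default_factory=list)
    enabled: bool = True


def is_external(address: str) -> bool:
    """True when the address is outside the company domain (case-insensitive)."""
    return address.lower().rsplit("@", 1)[-1] != COMPANY_DOMAIN


def analyze_rule(rule: InboxRule) -> List[str]:
    """Return the findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not rule.enabled:
        return findings
    for addr in rule.forward_to + rule.redirect_to:
        if is_external(addr):
            findings.append(f"forwards/redirects to external address {addr}")
    if rule.move_to_folder.strip().lower() in SUSPICIOUS_FOLDERS:
        findings.append(f"moves mail to rarely-viewed folder '{rule.move_to_folder}'")
    if rule.delete_message:
        findings.append("deletes matching mail")
    if rule.mark_as_read and (rule.move_to_folder or rule.delete_message):
        findings.append("marks mail read before hiding it")
    hits = {k for k in rule.keywords if k.lower() in FINANCE_KEYWORDS}
    if hits:
        findings.append("matches finance keywords: " + ", ".join(sorted(hits)))
    # A name with no letters or digits makes a rule easy to overlook in the list.
    if not any(ch.isalnum() for ch in rule.name):
        findings.append("rule name is blank or punctuation only")
    return findings


def review_mailbox_rules(rules: List[InboxRule]) -> Dict[Tuple[str, str], List[str]]:
    """Map (mailbox, rule name) -> findings for every rule that needs a human look."""
    report: Dict[Tuple[str, str], List[str]] = {}
    for rule in rules:
        findings = analyze_rule(rule)
        if findings:
            report[(rule.mailbox, rule.name)] = findings
    return report


# Constructed sample rules: one benign, two suspicious, one disabled.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Team updates", move_to_folder="Projects"),
    InboxRule("cfo@example.com", ".", redirect_to=["mailer@attacker.example"],
              delete_message=True, keywords=["invoice", "wire"]),
    InboxRule("ap@example.com", "Vendor filter", move_to_folder="RSS Feeds",
              mark_as_read=True, keywords=["payment"]),
    InboxRule("ap@example.com", "Old rule", forward_to=["x@attacker.example"],
              enabled=False),
]

if __name__ == "__main__":
    for (mailbox, name), findings in review_mailbox_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule '{name}':")
        for finding in findings:
            print("   -", finding)
```

Running the block on the sample data reports only the two suspicious rules; the benign "Team updates" rule and the disabled rule produce no findings. Each finding is a reason a reviewer should confirm the rule with the mailbox owner, not a verdict on its own, since legitimate rules occasionally forward to an external partner or file invoices into an archive folder.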

We would suggest companies ensure they have the following internal controls in place and reinforce them frequently to prevent a fraudulent wire transfer from being perpetrated:

  • Up-to-date policies on wire processes that all finance and accounting employees review and sign.
    • Consider requiring verbal confirmation of the wire recipient's details.
    • Implementation of two-factor authentication with your banks via software or hardware solutions.
  • A policy that all wires require a separate initiator and approver.
    • Consider a third segregation of duty for a preparer that pulls together the wire details, including confirmation of wiring instructions.

SECURE THE PERIMETER

The best way to protect your company is to "secure the perimeter," making it difficult for attackers to infiltrate your environment. This is your first line of defense and one of the most important. To identify potential weaknesses in your IT infrastructure, companies should have external penetration testing performed on an annual basis. Once completed, ensure that any identified findings from the test are addressed by IT and executive management in a timely manner.

Next, it's time to perform an internal vulnerability analysis of your network's configuration to identify devices (e.g., switches, routers, firewalls, servers, laptops) subject to exploitation. Like the external penetration test, we recommend that this internal analysis is performed on at least an annual basis and that findings are addressed by management in a timely manner.

Finally, with the increased use of multiple cloud solutions and other incoming connections to the company's network, such as employees working from home, it is essential to require two-factor authentication on all cloud solutions and incoming connections to the company's network.

PRACTICE GOOD HYGIENE

Similar to the advice we are receiving related to health practices with the COVID-19 pandemic, practicing good hygiene in IT terms is crucial to keeping hackers out of your network. One of the simplest, yet most effective practices, is requiring employees to utilize lengthy, complex passwords. Encouraging the use of phrases or sentences as part of a password to maximize password strength is strongly recommended.

Not all hackers take what they need and leave. Many hackers may continue to access your account to monitor your data or steal additional information over time. Just like you are encouraged to wash your hands frequently in the current health climate, it is essential to change your password regularly. Increasing the frequency of updating passwords will reduce the risk of a hacker continually monitoring and accessing your account, keeping your IT systems safe and healthy.

HAVE A BACKUP PLAN

Having a robust off-site backup solution in place is critical to provide the ability to restore your data and IT operations in the event of an incident (e.g., ransomware attack, disk failure, data breach). Replication is needed for high availability in case the primary data center/server room becomes unavailable for use.

Consider a review of your current backup and replication configuration - and yes - you should have both!

  • Replication configuration should include notification of any failures to replicate data.
  • Backup and replication configurations should be defined separately for each core application.
  • Backups should be stored separately from both the source data and the replicated data.
  • Backups should be tested quarterly via restore procedures.
  • Disaster Recovery testing should be considered on an annual basis to ensure systems can be brought back "from scratch" in the event of an incident.

COMBATING COVID-19 IT THREATS

EMPLOYEE TERMINATIONS

As the COVID-19 pandemic continues, businesses consider different strategies on how to mitigate financial impacts to ensure overall financial health. In doing so, many companies are implementing furloughs, reductions-in-force (RIFs) and layoffs. If that difficult decision is made, businesses should consider these vital security steps as part of their termination process to protect their organizational, financial and customer data.

  • Disable the employee's access to all relevant systems, including cloud systems (e.g., Salesforce, QuickBooks Online, Office 365).
  • Ensure the employee returns any company-owned property (e.g., laptops, tablets, manuals, two-factor "fobs").
  • Change the employee's voicemail and email passwords.
    • Set an automatic email reply on their email account that lets incoming emailers know they are no longer with the company.
    • Require staff who worked closely with this employee to change any shared passwords.
  • Contact customers and vendors who worked with the employee, alerting them of the employee's change in status and providing a new company contact.

WEB CONFERENCING AND MEETINGS

Virtual meeting security has likely not been top of mind before the flood of companies now being forced to leverage this platform for daily team communication. While the necessity of virtual meetings is paramount in this current environment, there are related security risks with the use of web conferencing technologies that should be understood and managed.

Whether conducted in-person or via web conferencing, meetings often include the discussion of sensitive and confidential information. The risk of that information being compromised could result in the loss of proprietary company information, customer data, or even a revenue loss.

Consider the following to help stay secure while using web conferencing technologies:

  1. When creating a new web conference meeting, select an option to require a password. This will prevent those without the password from joining the meeting. Note: Remember to provide the password to meeting attendees in a separate email, phone call or text message.
  2. If hosting the web conference, continue to monitor those who have joined. Most solutions allow the meeting host to replace phone numbers with the caller's name. Consider also using a notification chime to inform of new attendees.
  3. While in a web conference, do not click on any links that may appear in the chat window. If one of the presenters or attendees wants you to follow a link, this is a red flag, especially if you do not recognize them.

WEATHERING THE STORM

It is a difficult time for businesses. When a crisis hits, it can be overwhelming to prioritize all that needs to be done. However, if you are uncertain of your IT systems' strength and security, this belongs on your priority list as hackers will, unfortunately, capitalize on vulnerable times. If you need help, IT/Cybersecurity risk assessments and vulnerability and penetration testing can be done remotely by cybersecurity experts. This allows you to continue your business operations, ensuring you are protected during this challenging time and prepared for the next disruption.


JON POWELL, CISA, CPA/CITP, is a partner in Moore Colson's Risk Advisory & Compliance Services Practice. In addition to assisting with cybersecurity initiatives, Jon leads Sarbanes Oxley initiatives, internal audit co-sourcing partnerships, SOC audits and other compliance engagements. Contact: jpowell@moorecolson.com or 678-631-3027.

CHRIS ARNONE, CPA, is a partner and business assurance practice leader at Moore Colson. Chris has over 20 years of experience providing audit, accounting and consulting services for companies in the transportation, manufacturing, distribution, staffing, private equity and venture capital industries. Contact: carnone@moorecolson.com or 678-385-6033.

JOURNET GREENE, CISA, is a director in Moore Colson's Risk Advisory and Compliance Services Practice. She leads Sarbanes-Oxley initiatives, internal audits, SOC audits and other compliance engagements for the firm's many large IT and consulting engagements. Contact: jgreene@moorecolson.com or 770-674-8704.