That moment you thought would never come has just arrived. Your company’s systems have been compromised, and hackers have stolen a significant amount of money. As you race to secure your systems and try to recover the funds that were stolen, you become distracted from your core business strategy of serving customers. How did this happen? Could it have been avoided? Where do you go from here?
This scenario is becoming all too real for companies as they face an increasing risk of financial losses from cybersecurity attacks. According to IBM’s 2019 U.S. Cost of Data Breach Report, the average cost of a breach is $3.92 million, with 67% of the costs occurring the same year, 22% in year two and 11% in year three. Additionally, on average, it impacts 25,575 records and is only discovered a staggering 279 days after the breach has occurred. So what should companies be doing now to sleep better at night? This article will explore the top strategies for protecting your business from cybersecurity threats.
Employees are the Weakest Link
While employees are the lifeline of your company, when it comes to cybersecurity, unfortunately, they are your greatest security risk. The most common exploit used against employees continues to be phishing. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies, customers, vendors or company employees (e.g., IT administrators, finance and treasury managers, or other executives) in order to convince your employees to reveal sensitive information, such as passwords, company banking or credit card information, or even to execute a business transaction with the phisher. Phishing attacks have also become more sophisticated: an attacker may obtain your password through a bogus email and then take no immediate action. You remain unalarmed, as the attacker lies unnoticed, reading your emails and learning your interaction and communication styles. The attacker can then:
- Send out invoices to your customers with updated payment instructions.
- Send out requests to management to initiate urgent wire transfers.
- Request payroll or ask human resources to update an employee’s direct deposit information.
- Exfiltrate proprietary company, customer and other information by leveraging access to historical emails and linked access to other Office 365 applications (e.g., Microsoft SharePoint, Teams).
You may remain oblivious to the above scenario as the attacker puts email rules in place to redirect all incoming emails to a hidden folder in your mailbox or another email address. With these rules in place, you will never see the replies on the bogus requests. You may notice a quick flicker in your inbox or your number of unread emails going from 10 to 11, and then back to 10 almost instantly. This indicates you should immediately stop, notify your IT department and check your email rules to identify any suspicious items.
To combat these phishing schemes, we recommend the following best practices:
- Implement two-factor authentication for email accounts.
- Provide and require employees to complete cybersecurity and phishing training on at least an annual basis.
- Perform test phishing exercises to identify which employees are most vulnerable to these attacks. Companies can publish these results to their employees to provide increased accountability.
- Deliver praise and other awards for employees that pass phishing exercises or otherwise identify suspicious emails.
- Provide employees a way to report suspicious emails.
- Implement an email cloud service that sits in front of your email server and can filter for spam and phishing. These services are reasonably priced and can also provide email link validation to reduce the impact of employees clicking on “bad” links.
- Request that employees review their inbox rules for any unknown items on a quarterly basis or when they see a “flicker.”
- Ensure that anti-virus and anti-malware solutions are deployed on each employee’s computer.
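The inbox-rule review recommended above can be automated. The following is an added example (not code from the original article or from Moore Colson) that audits a list of inbox rules for the patterns described in the text: forwarding or redirecting mail outside the company, moving messages into rarely viewed folders and marking them read (which is what produces the "flicker" in the unread count), deleting messages, and triggering on financial keywords. The field names are modelled on what Exchange Online's `Get-InboxRule` cmdlet reports, the company domain `example.com` is an assumption, and the sample rules are constructed for illustration.

```python
"""Audit exported inbox rules for signs of mailbox tampering (added example)."""
from dataclasses import dataclass
from typing import Dict, List

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Folders an owner rarely opens, so mail moved there is effectively hidden
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}
# Subject keywords that suggest a rule targets payment or credential traffic
SENSITIVE_WORDS = {"invoice", "wire", "payment", "password", "bank", "ach"}


@dataclass
class Finding:
    rule: str
    reasons: List[str]


def audit_rules(rules: List[Dict], domain: str = COMPANY_DOMAIN) -> List[Finding]:
    """Return one Finding per enabled rule that shows a suspicious behaviour."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue  # a disabled rule takes no action on incoming mail
        reasons = []

        # 1. Mail leaving the company: ForwardTo / RedirectTo / ForwardAsAttachmentTo
        targets = (list(r.get("ForwardTo", [])) + list(r.get("RedirectTo", []))
                   + list(r.get("ForwardAsAttachmentTo", [])))
        external = [a for a in targets if not a.lower().endswith("@" + domain.lower())]
        if external:
            reasons.append(f"forwards mail outside {domain}: {', '.join(external)}")

        # 2. Replies hidden from the owner by moving them to an unwatched folder
        folder = (r.get("MoveToFolder") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves mail to rarely viewed folder '{r['MoveToFolder']}'")
        if r.get("DeleteMessage"):
            reasons.append("deletes matching messages")
        # Marking hidden/deleted mail as read keeps the unread counter from changing
        if r.get("MarkAsRead") and (folder or r.get("DeleteMessage")):
            reasons.append("marks hidden mail as read to suppress the unread count")

        # 3. Rule keyed on financial or credential subjects
        words = {w.lower() for w in r.get("SubjectContainsWords", [])}
        hits = sorted(words & SENSITIVE_WORDS)
        if hits:
            reasons.append(f"matches sensitive subject words: {', '.join(hits)}")

        # 4. Blank or punctuation-only names make a rule easy to overlook in the list
        name = r.get("Name", "")
        if not name.strip() or not any(c.isalnum() for c in name):
            reasons.append("rule name is blank or punctuation only")

        if reasons:
            findings.append(Finding(name, reasons))
    return findings


# Constructed sample: one benign rule, two tampering rules, one disabled rule
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
    {"Name": ".", "Enabled": True, "MoveToFolder": "RSS Subscriptions",
     "MarkAsRead": True, "SubjectContainsWords": ["invoice", "wire"]},
    {"Name": "Backup copy", "Enabled": True,
     "ForwardTo": ["finance-archive@example.net"]},
    {"Name": "Old cleanup", "Enabled": False, "DeleteMessage": True},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"Rule {f.rule!r}:")
        for reason in f.reasons:
            print(f"  - {reason}")
```

Feed it the rules exported for each mailbox and review every finding with the employee; a legitimate rule that forwards to a personal address is itself a policy issue worth closing.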
Once a hacker has gained access to an employee’s email, another common attack is to initiate a wire request. Even without gaining direct access to your email, attackers can still attempt to initiate a wire on your behalf by sending a spoofed email or one that uses an email address very similar to your domain (e.g., email@example.com vs. firstname.lastname@example.org).
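Lookalike sender domains of the kind mentioned above can be flagged before a finance employee ever acts on the message. The following added example (not from the original article) classifies a sender address as internal, lookalike or external by comparing its domain label to the company's own after undoing common visual substitutions (rn for m, 1 for l, 0 for o), measuring edit distance, and checking for the company name embedded in a longer domain. The company domain `example.com`, the substitution list and the sample addresses are assumptions constructed for the example, and the logic generalises beyond the single pair of addresses in the text.

```python
"""Flag sender domains that imitate the company's own domain (added example)."""
from typing import Tuple

OUR_DOMAIN = "example.com"  # assumption: the company's real mail domain

# Visual substitutions commonly used to imitate a domain; applied before comparing
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(label: str) -> str:
    """Lower-case a domain label and undo look-alike character substitutions."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, our_domain: str = OUR_DOMAIN) -> Tuple[str, str]:
    """Return ("internal"|"lookalike"|"external", reason) for a sender address."""
    our_domain = our_domain.lower()
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == our_domain or domain.endswith("." + our_domain):
        return "internal", "company domain or subdomain"

    our_label = normalize(our_domain.split(".")[0])   # "example"
    label = domain.split(".")[0]                      # first label of the sender domain
    norm = normalize(label)

    # Same name with swapped characters or a different TLD (exarnple.com, example.org)
    if norm == our_label:
        return "lookalike", f"same name as {our_domain} with substitution or TLD swap"
    # Typo-squats within two edits (exampel.com, exmaple.com)
    d = levenshtein(norm, our_label)
    if d <= 2:
        return "lookalike", f"edit distance {d} from '{our_label}'"
    # Company name embedded in a longer label (example-payments.com)
    if our_label in norm:
        return "lookalike", "embeds the company name in a longer domain"
    return "external", "unrelated domain"


# Constructed sample senders for a quick demonstration
SAMPLE_SENDERS = [
    "cfo@example.com", "it-help@mail.example.com", "cfo@exarnple.com",
    "ap@example.org", "cfo@exampel.com", "billing@example-payments.com",
    "jane@partner-corp.net",
]

if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        verdict, why = classify_sender(addr)
        print(f"{addr:32} {verdict:9} {why}")
```

A mail gateway rule or a small add-in can apply the same check and tag lookalike messages with a visible banner before they reach the wire process.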
We would suggest companies ensure they have the following internal controls in place and reinforce them frequently to prevent a fraudulent wire transfer from being perpetrated:
- Up-to-date policies on wire processes that all finance and accounting employees review and sign.
- Consider requiring verbal confirmation of the wire recipient’s details.
- Consider verifying all email signature contact information by performing a web-based search.
- Consider requiring email confirmation from the wire recipient upon receipt of funds.
- Consider training and acknowledgment of policies for all new finance or treasury hires and annual confirmation of policies by existing employees.
- Implementation of two-factor authentication with your banks via software or hardware solutions.
- Policy that all wires require a separate initiator and approver.
- Consider a third segregation of duty for a preparer that pulls together the details of the wire, including confirmation of wiring instructions.
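The segregation-of-duty and call-back controls listed above can be enforced in code rather than left to memory. The following added example (not from the original article or from Moore Colson) models a wire request that passes through a preparer, an initiator and an approver, refuses to let one person hold two of those roles, and blocks initiation until a verbal confirmation has been recorded using a phone number taken from a trusted record rather than from the request email. The role names, the trusted sources and the sample employees are assumptions constructed for the example.

```python
"""Enforce preparer / initiator / approver separation on wire requests (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed set of records a call-back number may legitimately come from
TRUSTED_PHONE_SOURCES = {"vendor master file", "signed contract on file"}


class ControlViolation(Exception):
    """Raised when a step would break an internal control."""


@dataclass
class WireRequest:
    amount: float
    beneficiary: str
    account_number: str
    preparer: str                       # pulled the details together
    initiator: Optional[str] = None     # keyed the wire into the bank portal
    approver: Optional[str] = None      # released the wire
    callback_verified_by: Optional[str] = None
    log: List[str] = field(default_factory=list)


def record_callback(req: WireRequest, employee: str, phone_source: str) -> None:
    """Record the verbal confirmation of the recipient's details."""
    if phone_source not in TRUSTED_PHONE_SOURCES:
        # A number supplied in the same email as the new instructions proves nothing
        raise ControlViolation("call-back number must come from a trusted record, "
                               f"not '{phone_source}'")
    req.callback_verified_by = employee
    req.log.append(f"call-back to {req.beneficiary} confirmed by {employee} via {phone_source}")


def initiate(req: WireRequest, employee: str) -> None:
    """Initiator enters the wire; must not be the preparer and needs a call-back first."""
    if employee == req.preparer:
        raise ControlViolation("initiator must be a different person from the preparer")
    if req.callback_verified_by is None:
        raise ControlViolation("wire cannot be initiated before call-back verification")
    req.initiator = employee
    req.log.append(f"initiated by {employee}")


def approve(req: WireRequest, employee: str) -> bool:
    """Approver releases the wire; must differ from both preparer and initiator."""
    if req.initiator is None:
        raise ControlViolation("wire has not been initiated")
    if employee in (req.preparer, req.initiator):
        raise ControlViolation("approver must differ from preparer and initiator")
    req.approver = employee
    req.log.append(f"approved by {employee}")
    return True


def process_sample_wire() -> WireRequest:
    """Run a constructed request through all three roles correctly."""
    req = WireRequest(amount=48_500.00, beneficiary="Acme Supplies (sample)",
                      account_number="000000000", preparer="alice")
    record_callback(req, "alice", "vendor master file")
    initiate(req, "bob")
    approve(req, "carol")
    return req


if __name__ == "__main__":
    for line in process_sample_wire().log:
        print(line)
```

The `log` field gives the audit trail a reviewer would ask for after an incident: who confirmed the details, from which record, and who entered and released the payment.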
Secure the Perimeter
The best way to protect your company is to “secure the perimeter,” making it difficult for attackers to infiltrate your environment. This is your first line of defense and one of the most important. To identify potential weaknesses in your IT infrastructure, companies should have external penetration testing performed on at least an annual basis. Once completed, ensure that any identified findings from the test are addressed by IT and executive management in a timely manner.
Next, it’s time to perform an internal vulnerability analysis of your network’s configuration to identify devices (e.g., switches, routers, firewalls, servers, laptops) that are subject to exploitation. Similar to the external penetration test, we recommend that this internal analysis also be performed on at least an annual basis and that findings be addressed by management in a timely manner.
Finally, with the increased use of multiple cloud solutions and other incoming connections to the company’s network, such as employees working from home, it is essential to require two-factor authentication on all cloud solutions and incoming connections to the company’s network.
Practice Good Hygiene
Similar to the advice we are receiving related to health practices with the COVID-19 pandemic, practicing good hygiene in IT terms is a key component to keeping hackers out of your network. One of the simplest, yet most effective practices, is requiring employees to utilize lengthy, complex passwords. Encouraging the use of phrases or sentences as part of a password to maximize password strength is strongly recommended.
Not all hackers take what they need and leave. Many hackers may continue to access your account to either monitor your data or steal additional information over time. Just like you are encouraged to wash your hands frequently in the current health climate, it is important to change your password on a regular and ongoing basis. Increasing the frequency of updating passwords will reduce the risk of a hacker continually monitoring and accessing your account, keeping your IT systems safe and healthy.
Have a Backup Plan
Having a robust off-site backup solution in place is critical to provide the ability to restore your data and IT operations in the event of an incident (e.g., ransomware attack, disk failure, data breach). Replication is needed for high availability in case the primary data center/server room becomes unavailable for use.
Consider a review of your current backup and replication configuration – and yes – you should have both!
- Replication configuration should include notification of any failures to replicate data.
- Backup and replication configurations should be defined separately for each core application.
- Backups should be stored separately from both the source data and the replicated data.
- Backups should be tested quarterly via restore procedures.
- This doesn’t require a full system restore but could simply restore a single application server, database or directory to confirm that data is readily readable and available.
- Disaster Recovery testing should be considered on an annual basis to ensure systems can be brought back “from scratch” in the event of an incident.
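A quarterly restore test is only meaningful if someone checks that the restored data matches what was backed up. The following added example (not code from the original article) builds a SHA-256 manifest of a source directory at backup time and compares it against a restored copy, reporting files that are missing, corrupted or unexpected. The sample files and the simulated bad restore are constructed inside a temporary directory so the script runs offline; the directory names are assumptions.

```python
"""Verify a single-directory restore against a hash manifest (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify_restore(source_manifest: Dict[str, str], restored: Path) -> Dict:
    """Compare a restored directory to the manifest taken from the source."""
    restored_manifest = build_manifest(restored)
    missing = sorted(set(source_manifest) - set(restored_manifest))
    corrupted = sorted(k for k in source_manifest
                       if k in restored_manifest and restored_manifest[k] != source_manifest[k])
    extra = sorted(set(restored_manifest) - set(source_manifest))
    return {"missing": missing, "corrupted": corrupted, "extra": extra,
            "ok": not missing and not corrupted}


def demo_restore_check() -> Dict:
    """Constructed scenario: one file truncated on restore, one file never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        restored = Path(tmp) / "restored"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Sample Customer\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = build_manifest(src)          # captured at backup time

        # Simulate a faulty restore: customers.csv truncated, config.ini absent
        (restored / "db").mkdir(parents=True)
        (restored / "db" / "customers.csv").write_text("id,name\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo_restore_check()
    print("restore OK" if result["ok"] else f"restore FAILED: {result}")
```

Store the manifest with the backup set (and a copy elsewhere) so that the check can be run on any restored server, database dump or directory without access to the original system.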
Now that you have locked the door on cybercrime and deadbolted it with a secure perimeter, good hygiene and a backup plan — below, we explore a couple of additional areas to consider as you navigate the COVID-19 crisis and its effect on your business.
Combating COVID-19 IT Threats
As the COVID-19 pandemic continues, businesses are considering different strategies on how to mitigate financial impacts to ensure overall financial health. In doing so, many companies are implementing furloughs, reductions-in-force (RIFs) and layoffs. If that difficult decision is made, businesses should consider these important security steps as part of their termination process to protect their organizational, financial and customer data.
- Disable the employee’s access to all relevant systems, including cloud systems (e.g., Salesforce, QuickBooks Online, Office 365).
- Ensure the employee returns any company-owned property (e.g., laptops, tablets, manuals, USB drives).
- Change the employee’s voicemail and email passwords.
- Set an automatic email reply on their email account that lets incoming emailers know they are no longer with the company.
- Grant another employee direct access to their account or forward all incoming emails to that employee so they can respond accordingly.
- Require staff who worked closely with this employee to change any shared passwords.
- Contact customers and/or vendors who worked with the employee, alerting them of the employee’s change in status and providing a new company contact.
Web Conferencing and Meetings
Virtual meeting security has likely not been top of mind prior to the flood of companies now being forced to leverage this platform for daily team communication. While the necessity of virtual meetings is paramount in this current environment, there are related security risks with the use of web conferencing technologies that should be understood and managed.
Meetings, whether conducted in-person or via web conferencing, often include the discussion of sensitive and confidential information. The risk of that information being compromised could result in the loss of proprietary company information, customer data or even a loss of revenue.
Whether using third-party web conferencing technology or a system that has been developed in house, it is essential to consider not only its ease of use but also the security of the tool and those using the technology on a daily basis.
Consider the following to help stay secure while using web conferencing technologies:
1) When creating a new web conference meeting, select an option to require a password. This will prevent those without the password from joining the meeting.
Note: Remember to provide the password to meeting attendees in a separate email, phone call or text message.
2) If hosting the web conference, continue to monitor those who have joined. To assist with this, most solutions allow the meeting host to replace phone numbers with the caller’s name. Consider also using a notification chime to inform of new attendees.
3) While in a web conference, do not click on any links that may appear in the chat window. If one of the presenters or attendees wants you to follow a link, this is a red flag, especially if you do not recognize them.
Weathering the Storm
This is a difficult time for businesses. When a crisis hits, it can be overwhelming to prioritize all that needs to be done. However, if you are uncertain of the strength and security of your IT systems, this belongs on your priority list as hackers will, unfortunately, capitalize on vulnerable times. If you need help, IT/Cybersecurity risk assessments, as well as vulnerability and penetration testing, can be done remotely by cybersecurity experts. This allows you to continue your business operations, ensuring you are not only protected during this challenging time but are also prepared for the next disruption.
How Moore Colson Can Help:
Moore Colson has extensive experience in providing financial and IT guidance to many companies across a variety of industries. You can learn more about our Cybersecurity Practice on our website or by contacting us. Also, be sure to subscribe here to get our news and alerts as they are released as we are committed to keeping you updated on how to navigate financial challenges associated with the COVID-19 pandemic.
Excerpts from this blog post will be featured in the upcoming September / October issue of Current Accounts magazine, a publication by The Georgia Society of CPAs.
Jon Powell, CPA, CITP, CISA, is a Partner in Moore Colson’s Risk Advisory & Compliance Services Practice. In addition to assisting with cybersecurity initiatives, Jon leads Sarbanes Oxley initiatives, internal audit co-sourcing partnerships, SOC audits and other compliance engagements.
Chris Arnone, CPA, is a Partner and Business Assurance Practice Leader at Moore Colson. Chris has over 20 years of experience providing audit, accounting and consulting services for companies in the transportation, manufacturing, distribution, staffing, private equity and venture capital industries.
Journet Greene is a Director in Moore Colson’s Risk Advisory and Compliance Services Practice. She leads Sarbanes-Oxley initiatives, internal audits, SOC audits and other compliance engagements for the firm’s many large IT and consulting engagements.