Alex Moshinsky, CPA
5.4.2020 – VISION2020 – COVID-19 Update
During pandemics, just as during natural disasters, cybercriminals become even more opportunistic for a number of reasons, including the following:
- Cybercriminals exploit uncertainty and fear of knowns and unknowns related to the pandemic
- Spending extensive time online can make individuals less vigilant in practicing cyber “hygiene,” which leads to increased vulnerability to cyber attacks
- Businesses are becoming even more dependent on the Internet and, if not prepared to defend against cyber attack, even minor mistakes can produce major negative consequences
Navigating through the COVID-19 pandemic is challenging, but remote working might present an optimal opportunity to test and improve your company’s cyber behavior by following these best practices:
Passwords: Effective passwords should contain a complex combination of at least 3 upper and/or lowercase letters, punctuation, symbols, and numerals and should be a minimum of 8 characters in length. Require that passwords be changed at fixed intervals and make sure these rules are automatically enforced.
Multi-Factor Authentication: It is most critical to have a secure connection between employees and the organization’s network. Multi-factor authentication security requires multiple means of identification at login, and it is widely recognized as the most secure software authentication method for verifying access to data and applications. This type of authentication ensures that a user is who they claim to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.
Training: Proper cyber training is more critical than ever. It is crucial to maintain proper cyber security practices by both end users and IT staff with policies and practices communicated and reiterated to all. Note that the best tools and technologies are ineffective unless all employees understand their roles and responsibilities. Some best practices to implement are:
- IT should send emails periodically to warn against potential IT-related security threats.
- Educate employees on current scamming methods including “social engineering”, “ransomware”, “spoofed accounts and names” among others.
- Regularly test employees to help ensure that their theoretical knowledge is applied in practice.
- Do not allow administrative access for the end-users’ devices, which can facilitate the introduction of malware or viruses if the user makes a mistake and clicks on a malicious link.
Access Controls/Recertifications: Better late than never. If there hasn’t been some form of access controls/recertification to ensure that every user has appropriate system access, start now. Without periodic reviews (strong control environments perform this activity every 90 days), access rights and/or user roles may become obsolete and incompatible with job responsibilities — increasing the risk of misappropriation and financial statement misstatement. Access rights to all critical files, applications, and hardware should be regularly recertified.
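The following is an added example, not part of the original article, of how such a recertification review can be automated. It flags grants that are overdue against the 90-day interval mentioned above or that do not fit the user's current role. The role model, account names, entitlement names, and dates are all constructed for illustration.

```python
from datetime import date

# Constructed role model: entitlements each job role is expected to hold.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:invoice_entry"},
    "controller": {"erp:invoice_entry", "erp:payment_approval", "erp:gl_close"},
    "it_admin": {"fileserver:admin", "vpn:admin"},
}

# Constructed sample grants: (user, current_role, entitlement, last_recertified or None)
GRANTS = [
    ("jdoe", "ap_clerk", "erp:invoice_entry", date(2020, 3, 20)),
    ("jdoe", "ap_clerk", "erp:payment_approval", date(2020, 3, 20)),
    ("msmith", "controller", "erp:gl_close", date(2019, 11, 4)),
    ("rlee", "it_admin", "vpn:admin", None),
    ("tkhan", "contractor", "fileserver:admin", date(2020, 4, 28)),
]

def review_access(grants, today, max_age_days=90):
    """Return (user, entitlement, reason) findings for a recertification review."""
    findings = []
    for user, role, entitlement, last_cert in grants:
        # Check 1: does the entitlement still match the user's job role?
        allowed = ROLE_ENTITLEMENTS.get(role)
        if allowed is None:
            findings.append((user, entitlement, "role not in role model"))
        elif entitlement not in allowed:
            findings.append((user, entitlement, "incompatible with role " + role))
        # Check 2: has the grant been recertified within the review interval?
        if last_cert is None:
            findings.append((user, entitlement, "never recertified"))
        elif (today - last_cert).days > max_age_days:
            age = (today - last_cert).days
            findings.append((user, entitlement, f"recertification overdue ({age} days)"))
    return findings

if __name__ == "__main__":
    for finding in review_access(GRANTS, today=date(2020, 5, 4)):
        print(*finding, sep=" | ")
```

In practice the grants would come from an export of the directory or application being reviewed, and each finding would go to the access owner for a keep-or-revoke decision.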
Vulnerability and Penetration Testing: How secure are you? When was the last time your organization was certified by an outside independent penetration testing firm to ensure the systems and networks are properly configured to prevent and detect security breaches and avoid potential losses and corruption of critical proprietary data? If it has been a while, now might be the right time to conduct such a review.
Remote Access Applications: Working from home (telecommuting) requires reliable and secure means, processes, and tools. This includes VPN (Virtual Private Network) and/or VDI (Virtual Desktop Infrastructure) applications, as well as other tools for robust teleconferencing. Bandwidth and security factors should be strongly considered when choosing a remote access application.
Firewalls: In normal times as well as under extreme circumstances, companies and their respective network administrators should maintain well-functioning firewalls. Firewalls are important elements in layered security for every IT network. Only traffic controlled by the firewall rules, as set by network administrators, should be allowed through firewalls. Effective firewalls require periodic reviews to ensure proper configuration for scanning, logging, and reporting traffic flowing in and out of a company’s network and blocking unauthorized external attempts to access the network. It is also most critical to apply the relevant security patches to ensure effective firewall operation.
Intrusion Prevention and Detection: Risk management models with multiple layers of defense provide a cohesive and coordinated approach to cybersecurity and information assurance. In case firewalls fail, organizations should have Intrusion Prevention (IPS) and Intrusion Detection (IDS) systems in place, as they are considered the next lines of defense.
An IPS monitors networks and systems for malicious activities. Unlike firewalls, which permit or block traffic in accordance with port and protocol rules, an IPS monitors the contents of data, looking for traffic anomalies.
An IDS monitors networks and systems for malicious activities that may have already breached the system. If detected, the activity or violation is reported to a network administrator.
Software Patching: Patch management is critical. Just as with firewalls, security patching for all applications should be mandatory. Keeping application software and operating systems up to date with the most recent patches will protect the company from malware attacks due to unseen software deficiencies and other vulnerabilities.
Incident Response Plan: Not all cyberattacks can be successfully deterred. As such, each organization should have a formally documented Incident Response Plan. Test the plan to ensure it is fully operational and includes defined steps for employees and IT personnel if a breach is suspected. Identify individuals who are responsible for containing the intrusion, mitigating the harm, and collecting and preserving vital information that will help determine the nature and scope of the damage and the potential source of the threat.
Third-Party Service Providers: If companies outsource some or all IT operations, requiring outsourced providers and contractors to have cyber controls and policies in place and ensuring they are regularly monitored is a must. When providing remote access to third-party vendors, login and password credentials are often shared. This practice should be discouraged, and each user should operate under their own username and password. If deemed necessary, network administrators may share passwords for certain privileged accounts. If managed incorrectly, this practice presents significant security and compliance risks from intentional, accidental, or indirect misuse of shared privileges. In these situations, consider implementing an integrated privilege management solution. In addition, confirm that third parties’ business continuity plans are in place and can sustain their own operations.
Encryption: To ensure the highest protection, all personal, private, and sensitive data both “at rest” and “in motion” should be encrypted.
Home-office Network Environment: As with any change, introducing a new environment can create new risks. Employers typically do not exercise control over employees’ virtual home office cyber environment. However, the following recommendations should be made to the employees:
- Create “guest” and “private” Wi-Fi network segments
- Ensure vendor default passwords are changed on Wi-Fi networks
- Ensure that they have the most updated router firmware
- Suggest that they exercise best security practices, including physical and logical access for personally owned mobile devices, desktops, and laptops
For more information on this topic or any other matter related to the COVID-19 pandemic, please contact Alexander Moshinsky at 212.331.7448 | firstname.lastname@example.org or your Berdon advisor and visit Berdon’s COVID-19 Information Center.