There are plenty of reasons to be alarmed these days, and we want our clients to remain safe and healthy throughout this crisis. We believe that the massive increase in “work from home” users, shifts in user behavior, fear and confusion will prove to be fertile hunting grounds for cyber criminals.
A cyber breach is the last thing anyone needs right now, so please take care and follow these guidelines.
Make sure MFA is enabled on every account
According to the 2019 Verizon Data Breach Investigations Report, almost 80% of all breaches are still related to compromised passwords. Multi-factor authentication (MFA) is the simplest and most critical defense against this. At an absolute minimum, we implore you to have it configured on Microsoft Office 365 or the G-Suite, but you should extend MFA to all banking, file sharing, social media, marketing, and shopping accounts.
Why is this so important right now? Because cyber criminals are opportunistic. They will be preying on sloppy password practices. For instance, the National Cyber Security Alliance reported in 2019 that 51% of all users share passwords between personal and professional systems. Now that people are dispersed, disorganized and often frantic, criminals have an opportunity to infiltrate accounts.
Use verbal or cross-reference protocols for all financial transactions
We anticipate that cyber criminals will use phishing attacks and compromised passwords to conduct fraud. How? Here is one example:
Wire transfer requests: Using phishing or account spoofing, criminals will impersonate business owners and managers and ask subordinates to wire money, buy gift cards or change account information. Without physical proximity and with people being scared and often frantic, subordinates will unfortunately fall for it.
We recommend that for ALL banking account changes, wire transfers, and special financial requests like gifts (maybe all requests for some businesses), there is a verbal “handshake” between the parties to authorize the change. If you are a business leader, we strongly advise that you implement a control to ensure every request is verified and nothing is accepted at face value in writing only.
File management protocols
Unless there is a corporate mandate (often called an Acceptable Use Policy) on what systems can be used for file management, there is a risk that users will stray into bad habits that put corporate data at risk. One of the greatest risks will come from users on personal or home machines accessing company data and then saving it locally or on a personal file system like their own DropBox account.
This greatly increases the risks because personal or home machines and accounts typically have less security.
The risk is that corporate files will be compromised and breached or lost if anything happens to the personal machine or accounts. Some companies will write this off as the least of their worries in this time, but any personally identifiable information (PII) or Business Identifiable Information (BII) that is compromised is required by law to be self-reported to the Federal Government. You can find more info on this here.
We think that having to figure out how to self-report compromised data from a breach right now is the last thing most businesses should be thinking about. Engage your IT vendor to discuss prevention measures; they aren’t complicated or expensive!
Password Management systems
In the absence of a password manager, companies either:
- Leave it up to their employees to use their own systems for password management
- Use spreadsheets
- Use a password gatekeeper who sets up accounts and disperses passwords to staff
Without easy access, emails, phone calls and texts will invariably be used to provide user access to accounts. The simplest and easiest way to resolve this challenge is a password management solution like Keeper. This will allow companies to set up corporate and user-level vaults and provide privileged access for users. When a user is terminated, you can revoke their access to all their passwords from one place, and quickly ascertain which corporate passwords ought to be changed.
Good cyber hygiene and caution are more important than ever right now. If you would like to discuss how to protect your firm during this tenuous time, please reach out to Upward Technology for further discussion.