Technology and ‘safer at home’
April 7, 2020
By Martha Sullivan, CPA, CVA/ABV, CM&AA, CEPA
Partner, Succession Planning Practice Leader
Martha leads HK’s succession and exit planning services division and is a regular contributor to Wisconsin’s InBusiness digital magazine.
The concept of working from home (WFH) is new to many of us, even those of us who already had the capability to do it. For example, in my line of work, the ability to work remotely was already second nature given travel schedules and being on site at client businesses (way back in the “olden days” of February). Now I find myself with a five-second commute, sequestered in a spare bedroom that has also become my workout zone and hobby area. I continue to “dress for my day,” particularly when I know I’ll be on camera in virtual meetings. However, other daily routines are more casual and relaxed.
The whole COVID-19 experience has slowed us all down, like those Fourth of July gapers that block traffic on I-90. We don’t want to look, but we can’t help but stare, crawling in a surreal slow-mo through the routines we are able to maintain. My foot is on the brake when I know I need to remain vigilant and moving. Inertia like this, combined with the isolation, feels like a recipe for unintended sloppiness. This is particularly true when it comes to our best practices around security and business risk management. While we are all focused on keeping our employees and customers safe, fulfilling customer demands, and managing cash flow like hawks, we can’t neglect other critical aspects of keeping our companies safe.
Marriott’s March 31 disclosure of a breach involving its loyalty program membership database is a healthy reminder of why we must stay vigilant. True, the breach reportedly began in mid-January, before all the COVID-19 wheels went flying off. Yet the details of the incident demonstrate how important technology risk management is, whether in the office, on the plant floor, or WFH. Sure, Marriott is a big company and a likely target purely due to its size. However, the specifics of the Marriott breach are humbling regardless of your company’s size:
- The incident was the result of an indirect attack, reaching corporate data through a third party rather than a head-on break-in;
- It was initiated at a franchise property, not “corporate”; and
- The attacker used the login credentials of two franchise employees, and those credentials were enough to access guest data held in a corporate system. A password that works from anywhere is only as safe as the person (or the phishing email) holding it, which is why remote and third-party access should require more than a password.
Indirect attacks are increasingly common: the perpetrators navigate from a smaller, less protected remote system into the bigger systems to reach the mother-lode data they seek. Whether it be franchise credentials used to raid corporate, a supplier’s system feeding into a customer’s system (or vice versa), or a WFH employee clicking on the wrong thing, cybercriminals have long worked remotely against remote targets. The fact that the rest of us have joined them in this pandemic sequestration has got to be like Santa, the Tooth Fairy, and the Easter Bunny all arriving at the same time, giving them the perfect presents for honing their craft.
Today, WFH and on-site staff are squarely in the gapers block. We are bored, distracted, overwhelmed, or all of the above. Soulless cybercriminals are more than willing to scam us when we’re most vulnerable. Increased scam activity, much of it using COVID-19 themes as the lure, is already being reported during the pandemic.
In addition to your vigilance around physical health and safety issues, it’s critical to step up your personal and staff’s efforts to:
- Double down and watch for phishing expeditions designed to get you to click on a malicious link or open an infected attachment.
- Recognize that phishing and scams have evolved from phone calls and emails to text messages and can arrive as links, files, videos, etc.
- Verify all requests for payment or sensitive information, whether they arrive by email or phone. Common fake requests appear to come from people in “high places” such as a CEO or CFO, or from the Internal Revenue Service (IRS), Centers for Disease Control (CDC), World Health Organization (WHO), Small Business Administration (SBA), charities, and others. Sometimes the sender poses as someone who works with a person of authority at one of these organizations. Call back using a phone number you can independently verify, not the one provided by the person making the request, and never let urgency in the message short-circuit that step.
- Remind employees to watch for “tailgaters”: individuals who seem like they belong and gain unauthorized access by following a legitimate party into a restricted area. While many of our business facilities are closed right now, some are surging. Both scenarios still offer opportunities for someone wanting access to data or goods to hang out, wait, and tailgate. (All other, more fun tailgates have been officially canceled until further notice.)
- Engage your company’s IT resources to ensure that antivirus and other security tools are current and fully deployed, that operating systems and remote-access software are patched, and that remote access to company systems requires multi-factor authentication rather than a password alone. Monitor and confirm that the security tools are actually updating on remote devices (laptops, phones, etc.), since a device that hasn’t checked in for weeks is not protected.
- Use this opportunity to require mandatory IT security training for everyone in your organization on a regular basis. Perform “drills,” such as simulated phishing emails, to identify staff members who may need additional training. If you don’t have an in-house IT department, contract with a reputable IT consulting firm to help you with this. Create a heightened awareness as part of this new normal.
- Engage your IT team to understand the implications of using Zoom for your online meetings. Reports of “Zoombombing,” where uninvited parties join and disrupt meetings, are real. Changes such as requiring passwords on meetings, enabling the waiting room so the host admits attendees, and not posting meeting links on Facebook or other public channels may be appropriate.
While we’re abiding by the safer-at-home order, we are striving to flatten the curve of the virus. The same is true for your information systems, devices, and communications. Protect yourself and your business to flatten your cybercrime risk curve, and engage your employees, customers, and suppliers in doing the same.
We can do this.