Information Technology (IT) security is a never-ending race to keep pace with defending against what the “Bad Guys” are trying to exploit. Your IT needs to be vigilant for all kinds of threats. Some of the most common include:
Malware – Software intended to cause havoc or harm systems, such as viruses.
Ransomware – Also known as “crypto locker” software, it is malware that intentionally locks an organization’s files and makes them useless until you pay an extortion fee to unlock them. It can be weeks or months from initial infection to the date that the files lock, rendering your infected backups useless. (Note: We advise that you never pay a ransom to get your files unlocked, as this just encourages more attacks globally.)
Faked (or “Spoofed”) Websites/Emails – Financial fraud like bogus invoices made to appear like internal emails asking Accounting to pay them to a false vendor – or emails and websites designed to fool you into thinking a legit action is needed to gather your information (a.k.a., “phishing”).
Most of us will be familiar with the standard ways to protect your organization from these attacks. The strongest protection will include layers of technology like firewalls, anti-virus solutions, or newer classes of comprehensive endpoint threat analysis. It is wise to include DNS filtering as well as email filter rules in this set of protection tools.
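One way to express an email filter rule for the spoofed "internal" invoice emails described above, as an added example that is not from the original article. The domain example.org, the function names, and the sample messages are assumptions made for illustration, and the rule assumes your mail gateway records its own Authentication-Results header.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"  # assumption: stands in for your own mail domain

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoof_findings(raw_message, internal_domain=INTERNAL_DOMAIN):
    """List the reasons a message that looks internal may be spoofed."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Assumption: your gateway stamps this header and strips inbound copies.
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []
    if from_dom == internal_domain:
        if "dmarc=pass" not in auth:
            findings.append("internal From without dmarc=pass")
        if reply_dom and reply_dom != internal_domain:
            findings.append("Reply-To leaves the organization")
    elif internal_domain in display.lower():
        findings.append("display name imitates internal domain")
    return findings

# Constructed sample messages (not real mail).
SAMPLES = {
    "genuine": (
        'From: "Accounts Payable" <ap@example.org>\n'
        "Authentication-Results: mx.example.org; dmarc=pass header.from=example.org\n"
        "Subject: March invoice run\n\nSee attached.\n"),
    "forged_internal": (
        'From: "Accounts Payable" <ap@example.org>\n'
        "Reply-To: billing@vendor-pay.test\n"
        "Authentication-Results: mx.example.org; spf=fail; dmarc=fail\n"
        "Subject: URGENT: pay invoice today\n\nWire details enclosed.\n"),
    "lookalike": (
        'From: "cfo@example.org" <cfo@mail-example.test>\n'
        "Authentication-Results: mx.example.org; dmarc=pass header.from=mail-example.test\n"
        "Subject: Quick favor\n\nAre you at your desk?\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, spoof_findings(raw))
```

Messages with findings are better quarantined or tagged for review than silently dropped, since a misconfigured legitimate sender can trip the same checks.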
However, the technology alone will not completely protect you; it is not enough to stop all exploits. This is because the “Bad Guys” know how to manipulate human behavior and get people to do things that they might not normally do. Therefore, any mitigation strategy must account for the greatest vulnerability:
The Human Element.
It starts with creating skeptics at your workplace. Train your users to spot these scams and distrust all unsolicited incoming messaging regardless of the method. Scammers will use email (phishing), text messages, voice calls (vishing), even social media for their exploits; no communication method is safe. Here are common traits that could indicate a scam:
They arrive unexpectedly. A sudden request for payment for a company or service you are not familiar with.
They ask the receiver to do something unusual or outside of normal procedure.
They create a sense of urgency, often pressing the receiver to act immediately to avoid penalties.
While I have been discussing this in the context of your organization, these traits also apply to scams that are directed at individuals in their homes. Your training regimen should make sure people are using these skills in all aspects of their life, not just at work.
For training, I would recommend using a service. There are many companies out there that offer training for users, including some innovative firms that first evaluate your users and then provide an adapted training based on the results. The best practice in this area is to both evaluate your users regularly and to offer recurring training often. If your organization performs third-party security audits (as is required of HIPAA covered entities and companies that must comply with SOC or SOX), you should also ask the vendor to test your users with phishing and/or vishing attempts.
The last thing I want to discuss is how to best protect your firm if, despite all the efforts above, your company becomes a victim of one of these scams.
Number One: Invest in cyber and fraud insurance to protect your company. Most companies are aware of this insurance and have an active policy. However, given the huge rise in ransomware and crypto-locker style attacks, these premiums are rising fast to account for the new threats. It would be wise to review this with your accounting or finance department.
Number Two: Make sure your Disaster Recovery (DR) plan is up to the job. Are your backups immutable, meaning that they cannot change after saving? Having true offline and offsite tape storage is one way to do this. This can also be done with some backup software and appliances that use AWS or Azure storage for cloud backup. Testing and validating the restoration process must be something that your IT Department practices. This validation goes beyond the simple occasional file recovery that the IT department will manage. Has your IT Team tested their ability to perform a “bare metal” restore of major systems? If not, ask them to!
Number Three: Embed a Communications Plan in your Disaster Recovery/Business Continuity Plan. It is important to plan how to communicate any breach internally as well as externally. Depending on the industry, there may be disclosure requirements that need to be followed. Engage with legal and communication departments during your planning and testing sessions.
Disaster Recovery and Business Continuity Planning is a subject that your IT Team must be able to articulate to your organization’s leadership, as well as have a planned process that is tested annually for recovering and continuing normal business operations. Ideally, they will have a playbook or some other sort of documented process that they can follow in case of a major incident. While the IT Team cannot account for every type of contingency, you want to minimize the need to problem-solve during the incident.
By approaching IT Security as a collection of systems and understanding how scammers exploit ‘The Human Element’, you can build resilient and recoverable systems to protect your organization.
Today’s technology offers greater connectivity and mobility than ever before. In response, organizations across nearly every industry are finding opportunities to empower some, most, or even all of their staff to work remotely, whether exclusively or for part of their work.
Telecommuting can be beneficial both as a staff perk (and therefore a selling point when recruiting new staff or retaining existing staff) and for increased productivity for the company. Beyond that, there is a positive environmental impact to be had with reduced carbon emissions and decreased traffic congestion. It can also be a savings for the company that would otherwise have to provide equipment, furniture, and consumables for in-office staff. When done correctly, telecommuting is truly a win for all involved. But certain precautions should be taken to avoid pitfalls along the way:
Check with an attorney who has experience with telecommuting policies and practices; be sure that you have addressed any potential legal snares related either to your industry specifically (e.g. HIPAA compliance) or to all workplaces (e.g. FLSA or OSHA compliance).
Healthcare organizations with remote workers must ensure that a remote workplace has safeguards in place against the inadvertent sharing of protected health information by a data analyst. For example, mobile staff like to work in a coffee shop and sip on a cup of their favorite brew. This could create problems for protecting private information. Consider showing a reminder message upon a VPN login or remote desktop session to check one’s surroundings to ensure that the data on the screen is safe from peering eyes.
Be sure to have written policies that cover the opportunity and responsibilities of telecommuting.
For organizations with non-exempt staff, it is important to strictly specify how and when telecommuting can be used. Organizations that provide carte blanche access to work systems may be on the hook for additional compensation to hourly staff, including overtime and possible labor violations. Good policies are a must!
Ensure that end-to-end technology infrastructure can adequately support the needs of a telecommuting workforce. Extending connectivity through a virtual private network (VPN) down to a remote user’s laptop or tablet via an internet connection can severely limit the data flow. Furthermore, even if your corporate internet connection has been able to meet the needs of your in-house staff, it could be adversely impacted by the introduction of a telecommuting workforce competing for limited bandwidth with in-office staff.
Consider the following when exploring a telecommuting strategy:
How many staff would you like to have operate on a telecommuting basis? How many will be connected at any given time as a result?
As staff connect and operate remotely, does your IT department have the tools necessary to monitor the impact this has on your company’s internet connection?
If your company hosts its servers in-house, consider using a remote desktop client for your remote workers. This poses two key benefits:
Remote desktop is basically a screen refresh to the remote desktop server. The bandwidth utilization through remote desktop protocol (RDP) is typically much less than it would be using a data-intensive desktop application on the remote computer.
Some applications are sensitive to the connection state to the server. In other words, if the client running the application becomes disconnected, this could result in lost data within the application. If the application is running on a remote desktop server, and the session becomes disconnected, the application can remain active without the risk of lost data.
If your company hosts servers in-house and the introduction of a telecommuting workforce would saturate your company’s internet connection, it may be worth considering a move of some of your server infrastructure to a cloud-based service provider like Microsoft Azure, Amazon AWS, or Google Cloud. In these scenarios, your remote workers would be connecting to these service providers over their internet connections rather than over your company’s internet connection.
What internet connectivity options exist for your proposed remote staff?
Despite the fact that we live in the second decade of the twenty-first century, there are still many rural areas that do not have adequate internet connectivity. It is important that your remote staff have a connection that will be reliable and fast enough to meet their telecommuting demands. In some cases, cellular connectivity (3G, 4G, or LTE) can be an option, but these can be costly and have hard bandwidth limits.
Consider whether you would need video conferencing ability as this can significantly increase bandwidth needs.
If telecommuting is new to your company, consider the impact this may have on staff and the support that IT may need to provide these staff. Less tech-savvy staff may have a difficult time with telecommuting and may require additional training and practice; it may be important to have one or more of these staff in a pilot phase in order to “stress test” the support system.
Be prepared to be able to demonstrate to senior management, your company’s board, or perhaps even the general public that telecommuting is a beneficial endeavor for your company. Be able to demonstrate how staff productivity is not negatively impacted in this new work sphere—or, if there is a dip in productivity as staff acclimate to the challenges and the overall learning curve, be able to show a return to an upward trend over time.
If yours is a rural organization, you may be able to recruit highly talented urban-residing staff that don’t need to make the long trek to your office on a regular basis. Work with your Human Resources team to identify staff recruitment and retention outcomes, and develop sound telecommuting practice.