Cybercrime And Remote Work: Tools For Waging The War
The pandemic has been with us for about 18 months. While most aspects of life seem to be returning to some semblance of normal, many companies have determined that work from home (WFH) options — if even just part time — are advantageous for both their employees and for their organization. However, when the pandemic hit and nearly every business was forced to shut their office doors and set at least a portion of their employees up for remote work, IT teams knew how complicated — and how fraught with risk — the situation would be. They were right.
Ransomware attacks have skyrocketed during the past year, driven by the ease of using cryptocurrency for payments and by WFH settings that make computers more vulnerable. Just last Friday, for example, more than 200 U.S. businesses — mostly supply chain companies — were affected by a ransomware attack on major managed service provider Kaseya, whose VSA tool, which reaches into corporate networks across the United States, was hacked.
In the July/August issue of Media Financial Management Association’s (MFM’s) member magazine, The Financial Manager, Mary J. Hildebrand’s article, “Rising Crime, Rising Response?” lays out the very real and frightening result of the growing WFH environment: WFH settings make companies more vulnerable to cyberattacks, and they’ve often failed the test. Hildebrand, a partner, founder and chair of the privacy and cybersecurity practice at Lowenstein Sandler LLP, puts it bluntly: “Hackers had a field day when companies went into remote-worker mode.” Fortunately, she also offers a road map to give companies their best odds against cyberattacks and data breaches.
First, the bad news: When COVID-19 first reared its ugly head in the U.S., the disruption to our personal lives was awful, but the toll it took on the complex technology infrastructures that were suddenly required to accommodate massive traffic volumes was astronomical. In fact, Shira Ovide, The New York Times’ technology columnist, recently explained why the internet didn’t melt down altogether — and why we’re very lucky it didn’t — as a result of the pandemic. It has to do with interconnectedness, which is both a strength and a weakness.
Hackers went to work, quickly, to take advantage of less-than-robust networks and other weaknesses in the technology infrastructure supporting the newly decentralized workforce. According to the Information Systems Audit and Control Association (ISACA), cyberattacks rank as the fastest-growing crime in the U.S. Globally, ISACA estimates that cybercrime damages will reach $6 trillion by 2021.
Financial losses from cyberattacks are just part of the fallout, according to Hildebrand. Businesses also are required to comply with the applicable data-breach laws of every state and country where the affected individuals reside. That means companies in the U.S. may be forced to notify individuals, law enforcement and governmental authorities around the world — a massive drain on resources, particularly for smaller companies.
ISACA reports that the top cyber fraud incidents are social engineering, phishing, data security lapses, ransomware and patch management. Companies ranging from Big Tech to mom-and-pop businesses are grappling with some or all of these challenges, with differing degrees of success. Trying to prevent such intrusions by increasingly organized and tech-savvy criminals may seem daunting, but Hildebrand offers a number of proven best practices.
The top recommendation is to engage strategic leaders, making sure key stakeholders are involved and accountable as soon as the planning and risk-mitigation processes are underway. Among these stakeholders are top executives from IT (operations, security, data analytics); legal and compliance; marketing and business operations; human resources; finance; the C-suite; and even the board of directors.
Second, vet vendors. Realize that working with third-party vendors that support remote working comes with some risk, so the organization needs to have a security diligence process. Also know that companies are responsible under applicable data breach laws (and typically as part of commercial contracts) for the consequences of security incidents that third-party vendors engaged in processing their data may sustain.
Hildebrand’s third recommendation is to engage employees. While it’s painfully obvious to company leaders, employees may be less aware of the greater cybersecurity risks involved in the remote work environment. Provide ongoing training, and frequently remind staff about phishing, social engineering, and other scams meant to disarm workers into opening doors to data and/or privacy breaches.
Next, update company policies. Remote work places the company onto a new playing field; internal security practices should reflect a heightened awareness. Vigilance around employees’ use of personal devices is particularly important — even those that were previously approved. Personal hardware and accounts often don’t have security measures in place that are comparable to those in many companies’ primary IT system. Security methods should include information on installing applications to either protect or delete business data from a device.
Fifth, revise emergency strategies. That entails updating plans for incident response, disaster recovery, and other data security issues. Remote employees are literally alone; it’s critical they know exactly what to do — or not to do — if a security incident occurs. Pay special attention to including these staff when conducting remote-work tabletop exercises with the cybersecurity team.
Lastly, revisit insurance coverage. Most companies (and people) don’t think about insurance until they need to use it. If the business suffers a cyberattack and its insurance doesn’t cover its remote workforce and the third-party vendors used to support them, it could be in deep trouble. Make sure the company is protected before an event happens.
Hildebrand mentions some additional factors that companies should be aware of and diligent around as they wage their cyberattack defense. She warns that companies’ IT teams may be stretched and depleted as they are forced to wage a 24/7 battle against hackers. Organizations that were struggling to acquire enough hardware — particularly laptops — to properly set up remote workforces are taking chances by allowing employees to use their own equipment. Finally, she’s aware of so many stories of companies not taking the time to properly vet third-party vendors that she included it in her sidebar list of “The Weakest Conditions” that make companies vulnerable to a cyberattack.
Hildebrand’s conclusion sums up the current situation nicely: “As we move toward releasing restrictions on business and other activities, the vulnerabilities associated with remote work infrastructures still remain. In 2021, it’s more important than ever for companies to prioritize protection of their data assets.” With cyberattacks only expected to increase, it would be wiser to act on solid advice than to learn from mistakes.
If you are interested in reading the July/August 2021 issue of TFM, which includes Mary Hildebrand’s thoughtful article, it is now available on the MFM website.
As our Media Finance Focus 2021 conference continues through July 29, tackling the topics of most interest to the media industry’s finance and accounting professionals, there are a couple of sessions relevant to this column you should consider attending.
- The first, on July 20, is “How to Go Back to Working in the Office, After Working Remotely,” with panelists Ed Ienner and Christine Lipani of Meredith Corporation, and Ellen Lehr of Audacy.
- On July 27, tune into “Data Acquiescence to Data Activism: Why Legislation & Technology Must Work Together to Provide Data Protection and Monetization,” with Brittany Kaiser of the Own Your Data Foundation and the Digital Asset Trade Association and Lou Kerner of BIGtoken.
Check out the complete conference agenda on our conference website to learn more about these and the other remaining conference sessions.
Mary M. Collins is president and CEO of the Media Financial Management Association and its BCCA subsidiary, the media industry’s credit association. She can be reached at [email protected] and via the association’s LinkedIn, Facebook, Instagram and Twitter accounts.