Information risk to your organization is not a new topic for business leaders. The COVID-19 pandemic amplified the challenges to protect a company’s assets. Security controls have had to evolve to meet new and well-known threats and adapt to how and where people use technology.
As organizations and their employees continue to adjust to changing threats and work environments, even more vigilance is required as cybercriminals try to take advantage of new and old vulnerabilities. What can business leaders do to help protect their companies, employees, and clients from exposure?
Here are some timeless tips to keep in mind:
Tip #1: Beware of Social Engineering
Attackers continue to use social engineering to target organizations and individuals. Attacks that may affect your business may be directed at your employees’ business or personal online personas and perpetrated through your business partners and vendors.
For example, an attacker may attempt to compromise a vendor’s email account to target your employees. Also, an employee’s personal email account accessed from your company’s device may include links to malware that could infect your company’s resources. Your security controls and awareness campaigns should consider both direct and indirect social engineering attack vectors.
- Prepare your organization to resist and recover from an attack, especially a ransomware attack
- Implement technical controls to enforce your company’s acceptable use policy; such controls may limit or restrict access to personal email, social media, chat, non-business internet sites, and the use of personal devices in the workplace
- Implement multifactor authentication to prevent account compromise
- Back up all of your important information and test your restoration procedures
- Evaluate third-party technology carefully to identify any security risks you are unwilling to accept
- Ensure devices are updated with security patches, and use only supported software and devices that still receive security updates, so that malware cannot exploit known flaws
Tip #2: Keep Web Conferencing Secure
Many organizations and employees have turned to web conferencing and virtual platforms for meetings and other communication. Predictably, there are a number of security issues that can stem from using collaboration tools such as Zoom, Slack, Microsoft Teams, and others.
- Define company-approved web conferencing programs and tools
- Avoid continued reuse of access codes for meetings
- Use a one-time meeting PIN or multi-factor authentication for meeting entry when discussing sensitive information and to prevent “meeting crashers”
- Ensure meetings can only begin once the meeting host has arrived
- Only record virtual meetings when necessary and remove recordings when they are no longer required
- Disable any features you will not need (e.g., file sharing, screen sharing)
- Educate employees, using content from trusted sources, to make risk-informed decisions
Tip #3: Beware of Payment Lures
Payment lures, often initiated through Business Email Compromise (BEC), are used to trick employees into transferring money to an account controlled by an attacker. Attackers also trick consumers into believing they are owed money and that all they need to do is supply some additional information to receive it. For example, email payment lures related to the pandemic include a link for the recipient to click on to provide information, but the link actually leads to a phishing scam or credential harvesting site.
- Implement and enforce strong protocols for wire transfers, employee payroll changes, and the use of corporate credit cards
- Educate employees to not disclose sensitive information, such as account numbers or passwords, through email, websites, text messages, or over the phone
- Use security tools to identify and block known malicious links in email and an internet proxy to only allow access to websites consistent with your company’s acceptable use policy
- Keep your devices clean by installing security patches and software updates
- Use out-of-band controls such as contacting a company directly (using contact info from billing statements) with questions about whether an email communication is legitimate
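The "identify and block known malicious links" and "proxy only allows approved sites" controls above can be illustrated with a small link triage routine. The following is an added example written for this article, not code from SWBC or the author; the malicious-domain list, the approved-domain list, and the sample lure email are all constructed for the demonstration, and a real deployment would source the lists from threat-intelligence feeds and the proxy's acceptable-use policy. It goes slightly beyond the text by also flagging two common lure tricks: a link whose visible text shows a different site than its real destination, and a URL that hides the true host behind a `user@` prefix.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed lists for the example (not real indicators). In production these
# would come from threat-intel feeds and the corporate proxy's allowlist.
KNOWN_MALICIOUS_DOMAINS = {"relief-payment-verify.example", "secure-login-update.example"}
APPROVED_DOMAINS = {"bank.example", "intranet.corp.example"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def registered_domain(url):
    """Hostname of a URL, lowercased. urlsplit().hostname drops any userinfo,
    so https://bank.example@evil.example/ correctly resolves to evil.example."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def matches(domain, domain_set):
    """True if domain equals, or is a subdomain of, any entry in domain_set."""
    return any(domain == d or domain.endswith("." + d) for d in domain_set)


def extract_links(html):
    """Return (href, visible_text) pairs for every anchor in an HTML body."""
    return [(href.strip(), re.sub(r"<[^>]+>", "", text).strip())
            for href, text in HREF_RE.findall(html)]


def classify_link(href, text):
    """Apply the denylist, the proxy allowlist and two lure heuristics to one link."""
    domain = registered_domain(href)
    reasons = []
    if matches(domain, KNOWN_MALICIOUS_DOMAINS):
        reasons.append("known-malicious")
    if not matches(domain, APPROVED_DOMAINS):
        reasons.append("not-on-allowlist")       # what an allowlist-only proxy would deny
    shown = URL_RE.search(text)
    if shown and registered_domain(shown.group(0)) != domain:
        reasons.append("display-mismatch")       # text says one site, href goes elsewhere
    if "@" in urlsplit(href).netloc:
        reasons.append("userinfo-in-url")        # real host hidden behind a fake one
    return {"href": href, "domain": domain,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


def scan_email(raw_message):
    """Parse an RFC 822 message and classify every link in its HTML body."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return [classify_link(href, text) for href, text in extract_links(body)]


# Constructed sample payment lure in the style described in the article.
SAMPLE_LURE = """\
From: "Payroll Relief Desk" <payroll@relief-payment-verify.example>
To: employee@corp.example
Subject: Your pandemic relief payment is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Confirm your details to receive the payment:</p>
<a href="https://relief-payment-verify.example/claim">https://bank.example/relief</a>
<p>Or use the intranet form:</p>
<a href="https://intranet.corp.example/forms">intranet</a>
<a href="https://bank.example@secure-login-update.example/login">Secure bank login</a>
</body></html>
"""

if __name__ == "__main__":
    for result in scan_email(SAMPLE_LURE):
        print(result["verdict"], result["domain"], result["reasons"])
```

The first and third links are blocked on several grounds at once (denylisted host, display-text mismatch, hidden host), while the intranet link passes because it is on the approved list; the "not-on-allowlist" reason on its own is exactly the case the allowlist-only proxy in the tip is meant to catch, even when a domain is too new to be on any denylist.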
Tip #4: Remember Physical Security
The pandemic response was a catalyst for workforce transformation that allowed technology assets to physically move outside of company-owned facilities. In fact, many companies have more end-user technology assets located outside of their facilities in private residences than in their own facilities. Moreover, remote access to technology services is more prevalent than ever. The hybrid workforce must now also help you physically protect your company’s assets.
- Dedicate resources to manage technology assets within a strong asset management program
- Ensure your incident response plan is ready to deal with lost/stolen assets and data leaks
- Test your incident response plan and data loss prevention controls to identify gaps and improvements
- Adjust corporate policies and remote work agreements to outline acceptable use and the user’s responsibility to protect your assets and report security incidents
- Implement technical controls to prevent the unauthorized use of your assets and limit what data may be stored on the device
- Educate employees, using content from trusted sources, on how to minimize the security risk of working remotely and the protocols they should follow when doing so
While the tips above are not an exhaustive list of actions you should take to protect your organization’s assets and reputation, they are important areas to consider as you manage your cybersecurity risk. Remembering the aforementioned tips can be key in keeping your business and employees safe from cybercrime. Make sure to remain vigilant and adjust your controls to meet evolving threats to your business.
Jeffrey Julig is Vice President and Chief Information Security Officer (CISO) for SWBC. In this role, he leads a team of security professionals to protect SWBC’s diverse lines of business from internal and external cyber threats. Jeffrey is passionate about information security and privacy and belongs to numerous international, national, and local professional and community organizations. He has a Bachelor of Science degree in Cybersecurity from the University of Maryland University College and earned several of the information security industry’s most respected certifications, including the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Law of Data Security and Investigations (GIAC-GLEG) certifications. Jeffrey attended the Department of Defense Cybercrime Investigations Training Academy (DCITA) and is a certified digital forensics examiner.