We need to talk about Covid-19 cyberfraud.
Robert Capps wrote about the rise in cybercrime during the pandemic. There are more phishing emails purporting to come from the CDC or the WHO, and with employees working from home, they are getting calls asking for various passwords, and some are handing them over. For all the people who say they would never do that, keep in mind that if you get a call from someone claiming to be in your organization's IT department, you don't have the benefit of seeing whether they are who they claim to be. They aren't coming by your desk wearing a company badge. They're a voice on the phone and you can't verify their credentials. But they're sure asking you for yours! The only reliable check is to decline, hang up, and call IT back on a number you already know: a legitimate help desk never needs your password, and a caller who resists that callback has answered the question for you.
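The CDC/WHO impersonation described above is something a mail filter can catch mechanically, because the display name claims one organization while the sending address belongs to another. The Python below is an added example, not code from this post or from Capps' article. The organization keywords, the assumed legitimate domains (cdc.gov and who.int) and the sample headers are all constructed for illustration; it also rejects the common lookalike trick where the real domain appears as a prefix of an attacker-controlled one.

```python
import re
from email.utils import parseaddr

# Organizations commonly impersonated in pandemic-themed phishing, with the
# keywords that signal a claim to be that organization and the domains the
# organization really sends from. The domain list is an ASSUMPTION for this
# example (their public domains); extend it for your own environment.
IMPERSONATED_ORGS = {
    "cdc": {"keywords": ("cdc", "centers for disease control"),
            "domains": ("cdc.gov",)},
    "who": {"keywords": ("who", "world health organization"),
            "domains": ("who.int",)},
}

# Constructed sample From: headers (not real messages).
SAMPLE_HEADERS = [
    'From: CDC Health Alert Network <alerts@cdc.gov>',
    'From: "CDC Emergency Response" <cdc-response@cdc-gov-alerts.com>',
    'From: World Health Organization <info@who.int>',
    'From: WHO Covid-19 Update <update@who.int.covid19-info.net>',
    'From: Jane Doe <jane.doe@example.com>',
]


def claimed_org(display_name):
    """Return the key of the org the display name claims to be, or None."""
    name = display_name.lower()
    for org, info in IMPERSONATED_ORGS.items():
        for kw in info["keywords"]:
            if re.search(r"\b" + re.escape(kw) + r"\b", name):
                return org
    return None


def domain_belongs_to(domain, legit_domains):
    """True only if domain is a legit domain or a subdomain of one.

    'who.int.covid19-info.net' must NOT match 'who.int': a lookalike that
    merely starts with the real name is the classic trick, so we compare on
    label boundaries rather than with startswith()/substring checks.
    """
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)


def check_from_header(header):
    """Classify one raw 'From:' header line.

    Returns (display_name, address, verdict) where verdict is:
      'ok'         - the display name's claim matches the sending domain
      'suspicious' - claims an organization but sends from elsewhere
      'no-claim'   - display name claims no tracked organization
    """
    value = header.split(":", 1)[1].strip() if header.lower().startswith("from:") else header
    display, address = parseaddr(value)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    org = claimed_org(display)
    if org is None:
        return display, address, "no-claim"
    if domain_belongs_to(domain, IMPERSONATED_ORGS[org]["domains"]):
        return display, address, "ok"
    return display, address, "suspicious"


def suspicious_senders(headers):
    """Return the addresses from headers that impersonate a tracked org."""
    return [addr for _, addr, verdict in map(check_from_header, headers)
            if verdict == "suspicious"]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        display, address, verdict = check_from_header(h)
        print(f"{verdict:10s} {display!r:35s} {address}")
```

The keyword match is deliberately loose (a display name like "Who's Who Directory" would trip it), which is the right trade-off for a filter that quarantines for review rather than one that deletes; the domain check, by contrast, is strict on purpose. In production you would also check the authenticated domain from SPF/DKIM results rather than trusting the header alone.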
A lot of people are predicting that work from home is here to stay. I don't think so, but I'm willing to be wrong. If it is here to stay, we need to get serious about security. You can institute all the clean desk policies at the office that you want. You can require multi-factor authentication, have security guards monitor the floors, and control access with keycards. A large chunk of that goes out the window the second you send people out on their own. They may be incredible workers but not understand the point of the policies. And even if they do, there is no security guard or keycard controlling access to their homes, and multi-factor authentication only helps if nobody reads the one-time code to the same voice on the phone that just asked for the password. You have lost some of your security right off the bat. Those calls that were previously screened by a phone menu or a receptionist are now routed straight to your employees' cell phones, and that screening is gone. Your organization is weaker. Accept that's true. If you want your workers to continue to work from home, figure out what to do about it. Humans are always the weakest link, and if you are running the organization and failed to properly train your staff to avoid these scams, guess which human is to blame... (hint: it's not your employees).
One other thing the article addresses that helps explain why cyberfraud is on the rise during the pandemic is that policies are constantly changing. The firm I run had to move very quickly from conducting business in the office to doing it remotely across the country. We're digitizing everything because we needed to access it from anywhere, not just a filing cabinet. One of my law clerks left to spend the pandemic with his mom in California, so he was in a very different time zone from the rest of us. As we needed to make calls, it became evident that his clocking in around 5pm wasn't going to work because he couldn't make those calls. That switched. We had to have communication software and a process for assigning tasks because yelling across the office did not work anymore. That took trial and error. For my attorney who had already been struggling to bring in clients before the pandemic, he certainly had a hard time adjusting to the new changes when he already hadn't figured out the old process. We parted ways. Although it was almost certainly always headed down that path, the pandemic meant I couldn't give him any help or advice when he couldn't get with the software and had a hard time walking through it with me remotely. So it hastened it.
All of the changes all throughout were a result of, "the world is in a red level panic, I have to either fire everyone and abandon my office or figure this out, and I'm rather tenacious, so I guess I have to figure it out." But that didn't mean I knew what I was doing. Nobody did. If I went back in time and told employers to get their BYOD policies and security in order because they'd need them, I would have been ignored and told they are NEVER going BYOD, so this is useless advice to them. We're now at the stage of the pandemic where if somebody told me I need to keep a pair of running shoes at my office, ready at all times, I'd believe them. I don't know why I'd need them, but I can analyze a scenario where I'm going to need to run and I won't want to do it downstairs in heels.
Apart from the mess-ups, an intelligent employer should see this as a golden opportunity. I don't want to pull an ego trip and pretend I'm an absolute genius, fantastic business card aside. :) But I used this as an opportunity to improve. What am I lacking? Why is all this stuff only accessible on paper? I like to travel; what if I'm in Japan and I need a document right now? Digitize that stuff. Adopt this as a standard practice. I've given serious thought to (and even had to partially implement a few times) the action plan for what happens if I cannot access the written or digital copies. Or what if my power goes down? What is my contingency plan for various scenarios? As much as I dread it and try to prevent it, I know what I'd do if a computer got locked down with ransomware. I don't like it; I don't like any of this; but I've got a plan for it. I even have a contingency plan for if I get sick and a different one if I die from that illness. It's hard enough doing it in a personal way, but I've confronted my own mortality in a business sense and determined here's who gets my data, business, and assets; why that person gets it; how it should be handled; etc.
If you are a company owner reading this, have you asked yourself how you can improve security? Assume your employees don't know how.
If you are an individual reading this, first, please understand that businesses aren't throwing meaningless policy and security changes at you for no reason. We're doing the best we can as the situation evolves. Some are doing better than others. But second, ask yourself what you can do. Assume you know nothing and everyone is trying to steal your info. Well, you've heard you need strong passwords, so start there. Find out why. You've heard not to write them down or share them. Again, follow that advice and learn why. A) You don't want to be the fool who gets disciplinary action for giving out your password over the phone. B) You DO want to look like a cybersecurity hero when you walk back into the office having personally adopted some good habits that you can share with others. C) Even if someone else in your company did reveal their password, you might have done enough (a unique password for every account, nothing shared) to keep your own accounts sequestered from the damage, which REALLY makes you look like a hero. They might not give you a raise since they're paying millions to clean up so-and-so's mistake, but you might get a promotion out of this.
Capps, R. (2021, February 19). Fight back against COVID-19 cyberfraud. Security Boulevard. Retrieved February 20, 2021, from https://securityboulevard.com/2021/02/fight-back-against-covid-19-cyberfraud/