By Steve Bates, Global Leader, KPMG’s CIO Center of Excellence, KPMG International and Principal, KPMG in the US
In today’s remote working culture, CISOs, CIOs, and business owners are tasked with keeping their organizations safe from security threats. We see six risk areas to focus on in these challenging times.
- CEO fraud exploiting social distancing:
Knowing who to trust in challenging times is crucial. Be aware that there could be people posing as a CEO, CFO or another senior company figure in order to have corporate funds transferred to other bank accounts. Advise staff with the relevant access to keep following every established company money-transfer protocol, and encourage them to follow the incident management process and escalate any irregular communication, such as a transfer request that arrives outside the normal channels.
- Insecure remote connections to the office:
When time is of the essence, organizations still need to ensure secure remote connectivity. In our video on standing up a remote environment, we discuss the recommendation of multi-factor authentication for access to company data, along with securely configured and reputable cloud solutions for collaborations wherever possible.
- Increased personal use of company devices:
Working from home with company devices has brought new temptations to use company equipment for personal purposes. This increases the risk of these devices becoming infected with a virus or malware. To stay on the safer side, we recommend keeping browsers and related third-party software, such as PDF readers, Flash Player and Java, up to date.
- Employees under financial stress or job uncertainty may pose an insider-threat risk:
The uncertainty of a pandemic can cause employees financial concern as well as concern over losing their jobs. That concern has been known to be exploited by competitors to lure employees into giving away corporate data. In our People and Communication video, we discuss the importance of transparent messaging and of reaching out to workers to keep lines of communication open.
- Confidentiality at home:
When your personal space is no longer just yours but is now shared with your household, confidentiality brings a whole new challenge into play. Whether your staff are surrounded by family, friends or children, we advise that they work in separate rooms as much as possible, never leave confidential materials out, and use privacy screens and headsets rather than speakerphones.
- Phishing attempts specifically related to COVID-19:
Since mid-February, we have seen a rapidly increasing number of cybercriminals using COVID-19-themed spear-phishing attacks. These cybercriminals are looking to lure targets to fake websites and collect Office 365 credentials.
One example is phishing emails that send targeted users to fake Center for Disease Control (CDC) websites, or comparable sites in other countries, which solicit user credentials and passwords.
As you coordinate your response across all three lines of defense – operational management, risk oversight, and internal audit – consider these steps to help reduce risk to both your organization and employees working remotely:
- Raise awareness of the heightened risk of COVID-19-themed fraud and phishing attacks. Emphasize the existing protocols and encourage employees to voice concern if something seems out of place
- Lean on your Internal Audit function to provide guidance on where controls can be modified to accommodate changes in decision making or risk tolerance
- Stay in touch with your employees and share regular updates on how your organization is handling the COVID-19 pandemic
- Ensure all company-provided technology has up-to-date anti-virus and firewall software
- Add a dedicated hotline, service desk menu, or portal to report any security concerns including potential phishing
- Encrypt data at rest on laptops and add data loss prevention software to detect data breaches and leaks
- Offer employees an alternative way to transfer data, such as secure collaboration tools, and disable USB drives to reduce the risk of malware
With a few of the immediate and near-term considerations for key risk and security-related areas laid out above, keep in mind that technology can only go so far in protecting your most critical assets. Supporting changes in human behavior, particularly by generating awareness, providing easily accessible support, and avoiding a sense of fear and retribution, is equally important.