7 Actionable Steps to Reducing Cyber Vulnerabilities

Cybersecurity breaches are in the news daily, and as forensic investigation and incident response practitioners, we have seen several common themes among victim companies. Attackers often pass over larger companies with robust cybersecurity measures and instead prey upon small to mid-sized businesses that are softer targets with weaker security postures. These seven steps to reducing your cyberattack surfaces will help to strengthen your defenses.

  1. Raise Cybersecurity Awareness and Hold Employees Accountable

    The weakest link in any cybersecurity program is the human workforce operating within it. Phishing attacks–in which users are tricked or deceived into opening an unsafe email attachment or visiting a fraudulent website–are among the strongest weapons in an attacker’s arsenal because they work against people, not software. Institute a regular cybersecurity awareness program that includes not only instruction but also random testing throughout the year. Repeated failures of such random testing should be considered a notable area for improvement for employee progression. If your company lacks the resources or abilities to perform such training, several outsourced providers have these training and awareness platforms at the ready.
  2. Use Strong Passwords and Password Managers

    An attack known as “credential stuffing” is extremely effective at helping attackers gain access to multiple systems at once by taking valid username and password combinations (called “credentials”) stolen from one computer system or website and trying them against others such as corporate logins, online banking, and more. As people often reuse passwords across platforms to make remembering passwords easier, this also leaves systems—including the computers and accounts they use for work—vulnerable to compromise.

    To combat credential stuffing, an organization’s best defense today is the combination of strong passwords (long passwords with a mix of capital letters, lower case letters, numbers, and symbols) and password managers—secure programs designed to generate strong passwords and store them for easy recall, to make using unique strong passwords on every account and website easy. This also assists with “corporate memory” of shared or administrative passwords, as particular entries can be made accessible to a certain group of users. Password managers such as 1Password, LastPass, and Dashlane also have web browser extensions that make it extremely easy to have a different strong password for each website visited. They often also have the capability to provide for personal and professional password vaults to ensure that users have a common experience to improve the likelihood that they will adhere to using a password manager and not using only “password123.”
  3. Patch and Update Regularly

    Software developers—including those who write operating systems, office platforms, and even security software—are human, and bugs or vulnerabilities can exist in even the most secure computing platforms. As these issues are discovered, software manufacturers will fix and release new versions of these products. It’s critical that you have a regular cadence for updating the operating systems, applications, and security tools that your company depends upon. When responding to incidents, it’s not uncommon for responders to find several “critical” systems to an organization that are running on long outdated and unsupported versions of Windows or Linux servers. Outdated and unsupported operating systems often have several vulnerabilities and wide-open attack surfaces which serve as open doors for attackers.

    Needless to say, always make sure your organization’s antivirus (you do have an organization-wide antivirus in place already, yes?) is regularly updated to receive the freshest definitions and algorithms, but remember, antivirus only helps with malware-based attacks.
  4. Tighten Existing Controls

    In nearly every operating system, network, file system, and application, user accounts have varying degrees of permissions to accomplish tasks or access data. Administrators tend to have the most and standard users tend to have the least. Ensure that each user account, including system accounts used for handling automated tasks, has the amount of authority and permissions necessary to complete the job at hand—but no more. For example, while a company’s CEO might drive the policy and agenda for the entire organization, he or she doesn’t necessarily need access to detailed engineering plans or code repositories; they won’t use that data as a course of normal business, but it expands their attack surface tremendously and increases the potential for a catastrophic breach should their credentials be compromised by clicking on a nefarious link in an email message.
  5. Use Two-Factor Authentication Whenever Possible

    Operating systems, application platforms (such as Microsoft’s Office 365), and many websites provide enhanced security and authentication through “two-factor authentication.” Two-factor authentication often combines something you know (such as a password) with something you have (such as a one-time randomized key) to authorize credentials. At a minimum, two-factor authentication should be a requirement for any Office 365 Administrator account, and it’s no less recommended for standard user accounts as well.

    Two-factor authentication is often accomplished through a program that runs on one’s mobile phone, providing “one time passcodes” that rotate every thirty seconds with a unique number that will provide an additional verification your user credentials. Common two-factor authentication programs include Google Authenticator, Authy, and Microsoft Authenticator, and many password manager programs also can generate authentication passcodes as well.
  6. Have an Incident Response Plan, Even Minimally

    Due to the growth in cyberattacks and cybercrime, organizations are beginning to understand that it isn’t about if they’ll face a data breach, but when. As a result, the difference between catastrophic organizational damage and cyber resiliency can be the manner and speed in which an organization responds to a breach when it happens, along with the programs, procedures, and processes in place beforehand to best position the organization for recovery.

    While a full incident response plan with trained, dedicated staff at the ready is great, this is definitely an area where perfect shouldn’t be the enemy of good. Critical days or even weeks can be lost after a breach while a company looks for an incident response contractor, negotiates contracts (at panic pricing), and waits for the contractor to begin their response in an unfamiliar network belonging to an unfamiliar company. When you don’t have an active incident is the time to contract with an incident response and/or managed security services firm, because you can set fair pricing, reasonable retainers, and the contractor will have time to learn what’s “normal” in your company and network before a crisis happens. Even if your plan is to “call our account rep at our incident response contractor,” that can be enough to stop a security incident from becoming a security breach.
  7. Encrypt Data at Rest and In Transit

    Most desktop and server operating systems can encrypt the contents of their hard drives right out of the box. From a single user’s laptop to the information stored in your corporate-wide databases, encryption should be the standard, not the exception. Before a computing device is provided to an employee, activate the on-board disk encryption to reduce exposure to loss or theft, and ensure that your cloud computing platforms, corporate databases, and email servers are also covered by their encryption capabilities. Emergency decryption keys can be stored within the safety of your password manager for cases when an employee leaves suddenly, but not providing encryption on that employee’s laptop can be a disaster if it’s lost or stolen in an airport café.

    Speaking of travel, when employees are on the road, they should connect to the Internet through a Virtual Private Network (VPN), preferably one provided by and running through the corporate network to maintain control and assure data security. Open Wi-Fi access points may be a boon to travelers, but they’re also a goldmine for data thieves who may listen-in on unencrypted connections. In a pinch, commercial VPN services are also available on an individual basis, and computing enthusiasts can set-up their own using open-source platforms such as AlgoVPN for the price of a cup of coffee.

In summary, while there is no one end-all, be-all to cybersecurity, there are a number of simple, practical steps that organizations can take to dramatically improve their cybersecurity posture. Many of these options are free or come with the software you’ve already purchased. Others, while they do charge a fee, cost significantly less than the amounts associated with a data breach in loss of customer confidence, loss of intellectual property, incident response costs, fines, penalties, legal fees, and more. Cybersecurity should be another risk that needs to be quantified, monitored, and managed by your C-suite and Board, and policies must be drafted and enforced accordingly.

Returning To Work In Society’s New ‘Normal’

How companies should plan to return to work and emerge from COVID-19 stronger and smarter.

As the response to the COVID-19 pandemic progresses, many companies have established operational crisis management teams and adjusted to global restrictions on work and movement. Executives are now beginning to ask the question: How are we going to return to work?

As of April 2020, some countries are starting to ease restrictions, allowing for more freedom of movement and the reopening of specific industries. In the United States, The White House has announced guidelines for re-opening the nation in a three phased approach. These guidelines include thresholds for states to satisfy in the following areas: trajectory of reported symptoms; trajectory of reported cases; and ability for hospitals to care for patients and provide ongoing testing.

Additionally, multiple groups of governors have formed regional coalitions to coordinate reopening their states in a unified way. While it is challenging to predict when each country and U.S. state will begin to return to the workplace, many predictions point toward restrictions being lifted gradually over the next few months, depending on your location.

Regardless of precisely how governments decide to ease their restrictions, companies need to plan for an orderly and thoughtful approach to returning to work. There are three crucial steps to accomplishing this:

  1. Build a return-to-work plan.
  2. Work through the stages of partial and full operations.
  3. Increase resilience through monitoring for possible virus resurgence, completion of after-action reports, and program enhancements.

By doing this carefully and methodically, businesses can begin the process of restoring operations while also ensuring that they do not take one step forward and two steps backward in returning to work.


Build a return-to-work plan

Companies first need to consider the structure in which a return-to-work plan will be created. That structure will need to include identifying stakeholders; outlining authorities and decision trees; defining critical information requirements; identifying assumptions and variables; and, of course, creating detailed execution checklists for individual business units.

It’s essential to examine each part of the return-to-work program in detail:

  • Identifying stakeholders: Most of the critical stakeholders may already be members of the Crisis Management Team. Members should include representatives from major business units and support functions.  
  • Outlining authorities and decision trees: As your company prepares to make return-to-work decisions, it is important that a decision tree is outlined in advance and that the company agrees on who has the authorities to make those decisions. At a minimum, a company will need to answer three basic questions before returning to work. Those questions are:​
    • Can we do it? Is physical access possible through government easing of restrictions or landlord policies?
    • Should we do it? Is it safe for staff to commute to and occupy a given work site? Additionally, are there supplemental government restrictions like the required use of personal protective equipment (PPE) that the company must provide for occupants?
    • How will we do it? Who within the company makes the final decision to open a work site, and what are the steps (checklist items) the business units will need to follow? 
  • Defining indicators: Sometimes referred to as triggers or critical information requirements, these indicators will likely come in the form of the lifting of government orders or easement of agency (e.g., Centers for Disease Control and Prevention, World Health Organization) guidance. This type of information will indicate a country, state, city, or region is ready to begin the process for considering reopening non-essential work sites.
  • Identifying variables: Any lifting of work and movement restrictions will likely occur in a phased approach. Governments and agencies will closely monitor infection cases and use that information to determine next steps to further ease restrictions or revert to prior levels. Some of the variables companies will need to consider are:
    • Countries will only begin to ease work and movement restrictions when they see consistent reductions in new infections and are comfortable that they have available medical capabilities and hospital beds to handle any potential resurgence.
    • In the U.S., individual states will start to return to work in segments (coastal states first with interior states to follow). Additionally, state governors are likely to extend restrictions beyond federal government deadlines due to the differences in when peak infection cases are reached.
    • Restrictions are likely to remain in the workplace, and it is possible to see government orders that could require a reduction of in-person workforce by half, staggered work schedules, or some other measures to keep occupancy low while the effects of returning to work are measured in any potential new infection cases.
    • Guidance or government orders may include parameters around which segments of the population can work first (e.g., low-risk and immune persons may be allowed to return first, while higher-risk populations will be required to remain at home).
    • Some governments are requiring PPE for employees (e.g., China, France, and, in the U.S., New Jersey, New York, and some counties in California and Florida). In these cases, companies will need to prepare for and provide the required equipment before staff are allowed back into the work site. Lead times for this equipment can be very long, so advanced planning is required.
    • Manufacturing and pharmaceutical equipment may require re-calibration and, in some cases, re-certification by the Food and Drug Administration (or local equivalent). Lead times for these processes could extend many weeks or months.
    • Finally, companies will need to determine what other government regulations are required of them prior to opening a work site. For example, in Alameda County, California, there is currently a regulation requiring employers to post notifications to the buildings informing staff of the potential dangers that may still exist.
  • Creating detailed execution checklists: For individual business units, both business unit and support function checklists will need to be created to help ensure proper steps are completed prior to staff returning to a work site. Additionally, critical third parties must be accounted for when preparing to return to work.

Working through the four stages

A return-to-work plan should account for four main stages and allow for a clear roadmap in moving from a (1) current state, to a (2) partial or limited opening, to a (3) full resumption of operations at capacity. The fourth stage accounts for the need to continue to monitor for virus resurgence. This allows for a diagnosis of how the company performed during the crisis and how it will improve going forward.

The situation, objectives, indicators, and actions should be clearly defined for each of the four stages that a company expects to move through during the return-to-work process. Those elements are detailed as follows:

  • Situation – Parameters are established to help define the given stage. This is especially helpful in determining when a company can begin to move from the partial opening to the full opening stage.

According to World Health Organization director-general Tedros Adhanom Ghebreyesus: “The last thing any country needs is to open schools and businesses only to be forced to close them again because of a resurgence.”
Source: https://www.reuters.com/article/us-health-coronavirus-wuhan-secondwave/beware-second-waves-of-covid-19-if-lockdowns-eased-early-study-idUSKBN21D1M9

  • Objectives – A company articulates what is most important in each stage. It could be maintaining cash flow, re-establishing connections with clients and customers, re-evaluating supply chains, or completing a look back at the event with an eye toward future maturity.
  • Indicators – This information is gathered from both government orders and agency guidance. It informs the company what is or is not allowed from a movement, work, or health and safety perspective.
  • Actions – Finally, companies should outline how they will act within each stage. This may take the form of specific actions related to People, Process, and Technology.

The final stage of the return-to-work plan is to monitor and prepare. Here it is incumbent on companies to continue to monitor for any resurgence in the virus, identify changes to government restrictions and agency guidance, and better prepare the company to be more resilient toward future disruptions. This is also the stage where companies should do a “look back” to evaluate if any controls were relaxed during the work-from-home period.

There is growing concern among academics that a second wave of virus infection cases may occur later this year. Given that possibility, companies should take full advantage of the expected break over the summer and early fall months to begin to perform after-action reports and outline a plan for improvements. Those in highly regulated industries (e.g., Financial Services, Pharmaceutical) should further prepare for regulatory inquiries on how they are planning to address gaps. Regardless of industry, it is always better to show the Board and regulators (if any) that gaps have been self-identified, remediation programs outlined, and resources allocated.

This will also be the time for companies to build a consolidated operational resiliency function. In this environment, resiliency components are no longer siloed but are integrated and provide end-to-end recoverability regardless of the next business interruption.

Conclusion

As companies continue to navigate these uncharted waters, it is essential to understand that business may fundamentally change when we come out of this. A return to “business as usual” may also be a return to a new normal where we re-evaluate how we work, where we work, how we interact with customers, and where our products are made. Supply chains and concentration risks will be reassessed, and executives will begin to evaluate outsourcing and the use of low-cost locations with more of a risk lens and not merely a cost-cutting lens.

Like every systemic shock to the economy, winners and losers will emerge. One need only look to the long list of defunct internet companies from the late 1990s or the more recent list of white-heeled boutique banks that didn’t make it out of the 2008 financial crisis. In most cases, the firms that emerged had strong risk management programs and decisive leaders who executed on clearly defined recovery plans.

That is why now is the time for companies to begin working on the following three return-to-work steps:

  • Build a return-to-work plan.
  • Work through the stages of partial and full operations.
  • Increase resilience through monitoring for possible virus resurgence, completion of after-action reports, and program enhancements. 

Audit Committee Questions During Pandemic

As audit committees weigh the practical challenges of accounting, reporting and disclosing the impacts of COVID-19, the following series of questions are designed to assist audit committees in execution of their oversight roles and responsibilities to ensure the performance of high-quality audits and issuance of transparent and reliable financial reporting.

Audit Specific Questions

  • What unintended consequences of COVID-19 may increase incentives or pressures on management that may result in management override of controls?
  • Are there changes in controls over financial reporting that need to be evaluated to ensure management certifications are adequate?
  • Are we able to ensure continued proper segregation of duties and monitoring controls given changing physical work situations?
  • Have any significant risks or material weaknesses been identified as a result of impacts from COVID-19?
  • What changes in risk assessments have auditors determined need to be made and how will that impact the audit strategy?
  • Are there known impediments – either by management or by the auditors – that may delay timely filing of financial statements? (e.g., lack of access or ability to obtain audit evidence or other information)
  • What additional resources or expertise may be needed by management to properly account for judgments or estimates or changes related to circumstances brought on by COVID-19?
  • What additional efforts may be required by the auditor to ensure the performance of a high-quality audit?
  • Does my audit firm have the depth of or access to adequate resources to address complex accounting and auditing questions, including industry-specific matters, as they arise?
  • Do my management teams, as well as my auditors, have the ability to properly supervise and direct the work of their staff and teams?
  • Are there additional challenges in performing auditing procedures due to multi-geographical considerations?
  • Has COVID-19 impacted circumstances that may call into question the company’s ability to continue as a going concern? What are management’s plans to address? How do these impact the auditor’s going concern evaluation?
  • Are there any auditor independence issues that have arisen with respect to COVID-19?

Accounting and Reporting Specific Questions

  • Has management adequately assessed changes in risk factors impacting our business? Are these appropriately reflected in our financial statements?
  • Has management properly identified significant accounting areas where impacts from COVID-19 are likely? Has management further accounted for related income tax effects of these impacts?
  • Have we properly accounted for and disclosed changes in significant estimates and judgments impacting the financial statements?
  • Has management, along with the auditors, identified applicable relief opportunities with respect to the 2020 CARES Act and appropriately factored these into the accounting and reporting, including income tax effects, within the financial statements?
  • Are there accounting or disclosure matters that have required significant consultations outside of the audit engagement team?
  • Have the auditors and management identified significant or industry-specific matters related to the interaction of the CARES Act and GAAP or GAAS impacting our financial statements that need regulatory consultation?
  • Has new information arisen regarding COVID-19 events contained in previously filed financial information that requires updating of current disclosures?

Corporate Governance Specific Questions

  • As an audit committee, how are we maintaining our education with respect to COVID-19 considerations, relief efforts and related risks and opportunities?
  • Are we appropriately engaging with internal and external stakeholders and providing transparent and consistent communications about significant impacts on our business?
  • Are we allocating enough time and making ourselves available to discuss critical issues as they arise with management, the auditors and the board?
  • Are we keeping the full board appropriately updated as to significant challenges with respect to financial accounting and reporting?
  • Are we considering responses to anticipated questions from shareholders during upcoming annual meetings?
  • Is management actively and effectively engaging with lenders, customers and other stakeholders in a timely and productive manner and are the results of those engagements reflected in the financial accounting and reporting?
  • Are we, as a board committee, appropriately considering additional risks that have arisen related to other stated committee responsibilities as described in our Audit Committee Charter – e.g., COVID-19 cybersecurity and data privacy risks?