by Chris Arnone, Jon Powell and Journet Greene
That moment you thought would never come has just arrived. Your trucking company’s systems have been compromised, and hackers have stolen a significant amount of money. As you race to secure your systems and try to recover the funds that were stolen, you become distracted from your core business strategy of serving customers. How did this happen? Could it have been avoided? Where do you go
According to IBM’s 2019 U.S. Cost of Data Breach Report, the average cost of a breach is $3.92 million, with 67 percent of the costs occurring the same year, 22 percent in year two and 11 percent in year three. Additionally, on average, it impacts 25,575 records and is only discovered a staggering 279 days after the breach has occurred. So what should trucking companies be doing now to sleep better at night? Here are the top strategies for protecting your business from cybersecurity threats.
LOCKING THE DOOR
The best way to protect your company is to “lock the door,” making it difficult for attackers to infiltrate your environment. This is your first line of defense and one of the most important. To identify potential weaknesses in your IT infrastructure, external penetration testing should be performed at least annually. Then ensure that any identified findings from the test are addressed by IT and executive management in a timely manner.
Next, it’s time to perform an internal vulnerability analysis of your network’s configuration to identify devices (e.g., switches, routers, firewalls, servers, laptops) that are subject to exploitation. Similar to the external penetration test, we recommend that this internal analysis is also performed on at least an annual basis and that findings are addressed timely by management.
Finally, with the increased use of multiple cloud solutions and other incoming connections to the company’s network, such as employees working from home, it is essential to require two-factor authentication on all cloud solutions and incoming connections to the company’s network.
SECURING THE PERIMETER
While employees are the lifeline of your company, when it comes to cybersecurity, they are also your greatest security risk. The most common exploit used against employees continues to be phishing. Phishing is the fraudulent practice of sending emails purporting to be reputable companies, customers, vendors or company employees (e.g., IT administrators, finance and treasury managers, or other executives) in order to convince your employees to reveal sensitive information, such as passwords, company banking or credit card information, or even to execute a business transaction with the phisher. Phishing attacks have become more sophisticated, where attackers will obtain your password through a bogus email and take no immediate action. You remain unalarmed, as the attacker lies unnoticed, reading your emails and learning your interaction and communication styles. The attacker
- Send out invoices to your customers with updated payment instructions.
- Send out requests to management to initiate urgent wire transfers.
- Request payroll or ask human resources to update an employee’s direct deposit information.
- Exfiltrate proprietary company, customer and other information by leveraging access to historical emails and linked access to other Office 365 applications (i.e., Microsoft SharePoint, Teams).
You may remain oblivious as the attacker puts email rules in place to redirect all incoming emails to a hidden folder in your mailbox or another email address. With these rules in place, you will never see the replies on the bogus requests. You may notice a quick flicker in your inbox or your number of unread emails going from 10 to 11, and then back to 10 almost instantly. This indicates you should immediately stop, notify your IT department and check your email rules to identify any suspicious items.
To combat these phishing schemes, we recommend the following best practices:
- Implement two-factor authorization for email accounts.
- Provide and require employees to complete cybersecurity and phishing training on at least an annual basis.
- Perform test phishing exercises to identify which employees are most vulnerable to these attacks. Companies can publish these results to their employees to provide increased accountability.
- Deliver praise and other awards for employees who pass phishing exercises or otherwise identify suspicious emails.
- Provide employees a way to report suspicious emails.
- Implement an email cloud service that sits in front of your email server and can filter for spam and phishing. These services are reasonably priced and can also provide email link validation to reduce the impact of employees clicking on “bad” links.
- Request that employees review their inbox rules for any unknown items on a quarterly basis or when they see a “flicker.”
- Ensure that anti-virus and anti-malware solutions are deployed on each employee’s computer.
Once a hacker has gained access to an employee’s email, another common attack is to implement a wire request. Even without gaining direct access to your email, attackers can still attempt to initiate a wire on your behalf by sending a spoofed email or one that uses an email address very similar to your domain (i.e., [email protected] vs. [email protected]).
We would suggest companies ensure they have the following internal controls in place and reinforce them frequently to prevent a fraudulent wire transfer from being perpetrated:
- Up-to-date policies on wire processes that all finance and accounting employees review and sign.
– Consider requiring verbal confirmation of the wire recipient’s details.
– Consider verifying all email signature contact information by performing a web-based search.
– Consider requiring email confirmation from the wire recipient upon receipt of funds.
– Consider training and acknowledgment of policies for all new finance or treasury hires and annual confirmation of policies by existing employees.
- Implementation of two-factor authentication with your banks via software or hardware solutions.
- Policy that all wires require a separate initiator and approver.
– Consider a third segregation of duty for a preparer that pulls together the details of the wire, including confirmation of wiring instructions.
PRACTICING GOOD HYGIENE
Similar to the advice we are receiving related to health practices with the COVID-19 pandemic, practicing good hygiene in IT terms is a key component to keeping hackers out of your network. One of the simplest, yet most effective practices, is requiring employees to utilize lengthy, complex passwords. Encouraging the use of phrases or sentences as part of a password to maximize password strength is strongly recommended.
Not all hackers take what they need and leave. Many hackers may continue to access your account to either monitor your data or steal additional information over time. Just like you are encouraged to wash your hands frequently in the current health climate, it is important to change your password on a regular and ongoing basis. Increasing the frequency of updating passwords will reduce the risk of a hacker continually monitoring and accessing your account, keeping your IT systems safe and healthy.
HAVING A BACKUP PLAN
Having a robust off-site backup solution in place is critical to provide the ability to restore your data and IT operations in the event of an incident (e.g., ransomware attack, disk failure, data breach). Replication is needed for high availability in case the primary data center/server room becomes unavailable for use.
Consider a review of your current backup and replication configuration. And yes, you should have both.
- Replication configuration should include notification of any failures to replicate data.
- Backup and replication configurations should be defined separately for each core application.
- Backups should be stored separately from both the source data and the replicated data.
- Backups should be tested quarterly via restore procedures. (This doesn’t require a full system restore, but could simply restore a single application server, database or directory to confirm that data is readily readable and available.)
- Disaster recovery testing should be considered on an annual basis to ensure systems can be brought back “from scratch” in the event of an incident.
Now that you have locked the door on cybercrime and deadbolted it with a secure perimeter, good hygiene and a backup plan, let’s explore a couple of additional areas to consider as you navigate the COVID-19 crisis and its effect on your business.
COMBATING COVID-19 IT THREATS
Employee Terminations: As the COVID-19 pandemic continues, businesses are considering different strategies on how to mitigate financial impacts to ensure overall financial health. In doing so, many companies are implementing furloughs, reductions-in-force (RIFs) and layoffs. If that difficult decision is made, businesses should consider these important security steps as part of their termination process to protect their organizational, financial and customer data.
- Disable the employee’s access to all relevant systems, including cloud systems (e.g., Salesforce, QuickBooks Online, Office 365).
- Ensure the employee returns any company-owned property (e.g., laptops, tablets, manuals, USB drives).
- Change the employee’s voicemail and email passwords.
– Set an automatic email reply on their email account that lets incoming emailers know they are no longer with the company.
– Grant another employee direct access to their account or forward all incoming emails to that employee so they can respond accordingly.
– Require staff who worked closely with this employee to change any shared passwords.
- Contact customers and/or vendors who worked with the employee, alerting them of the employee’s change in status and providing a new company contact.
Web Conferencing and Meetings: Virtual meeting security has likely not been top of mind prior to the flood of companies now being forced to leverage this platform for daily team communication. While the necessity of virtual meetings is paramount in this current environment, there are related security risks with the use of web conferencing technologies that should be understood and managed.
Meetings, whether conducted in-person or via web conferencing, often include the discussion of sensitive and confidential information.
That information being compromised could result in the loss of proprietary company information, customer data or even a loss of revenue.
Whether using third-party web conferencing technology or a system that has been developed in-house, it is essential to consider not only its ease of use, but also the security of the tool and those using the technology on a daily basis.
Consider the following to help stay secure while using web conferencing technologies:
- When creating a new web conference meeting, select an option to require a password. This will prevent those without the password from joining the meeting.
Note: Remember to provide the password to meeting attendees in a separate email, phone call or text message.
- If hosting the web conference, continue to monitor those who have joined. To assist with this, most solutions allow the meeting host to replace phone numbers with the caller’s name. Consider also using a notification chime to inform of new attendees.
- While in a web conference, do not click on any links that may appear in the chat window. If one of the presenters or attendees wants you to follow a link, this is a red flag, especially if you do not recognize them.
WEATHERING THE STORM
This is a difficult time for businesses. The transportation industry, in particular, is facing extreme challenges as it is playing a critical role in maintaining the nation’s strained supply chain. While this work is saving lives, getting essentials to people who need it and helping keep our country afloat, it comes with increased demand, causing even longer hours than usual for many of its management, staff and drivers. When a crisis hits, it can be overwhelming to prioritize all that needs to be done. However, if you are uncertain of the strength and security of your IT systems, this belongs on your priority list because hackers will, unfortunately, capitalize on vulnerable times. If you need help, IT risk assessments as well as vulnerability and penetration testing can be done remotely by cybersecurity experts. This allows you to continue your business operations, ensuring you are not only protected during this challenging time, but are also prepared for the next disruption.
Chris Arnone, CPA, is partner; Jon Powell, CISA, CPA/CITP, is partner; and Journet Greene, CISA, is Risk Advisory and Compliance Services director with Moore Colson.