In the post-pandemic world, the number of people working remotely has skyrocketed. The result has been more satisfied workers across the globe – as well as new opportunities for cyber-criminals, who are feasting on vulnerabilities created by companies being forced to onboard, train, and connect a workforce that spans various countries and often numerous continents.
Many companies adopted work-from-home or remote work policies out of necessity and have not always been careful to implement tight security protocols. The time has come to tighten security in all departments or risk falling into the hands of hackers and internet identity thieves.
The following are five operational processes that are particularly vulnerable to cybercriminals:
1. Payroll
No operation in any company is as attractive to cyber criminals as payroll. Not only does payroll involve transferring enormous sums of money from one place to another, it also contains a treasure trove of personal information, including bank details, addresses, birth dates, and much more.
Even if a hacker doesn’t manage to divert the flow of funds to their own accounts, the amount of data that can be sold to identity thieves online is second to none. It’s not an exaggeration to say that payroll data may well be the holy grail for hackers of all types.
At the same time, payroll is often extremely vulnerable. People routinely use unsafe channels like email (see below) to send payroll information, usually with no encryption at all. Payroll is also one of the last areas in most companies to adopt new technology that can make it more secure, although times are changing. A new set of start-ups such as Papaya are adding levels of security to payroll through their secure, automated platforms.
With these secure new channels, payroll data is never exposed to the prying eyes of criminals. What they can’t see, they can’t steal. Payroll is entering a new stage of security, but only when it stops relying on spreadsheets and moves to automation.
2. Email
Nothing has entered the world of work as deeply as email. We all use it all the time to ask and answer questions, share documents of all types, and even as a backup for files because of its easy access. Naturally, the ubiquity of email makes it especially attractive to skilled cyber-criminals.
There are several ways online criminals target email accounts. The most common forms are spoofing and phishing. Both have proven extremely successful in gaining access to information that can cause companies tremendous damage, either because the information is proprietary and extremely valuable or because it compromises the personal data of employees, which can damage a company’s reputation and hurt relations with its employees.
A spoof page is designed to look like a legitimate page from a reliable source but is in fact a fake. A common form of spoofing through email takes place during tax season. That’s when companies are often engaged in a great deal of back and forth with various accountants and lawyers. The email exchanges often contain sensitive financial information and are highly attractive to cyber-thieves. A spoof page that appears to come from an accountant and requests sensitive data can be hard to detect, especially during a period when such emails are being sent.
Another form of spoofing through email takes place within a company itself. A regular employee might receive a fake email that appears to come from the CEO or CFO asking them to carry out an emergency task. The email may contain a link that carries a virus, or it may ask them to deliver sensitive information to a third party.
Of course, phishing schemes that try to gain access to a person’s computer are often delivered through email. Look at your spam folder at any point to find dozens of examples of phishing attempts.
3. IT
Security against cyberattacks can be described as a game of cat and mouse. Cybercriminals locate a vulnerability and exploit it, then security scrambles to close the opening. In many cases, after a vulnerability is discovered, cybersecurity companies will send a piece of code to seal the breach. It usually falls on IT to make sure that the seal is implemented correctly.
But what happens when the code a cybersecurity firm sends out is not a seal but the breach itself? That’s exactly what happened with SolarWinds, the victim of one of the biggest data breaches in history. SolarWinds provides important IT monitoring tools to many companies worldwide. However, a breach in its system resulted in the company sending compromised updates to many customers. Because SolarWinds software monitors IT, its updates bypass many of the usual checkpoints.
As a result, the department that often stands as the first line of defense against cyber attack was the department where the breach took place.
The lesson is clear. No one, not even the most tech-savvy person at the company, is immune to cybercrime. If the IT department can get hit, every other department needs to double down on security measures.
4. User Access Policy
When too many people have access to sensitive information, the potential risk can be multiplied many times over. Conversely, simply limiting the number of people who have access to sensitive information can dramatically lower the risk.
Unfortunately, too many companies have lax user permission policies, or even no policy at all. But if a hacker gains access to someone’s user profile, they will only be able to steal as much data as that person’s profile can reach.
Some departments, such as finance, might need to access a company’s most sensitive financial information. But other departments, such as marketing or design, may have no reason to access that information. Simply limiting the level of permissions people have to the areas they absolutely need will serve as a layer of protection.
5. Human Error
People are the biggest threat to a company’s data security. A huge number of data breaches take place because of human error. People often stay logged in to accounts when they leave a computer. If the computer is lost or stolen – something that happens with greater frequency with remote work – the data stored on the computer or the access it has to important and sensitive data is compromised.
While human error will never be eliminated as long as people are involved in operations, the risk they pose can be minimized through automation. The more processes there are at a company that take people out of the equation, the less chance there is for human error to rear its head.
Automation is nothing new. Machines have been replacing people in tasks such as building cars and serving as bank tellers for many years. The difference is that technology has reached a point where more tasks than ever can be automated. The process may save time and reduce costs, but the greatest benefit may be one that gets overlooked too often – it may dramatically reduce the number of data breaches brought on through simple human error.