Preparing for Cybersecurity Questions from Your Auditor
Cybersecurity risks ran high during the COVID-19 pandemic. According to Bitdefender, a cybersecurity and anti-virus software company, there were 1,448 malicious COVID-19 related threats reported in February 2020, and 8,319 reports as of March 16, 2020. Many of these threats came through phishing email messages designed to “hack and leak” your company’s and employees’ information.
An information security breach presents a significant financial risk to your organization; data breaches for companies average $7 million per breach, which includes discovery costs, customer notification costs, legal fees, loss of revenue, and loss of reputation. Given the financial risks involved, controls around information security are vital. They became even more important when the COVID-19 outbreak had the majority of employees working remotely, because of the increased reliance on email, voice conferencing, and conducting business virtually.
Regulators and auditors may be asking additional questions about what your organization did to secure its information while the majority of employees had to work from home. In the second article of our phishing series, we provide some of the key questions about information security measures that your organization should be able to address.
How Sophisticated Was the Employee Training?
Malware distribution via email often uses file attachments or links. Once an email with an attachment or link is received and the user clicks on it, the malware or ransomware is installed on the computer. Most malware, ransomware, and viruses multiply throughout the organization’s network very quickly and can shut down an organization in minutes.
All employees should be reminded of the risks of clicking unknown attachments or links within emails, even if the emails seemingly come from a known source. Cybercriminals may be reaching out with a “spoofed” email — a message that seems legitimate but is coming from a bad actor — after having “watched” activity on your network for several months. This means the cadence of the email may seem like it’s coming from an employee or someone you know. For example, a phishing email may be sent to the Controller from the “alleged” CFO (really just a bad actor posing as the CFO). The bad actor tells the Controller in the email to “approve and send the $40,000 wire to the vendor as I am on vacation and can’t be reached.” The phishing scam is successful if the Controller sends the wire based on the “alleged written approval.”
Training procedures should reiterate that cybercriminals are becoming increasingly sophisticated, and if there are any red flags about what an email request is asking for, the request should be verified through a phone conversation with the individual making the request, regardless of whether the individual is another employee or a trusted vendor. In the CFO/Controller example above, the organization could prevent a bad actor pretending to be the CFO from obtaining the wire transfer if it required the Controller to call the CFO for verbal approval prior to sending the wire.
Where Is Your Sensitive Information Stored and Is It Secure?
Auditors may want to know how physical access to critical resources was monitored for authorized access during any COVID-19 modifications to the worksite.
If your organization houses financial information on its servers, auditors may want to know if the data is kept “offline.” It is recommended that a version of the data be backed up to an off-site server, so that if the network were to be penetrated or encrypted by malware, there would be a safe cache of financial data that could be used as a back-up.
Are System Access Points Authenticated?
Questions may arise from auditor teams around controls over access to applications and data for remote employees, temporary workers, contractors, and any employees that were furloughed as a result of the pandemic.
All organizations should be using two-factor authentication to permit user access to the VPN, applications, databases, key financial websites, and other systems with potentially sensitive information. The control helps ensure that even if malware steals the user’s ID and password, the cyber actors would not have the second level of authentication (which is typically a randomly generated 6-digit number received on the employee’s mobile phone or RSA key fob).
Your management team should be able to produce information about how remote and VPN access was granted and revoked, particularly during the COVID-19 work-from-home arrangements.
Are You Up-to-Date on Software and Security Protections?
Auditors may ask additional questions about how existing systems were upgraded or patched remotely.
Organizations should establish a protocol for installing security updates on applications and operating systems when they become available (after the company has tested them in a test environment). The latest anti-virus and anti-malware signatures should be installed on servers and workstations on a routine basis. This should fix newly discovered exploitable bugs and vulnerabilities while reducing risk to your company’s information security environment.
How Did Travel Restrictions Affect the Control Environment?
Another external auditor consideration may include determining if travel restrictions could have materially impacted the ability of the company to operate across multiple locations while maintaining effective internal controls. Many organizations suspended inter-office or location travel for employees during the pandemic, which may have affected traditional oversight functions. Organizations should be prepared to provide additional detail about how supervisors provided any needed oversight without being physically present in an office location.
How Did Your Organization’s Key Vendors Respond to the COVID-19 Situation?
Your control environment is only one piece of the risk environment in which you operate. If your company relies on outsourced service providers or key vendors to conduct its business, auditors may assess the additional risks those vendors pose to the company’s control environment. This will be particularly true if volume increased during this time or additional services were requested of these providers and vendors.
Being able to address internal user concerns as well as questions from external auditors will be crucial over the coming months. For additional information on information security best practices and protocols, please contact us. Our COVID-19 Resource Center contains additional insights about the ways in which the pandemic affects your operations.
Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).