Cybercrime

In the early 2000s, as the business world began to return to a more normal mode of operations after the events of September 11, 2001, I had a lengthy discussion with the CIO of a large insurance firm. We had known each other for many years and would typically have quarterly deep-dive meetings to discuss areas of strategic interest. I asked her, “What’s keeping you up at night right now?” I had expected she would discuss the enhanced physical security issues facing all New York City businesses at that time.

Instead, she responded, “Pandemic planning.” I was stunned by her reply and asked, “Why pandemic planning, and why now?” She said that as a consequence of the impact of September 11, she was grappling with the fact that the core infrastructure of her company could only support 10% of the workforce being employed remotely, versus a potential need in a pandemic to have up to 80% of the workforce operate from their homes or other safe locations.

This conversation led to a series of business, governance, and IT decisions that guided the insurance company’s direction for the next 17 years and left it well prepared to deal with the consequences of the current coronavirus (COVID-19) pandemic. This shows the benefit to business of critical strategic thinking and the need to think about the unthinkable.

In the company’s efforts to move down this path, it leveraged both its internal and external audit teams to act as a check against the project management office (PMO) and help ensure that the critically identified business needs were met. As a risk-oriented organization, it made perfect sense for the insurance company to operate under this paradigm.

How This Affects Today’s Environment

As of this writing, it is clear from government briefings and news sources that the country’s response to the current pandemic was slow and disjointed. Deborah Birx, the lead coordinator of the White House’s COVID-19 task force, indicated that the United States should have instituted social distancing at least two weeks earlier than March 14, 2020.

Birx and Anthony Fauci of the National Institutes of Health both presented data models over the weekend of March 28 and 29 that predicted 100,000 to 200,000 U.S. deaths from COVID-19, even if the current restrictions were to be maintained (Bobby Allyn, “Fauci Estimates That 100,000 To 200,000 Americans Could Die From The Coronavirus,” NPR, Mar. 29, 2020, https://n.pr/2Ye0lF5).

How This Affects Auditors and Business

In the March 2020 Harvard Business Review, Brenda Sharton asked, “Will Coronavirus Lead to More Cyber Attacks?” (https://bit.ly/2xPy6Sd). The answer is a clear-cut “yes.” Already in the weeks since the infection hit the United States, the Department of Justice shut down a website that was advertising free COVID-19 cure kits from the World Health Organization (WHO). This bogus operation was taking credit card information “only” for “shipping and handling” and then would send out a “WHO-certified COVID-19 cure” to the victim. The “cure,” of course, was a fraud; the site was just stealing payment card information (PCI) and selling it on the dark web. Fortunately, law enforcement acted swiftly to stop these criminals and limit the damage caused.

Then there is the overall economic impact. While it is too soon to gauge the damage to the economy, the mitigating steps taken now will help limit the consequences and help the country recover faster after the pandemic subsides. Auditors will play a key role now and moving forward in helping organizations structure processes and procedures to restore normal business operations without adding risks. The following are some best practices to be considered.

Best Practices

Set up and enhance remote access.

For those staff members who require remote access even if the office is closed, make use of essential IT businesses that remain open to get the necessary technology in place to enable staff to connect to critical systems. This can be accomplished by doing the following:

  • Prioritize all the organization’s applications into tiers (e.g., Tier 1, Tier 2) based upon how long systems can be unavailable without substantial negative business impact.
  • Have the IT department provide maps of all feeder systems for Tier 1 and Tier 2 applications.
  • Make sure that all employees who require access have adequate network throughput to access the information from their homes. The bandwidth is out there, and network providers can increase service speed without coming to an employee’s residence.
  • If multifactor authentication (MFA) is not enabled, enable it and put tokenization methodology into place. If physical tokens (e.g., PIV, PIV-I, CAC, RSA dongles) cannot easily be obtained, use a software MFA solution (such as Microsoft Authenticator, Symantec VIP Access, or Smart Lock).
  • Encourage the use of secure networking tools. Instead of using regular Wi-Fi, look into getting an enterprise license for a VPN solution that can be used on any employee device, even personal devices. Include mobile devices as well as notebooks and desktops.
  • Beware of phishing attacks. Phishing attacks are ubiquitous, but they increase in frequency during any sort of disaster. Any e-mail that offers a cure or treatment for COVID-19 is a phishing scam, and employees need to know this before they click on the link.
  • Publish the CDC COVID-19 guidelines to the organization. The most current COVID-19 information from the CDC is available at https://bit.ly/2VSqkzg. If additional resources are needed to augment overwhelmed HR departments and service desks, consider using one of the reputable digital agents on the market that reference the CDC guidelines. Both Microsoft and DXC, as well as other sources, have digital agents that work and can be quickly implemented.
  • Implement a rapid notification system. Use mobile capabilities to instantly notify employees of critical situations, even when the company’s e-mail system is out. There are numerous apps that operate on both iOS and Android devices that permit organizations to instantly reach out to every identified mobile device tied to an enterprise with critical updates. These tools take only hours to implement.
  • Employ good physical access controls. An example of social distancing and good physical hygiene should be set for all employees. Employees want and need a consistent message from business leaders.
  • Recognize that the attacks are real and will continue. A March 30, 2020, report claimed that the criminal ransomware syndicate Maze successfully attacked multinational insurer Chubb and claimed to have critical e-mails from the company’s CEO, COO, and vice-chairman as evidence (Phil Muncaster, “Maze Authors Claim to Have Hit Insurer Chubb,” Infosecurity, https://bit.ly/3aoVlQw). On April 20, 2020, Cognizant confirmed that Maze successfully attacked its organization, causing service disruptions (Lindsey O’Donnell, “Maze Ransomware Attack Hits Cognizant,” Threatpost, https://bit.ly/3cRk1m4).

Looking to the Future

Firms and their clients should start thinking about and preparing for the post-incident audits that will be mandatory for all organizations once the current COVID-19 crisis recedes. Focus on the lessons learned and the compensating controls that need to be put in place for a future incident. Do not ignore the fact that there will be another incident that has a dramatic impact on business, people, and society in the future.

Most of all, stay safe.

Steven Wertheim is president of SonMax Consultants Inc., Marlboro, N.J. He can be reached at [email protected]