The coronavirus probably has not hit its peak yet, but every facet of daily life has already been affected. Many companies are actively reaching out to their customers to ensure operations will continue under the best of circumstances and as government regulations allow. For many companies this means supporting a widely spread remote workforce.
As we are already in the midst of this crisis, the chance for your firm to proactively prepare for disrupted operations has passed, but this does not mean there is nothing that can be done. Thanks to the plethora of cloud-based processing options, it is still possible to fully secure resources for the majority of your staff to work remotely. It may be more expensive right now, but that is still a better alternative than shuttering operations entirely. For companies that have already gone remote, you have probably deployed your remote desktop connections, trained your staff on remote conferencing options, and made sure your phone data plans are paid up for any type of mobile device solution you choose to use. Now that these features are fully deployed, this is a great time to review them for potential cybersecurity risk factors.
As is the case with on premise work, cybersecurity has no ‘one size fits all’ solution for remote environments. Each company is going to be different and will require its own strategy to mitigate risk. However, there are some basic steps companies can take to ensure that their cyber risk is limited as much as possible during this time of remote work.
The single largest risk factor for remote work is the public internet that is being used by your staff to access your company data, but there are some simple steps you can take to mitigate risk from the largely unsecured public internet.
First and foremost is the securing and monitoring of all connections into your infrastructure. Think of all connections to your data, from any location, as a phone call. A device calls into the physical location of your data to access it, process it, and possibly transfer it to another location, much as you would see with a phone call or fax machine. The key is to identify the various points from which these devices can ‘call into’ your physical infrastructure and then limit the number of devices that can actually make this call. Identifying and securing the remote access points of your company data or network infrastructure is most likely the easier of these two tasks, as in most circumstances you should have near full control over the physical space in which your data storage device resides.
From here, the simplest and most effective means of protection is to erect a firewall to keep out unauthorized calls. Step two is to do as much as you can to secure the connections that you want to allow through the firewall. The simplest means to accomplish this is through a Virtual Private Network (VPN) that will not only provide verification of the authorized connections past your firewall, but will also create a secure tunnel by which the call into your data can travel.
The VPN will compensate for most security provisions your staff’s at-home internet might or might not have. From there, you will need to look carefully at which devices you actually will allow in through your firewall. It would be prudent to direct your technical team or IT Vendor to create a list of approved devices that is as small as possible. You should limit approved devices to company issued laptops and mobile handsets. You can expand this list to employee owned devices, but this should only be done with the advent of a Mobile Device Manager (MDM) solution. While a VPN will compensate for an insecure connection, an MDM will compensate for the lack of cybersecurity protection an employee owned device may or may not have. At this point, you might be asking, where can I find VPNs, MDMs, etc.? Thankfully there are plenty of businesses on the open market that have these tools, and even technical staff, set up and ready to deploy and are just waiting for a company like yours to engage them for assistance. By employing these two relatively simple steps, your company can create remote work infrastructure that will significantly cut down on the risks of employees working from home over the open internet.
Now that we have looked at what infrastructure should be put in place, we next need to look at how to properly maintain the infrastructure. As with the technical tools listed above, the market has plenty of Managed Service Providers (MSPs), such as MGO Technology Group, that are ready to engage and provide you with the technical staff and tools your company will need to effectively continue operations during this crisis. Make no mistake about it, your remote work environment is going to require some form of troubleshooting, either in the form of equipment malfunction or staff training on how to properly use the tools mentioned above. This is where having a good level one (L1) IT support staff comes into play in your cybersecurity strategy. In order to properly mitigate the risks of data breach or leakage, your staff will need to correctly use the tools you have put into place. Never underestimate how far a well-trained and well-equipped IT support staff can go in correcting the human errors not caught by your VPNs, Firewalls, and MDMs.
In order to weather this crisis or any further disruption your company might experience, you are going to need good equipment and knowledgeable people to install and maintain this equipment. Finding, maintaining, and retaining the equipment and staff can be a difficult and time consuming endeavor. As mentioned above, you may want to consider engaging with technical MSPs who have the training and resources in order to install and maintain the infrastructure your company will need to not only allow your employees to work from home, but to also switch back to working on premise as soon as the situation improves.
For more guidance or to schedule a consultation, contact us here.
Emerging industries are prime candidates for cyberattacks and criminal hacking. That’s because as an industry matures companies quickly scale operations to meet the rising demand. With the focus on generating revenue, the implementation of appropriate security protocols is too often overlooked. A hallmark of a sophisticated and successful organization is robust cyber and information systems and processes that protect intellectual property, customer information, and other valuable data, or risk losing the market share you’ve fought so hard to win.
Cannabis faces nearly all of the same cyber security challenges of other industries of equivalent size and maturity. This includes, but is far from limited to, service disruptions through natural disasters, regulatory compliance, online based attacks, and especially offline based attacks such as phishing.
Phishing holds a unique place in the cyber security sphere as unlike active attacks against a company’s information technology infrastructure, phishing seeks to gain access via user vulnerability. No matter how good your electronic defenses may be, a single well placed phishing scheme can compromise your data. This is why user education must be a part of any cybersecurity program and cannabis is no different. It does not matter if your cannabis operation is involved in cultivation, distribution, or retail. If your employees handle information that is important to your business they must be educated on best practices regarding phishing. The data your business holds is a valuable commodity and must be treated accordingly.
While phishing is the most common culprit of data breaches, ransomware has emerged as a less common, but just as threatening cyber risk. Ransomware is a type of attack that, rather than attempt to steal your data, will deny you access to it, typically by encrypting your files. This will render your business inoperable until, in theory, you pay the ransom to your attacker to regain access to your data. Ransomware was prominent in the news in 2019 for various high profile attacks on mid-tier cities that simply did not have the financial resources to combat and undo the consequences of ransomware. Such a pattern is crucial for the cannabis industry to recognize. A result of these trends in 2019 shows us that ransomware attackers will often choose their victims carefully in the hope that the victim will not have the willpower or resources to combat the attacker.
Since cannabis is a relatively new industry, with most resources dedicated to production development and company growth, most companies will not have the resources available to dedicate to combating ransomware attacks. Industry players should be aware of a simple fact of life when it comes to cyber security: prevention is always more cost-effective than recovery. Resources may be tight, but even a basic offsite data backup strategy could go a long way towards mitigating an attack that compromises data access.
This period of early growth is the perfect time for industry leaders and business owners to cultivate cyber security strategies. The relatively early stage of the cannabis industry provides an opportunity in that companies are not encumbered by legacy software and processes. Cyber security software and processes may not need to be stacked on or integrated into existing operations. Rather, they can be ‘baked into’ the company at an early stage. This will make the inevitable need to scale up cyber security operations within your company that much easier. It is also a good time to start your IT asset inventory processes, which will allow for a more robust IT security posture down the road. There are companies that have been around for decades that still do not have a handle on what equipment they actually have. In this regard, the cannabis industry has an advantage.
The examples of phishing, ransomware, and asset management are just three core topics within the broader world of cyber security. While cyber security may seem to be a large, complex, and costly endeavor, even small and recently founded companies can effectively tackle the problems at hand. For example, as phishing constitutes the vast majority of data breach starting points, instituting a phishing awareness campaign at your company could go a long way towards reducing vulnerability to potential threats. Secondly, a small firm need not pay for real time data replication. Even a simple and cost-effective off-site backup can go a long way towards mitigating the effects of a ransomware attack. Sure, it might take longer to restore your data in the event of an emergency, but a slow restoration is better than none at all.
Today’s world is more connected than ever. Not only are users sharing more information across the Internet than at any other time in history, they are doing so with a variety of devices available to the public. That’s hundreds of devices available for a user to connect and conduct various facets of their lives in a convenient and productive way. It also means thousands of potential vulnerabilities that nefarious actors can exploit. Mobile devices represent the newest threat to user security as more and more of our digital lives are accessed via these handheld computers. Given the popularity of these devices, it’s not surprising that hackers have turned their attention to how they can exploit vulnerabilities for personal gain.
Because mobile devices are often used outside of a regulated environment, such as an office or private network, they can be susceptible to attacks over public networks that purposely do not restrict access. Despite these inherent vulnerabilities, there are several steps you can take on your handset to help ensure that your device remains secure. Though this list is not all-encompassing, it will provide a handy guide to make sure your mobile environment remains a safe and reliable tool for you to use.
Updates will apply the most recent security patches to both your apps and operating system which is why you should apply the updates as soon as you see the notification from your phone. For an extra layer of protection you should consider allowing your apps to auto-update while the device is connected to WiFi.
Always use a PIN, Passcode, or some form of Biometric Authentication to access your phone. No one, not even you, should be able to pick up your phone and access it without some form of verification. Though passcodes are still the strongest form of security on a mobile device, you can provide an adequate layer of security by applying both Biometrics, such as a fingerprint or eye scan, and a backup pattern or PIN.
When you are not using these features, you should turn off WiFi, Bluetooth, and the Near Field Communication (NFC) receiver. The fewer active access points available on your phone, the less likely someone will be able to exploit them. This doesn’t mean you should never use them. However, shutting them off when you are not using them not only lowers your attack surface, it’s healthier for the device’s battery. Many handsets also now include software that allows you to automate turning these settings on and off with a single voice command. Try to make use of these tools to find the most efficient balance for your own lifestyle.
Much like you would think twice about going to places where you may have doubts about safety, so should you be mindful about who and what you allow your phone to connect with. ONLY allow connections and access to devices, individuals, and apps you know you can trust. This includes only downloading apps from a trusted source such as the Google Play or Apple App Store. Additionally, be wary of any apps that request admin level permissions in order to function. Is having that one face filter really worth giving an app access to ALL of your friends’ contact information?
Occasionally you should inventory the apps on your device and decide if you still actively use them. Deleting unused apps has an array of benefits, which include freeing up storage and processing power, reducing background usage, and reducing possible attack vectors from apps that are no longer updated by the developer. Most handsets now come with tools to allow you to list your apps based on the last time they were used. This can help you narrow down those that should be removed first.
As tempting as some might make it sound, you should never ‘root’ or ‘jailbreak’ your phone if you wish to keep it secure. Doing so removes many of the protections that handset makers often put in place to prevent incompatible programs from interfering with the phone’s basic functions. Jailbreaking your phone removes these protections while also taking your operating system out of the regular update cycle. Jailbreaking your phone may also have the effect of voiding it for many Bring Your Own Device (BYOD) programs run by professional organizations.
To learn more about cyber and information security, for you and your organization, schedule a consultation with the experts at MGO Technology Group.
Initially this particular attack appeared to be an insider threat as it originated internally when an employee logged into the travel network, deploying the ransomware that infected all Tribal systems.
A few days later an investigation confirmed that the attack was an inside job perpetrated by a Tribal member and former IT employee who was then charged with felony tampering with public records and felony obstructing government functions.
This incident raises concerns about your own systems and their vulnerability to insider threats and ransomware. Tribes are especially vulnerable as they often operate multi-million dollar enterprises, managing economies that rival those of foreign nations. Having said that, even Tribes that don’t operate on that scale need to be cognizant of these risks and prepare for the potential threats.
In order to help prevent insider threats, here are five tips:
In order to help prevent ransomware attacks, here are five tips:
MGO Technology Group recommends a multi-layered security approach and has a dedicated team of cyber and information security professionals that can create a custom program for small or large tribes to improve your security posture.
Learn more about us.
An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
Are your employees comfortable telling leadership about a potential problem at your company? Now ask yourself, are they comfortable telling leadership about a potential mistake? A large number of today’s cyberbreaches often begin as the result of an innocent mistake by an employee. It might be sharing a password over an unprotected medium, a nefarious actor grabbing a picture of an employee’s laptop screen while they are working in public, or as is most common, an employee clicks on an innocuous link from a phishing email. What most employers may not realize is that many employees’ common sense regarding breaches is actually pretty good. At the very least they will suspect that something is amiss, which could be the first step in detecting a potential breach. Empowering your employees to actively look for, and report on, potential breaches goes a long way to helping your organization build a strong cyber security culture.
The first step is to educate your employees on what to look out for when it comes to cyber and information risk. Many firms employ some form of basic cyber-security training, mostly at the time of on-boarding, but training usually ends there. Cyber security is an ever-shifting landscape where threats are always evolving. This is why it is important for firms to enact a year-round cyber security awareness program based around employee activities. A good employee-based cyber security awareness program will be light on technical jargon and focused on highlighting the vulnerabilities of the processes and systems that all employees use in their day-to-day work, such as instant messaging, answering e-mails, browsing the web, and sending documents through authorized and unauthorized means of file sharing. There is no great need to get into the technical details of how an attack might happen, but rather acknowledge that the danger is out there and focus on what employees can do to look out for potential dangers, such as noticing strange URLs and suspicious e-mail attachments from unrecognized users. Consistently educating employees on current cyber threats and methods will give them the tools to identify a threat and be proactive in helping your company stop it.
Training employees to spot the dangers is only half the battle. The other half is generating an effective reporting culture. No cyber security strategy is complete without a good cyber security reporting culture that puts a premium on reporting potential breaches. Here are a few suggestions to create a positive culture of reporting:
Have the team that provides your first level IT Support lead awareness/education sessions, as they will most likely also be the first point of contact for reporting potential breaches. The sessions can be developed by an outside consultant or an internal cyber security professional, but building a rapport between those who should be reporting the incident and that first point of contact provides a sense of comfort that your employees are reporting the issue to the right group in the correct way.
In training, the IT support staff should make clear that reporting a threat is NOT a burden and that employees should err on the side of caution. If an employee receives an e-mail they find suspect they should not hesitate to contact their IT department through the designated reporting means.
Everyone from the organization must know and believe that the consequences of reporting a potential mistake will not be dire. Beyond feeling comfortable reporting suspicious activities, employees must also feel comfortable in reporting suspicious behavior that might be a direct result of their own actions. If an employee feels that admitting a mistake will be detrimental to their career they will keep quiet and a potential breach oversight could occur. Admittedly, this strategy carries some risk as you do not want certain behaviors to be consequence-free. However, the scope of consequence must be weighed against the actual action.
For example, an employee need not be officially reprimanded for admitting to clicking on a suspicious link and reporting it, but it would be prudent for the IT support staff to point out what could have been done differently to avoid the infraction. If the employee becomes a repeat offender, then a more official process might be warranted. Until then, simply pointing out the issue should be enough to change behavior while maintaining a culture where employees are not fearful of bringing an issue forward.
When setting the company’s cyber security policy, upper management must keep an eye toward baseline employees who perform the day-to-day actions of the company. Clear signals about saying something if you think something is wrong can go a long way toward changing your company culture. Having a strong IT or Cyber Security group is simply not enough when your own staff could unknowingly be your cyber Achilles Heel. There is a saying in cyber security that “every employee is a potential vulnerability.” However, if trained and leveraged correctly, your employees can also act as another safeguard, actively working to protect your information technology environment.
If you have any questions or would like support developing and implementing an effective cyber security program, reach out to the MGO Technology Group for a consultation.
But what happens when your technology leaves you vulnerable, such as in the case of your IT environment suddenly held hostage by a cybercriminal?
According to Recorded Future, since 2013 there have been 170 city, county and state governments that have been attacked using ransomware, a type of malicious software built to interrupt or shut down your business or government operations. That means it’s a good time to understand how it works and, more important, what you can do to prevent it.
Ransomware blocks access to your data by encrypting it, then you’re informed you will only receive a decryption code when a sum of money is paid to these anonymous cybercriminals. The attack is sudden and the clock begins ticking for you to pay the ransom, or lose access to your computer system forever.
Fundamentally these attacks are successful because the proper safeguards are not in place for various reasons, the main one being perceived cost. Statistics support the aphorism that it’s not so much a matter of “if” your organization will get hit, but rather a matter of “when” an attack will happen.
According to Malwarebytes’ Cybercrime Tactics and Techniques Q1 2019 Report, ransomware for businesses of all sizes is up 195 percent in the first quarter of 2019 since the final quarter of 2018, and up more than 500 percent when compared to the first quarter of 2018. This risk is certainly not going away anytime soon.
The financial backlash can be devastating, but even worse can be the loss of access to daily electronic processes, computer data, employee time, organizational records and invaluable information.
As you can see, regardless of the type of industry or size, cybercriminals are widely casting their nets, which reasonably ensures their catch will amount to a good payday.
However, all is not lost. There are eight steps you can take that will go a long way in securing your IT environment, rendering it more difficult for cybercriminals to access.
1. Perform a security assessment of your IT environment. Do not rely upon “it hasn’t happened to me yet, so I doubt it will” reasoning. The risk is not worth it.
2. Provide security awareness to anyone accessing your IT environment to prevent the No. 1 cause of cyber-attacks: Phishing. Humans continue to be the weakest link. You need to go beyond training and make employees aware, so that it becomes part of the security culture.
3. Back up your data daily. If you find yourself in the unfortunate position of being a ransomware victim, the best way to recover from the attack is to have secure and reliable backups ready to use when you are held hostage.
4. Patch software immediately. When fixes are made available, don’t wait. Update your software so hackers can’t exploit a vulnerability.
5. Limit the number of people who can install software. This is the IT version of “too many cooks spoil the broth.” You need to trust that your employees are doing the right thing when installing and updating software, and that they’re not relying upon free software, which is a notorious gateway for malware.
6. Use a reputable antivirus software (AV). AV is a simple, yet powerful step that will lower your chances of being attacked by ransomware.
7. Perform security monitoring of your network. You MUST be aware of what is happening in your network by performing 24x7x365 monitoring, which will help ensure you’re actively looking for the bad guys.
8. Use two-factor authentication. Gone are the days of just a single password. Having two forms of authentication, such as a password and a biometric, to access your network will provide added assurance.
While nothing is foolproof, taking preventive measures maintains your brand, ensures customer retention and prevents a cyber breach. At the end of the day you want the peace of mind that’s provided when you know you have done everything you can—even when it’s “just in case.”
Mark Cousineau, CPA, CITP, CGMA, CIA, CFE, CGAP, CGFM, CRMA is a director at MGO and Karl Kispert is managing director of MGO’s technology group. You can reach Mark at mcousineau@mgocpa.com or contact Karl Kispert here.
Published in California CPA magazine July 2019