The general perception is that most cybersecurity breaches are caused by external hackers—much like the old stereotype of the shady character sitting in a basement trying to gain access to a company’s systems—but internal cybersecurity threats are increasingly compromising organizations’ computer systems and data. MSN reported that one of the biggest 2020 internal cybersecurity threats occurred in Denmark with its tax portal system. To access the system, all users are assigned a personal identification number. An internal software coding error caused each user’s ID number to be added to the site’s log-in address whenever someone logged in. The address was picked up by analytics services like Google, which could have been accessed and exploited by hackers. The bug was detected five years after the system was developed during an audit and finally corrected. So what steps can management accountants take to protect their organization’s data and information from internal cybersecurity risks?
A perfect internal cybersecurity storm occurred with the COVID-19 crisis of 2020 because many organizations had to abruptly pivot to employee work-from-home (WFH) arrangements without adequate planning to be able to establish internal controls and policies. According to Forrester Research, a U.S.-based company that examines the impact of technology trends on organizations, the crisis dramatically raised organizations’ exposure to internal cybersecurity threats because of the rapid move to remote work for employees and others outside the organization’s normal security controls, employees’ job insecurity caused by the pandemic, and the vulnerability of data because of new ways to move it outside the organization’s normal channels.
Forrester predicts that 33% of total breaches in 2021 will come from insider cybersecurity breaches, an increase from 25%. Organizations relying on WFH arrangements for employees should conduct an immediate review of their policies to ensure that they’re addressing the increased risk of remote work. At a minimum, virtual private networks (VPNs) should be required to access organizations’ network and data. VPNs hide data and computer IP addresses by using a virtual tunnel preventing hackers and others from accessing company data. Organizations should also consider providing their employees with company-provided computers that are configured with security software and monitoring tools to detect breaches. They should also consider restricting or prohibiting employee use of other devices, such as personal tablets and phones, to access company data because they could pose security risks.
Zero-trust network access (ZTNA) is emerging as a powerful virtual cyber defense tool to provide enhanced security to VPNs. Traditional VPNs allow carte blanche access to networks, data, and information by default. ZTNA operates on the principle that VPN users should only access network functions and information based on a need-to-know basis. Configuring and implementing ZTNA will embed security controls into an organization’s network, resulting in restrictions to an organization’s data and information and causing a dramatic reduction in cybersecurity risk and internal cyber threats.
TRAINING, TRAINING, AND MORE TRAINING
A critical defense for internal cyberattacks is employee training. While malicious, deliberate attacks are behind many insider attacks, unintentional behavior can also result in security breaches. By taking the steps to educate employees about the increased risk and exposure of cybersecurity, an organization can leverage its employees in the fight against breaches.
Helping employees understand the schemes hackers use to discover passwords and gain system access must be part of the training. According to cybersecurity expert Michael Kaiser, president of Defending Digital Campaigns, training should include being able to identify and defend against phishing and spam attacks, following strong password-management processes, completing device and remote-work training, and the importance of installing system updates.
While engaging a third party to provide cybersecurity training is recommended, small companies with limited budgets can access comprehensive free training resources from the U.S. Federal Trade Commission. The material includes cybersecurity basics, user guides, videos, and quizzes to support developing cybersecurity policies to protect the organization from cyber risks.
INTERNAL CONTROLS, TOOLS, AND POLICIES
Organizations’ internal controls must address cybersecurity. Don’t delegate the responsibility to the IT department. It must be a coordinated effort integrated with day-to-day operations. Strong controls can prevent access and secure data. Make sure your organization has a written acceptable use policy (AUP) that spells out what users are allowed to do with the organization’s computer system, including access to the internet, use of computing resources, and authorized online behavior that outlines both authorized website access and download restrictions.
Examples of AUP clauses also include forbidding computer systems users from violating applicable federal and state laws and disclosing confidential company information, password-maintenance policies, prohibiting the sharing of passwords, and requiring network security. The AUP should be distributed to all employees and users. Require signed acknowledgment to ensure that everyone using the company’s systems is accountable for their use. Penalties and punishments for violating the AUP should also be spelled out. Many systems display an AUP banner when users log in, reminding them of their responsibility to comply with the policy like traffic cameras at an intersection warning speeders.
Investing in cybersecurity detection tools is a critical defense. According to The Wall Street Journal, in October 2020, an email from a supplier was sent to Zak Brown, CEO of McLaren Racing, asking him to authorize a payment using DocuSign. He was too busy to try to open the email because it was the peak of the racing season. Several days later, the company’s chief information officer reported to him that the email was a phishing scam. Had Brown tried to open it, he would have failed because the authentic-looking but fake email was detected by the company’s security system and a digital lock was placed on it, freezing access. The tool prevented an inadvertent internal cyber breach.
Management accountants must play an active role in safeguarding their organizations from internal cyberattacks. Data and information are valuable assets that must be protected. Is your organization prepared?
The opinions included are those of the author and not necessarily those of the U.S. Air Force Academy, the U.S. Air Force, or any other federal agency.