The tumult of 2020 was not limited to the physical world; the cyber security world also felt increased turbulence. The events of 2020 reinforced the importance for organizations and individuals alike of strengthening their information security postures. This blog explores, at a surface level, a few things that can be done to enhance information security at both the organizational and the individual level.
Due to the ever-evolving nature of cyber threats, it is important that regular reviews and audits of cyber defenses include methodical system hardening processes. Proper configuration from the outset is not enough; one must keep apprised of the latest developments in malware and attack patterns. However, even with the best defenses, 2020 once again demonstrated that no system is impenetrable.
One of the most highly publicized cyber security incidents of 2020 was the SolarWinds Orion attack. This attack is believed to have been orchestrated by a nation-state. While conventional cybersecurity rhetoric acknowledges that “little can be done to prevent a nation-state level attack,” there is plenty that can be done after learning of an attack to mitigate damages. Having a well-documented and well-tested Incident Response Plan (“IRP”) can save valuable time in responding to a cyber incident.
Organizations, particularly those with access to sensitive data, must have a codified and regularly tested IRP. A well-written IRP informs those overseeing the plan of what to do in the event of a cyber incident. Without regular testing, a good plan can become stale, or its execution can be slower or sloppier than desired. Four common phases of an IRP are:
- Identify the underlying problem and analyze the scope of the compromise
- Contain the damage and prevent any further resources from being compromised
- Eradicate the source of the attack and all underlying symptoms
- Recover the system to a working, stable state
On an individual level, there are many ways bad actors will attempt to dupe users. A recurring example is the W-2/tax refund scam. Every year during tax filing season, individuals are bombarded with threatening voicemails from the “IRS” requesting some form of sensitive information, usually Social Security Numbers. Employees in Payroll/Accounting are perhaps the most preyed upon during this time. These employees often receive emails claiming to be from a high-ranking official or executive asking them to send large amounts of sensitive employee or financial data. The attackers’ goal is to use this information to collect refunds from fraudulently filed tax returns, commit identity theft, or both. With the unprecedented levels of unemployment spurred by the COVID-19 pandemic, state unemployment offices are inundated with fraudulent unemployment insurance claims. This leaves Human Resources Administrators stuck sifting through false claims and reporting them to the appropriate agencies. There are certain measures one can take to help prevent these attacks:
- Apply for an IRS Identity Protection Personal Identification Number (IP PIN).
  - The IP PIN was previously only available to those who were victims of tax fraud; the IRS stated that, starting in 2021, it will allow all individuals to apply for one.
- Encourage employees to create an account with your state’s unemployment agency.
  - The ability to create an individual account may depend upon your state’s online portal, but proactively creating one may help prevent an attacker from filing an online unemployment claim in your name.
- Closely monitor your credit.
  - Many credit cards and banks offer free credit reports.
  - Individuals can also freeze their credit and only thaw it when they plan to apply for a loan.
- Scrutinize ALL requests for sensitive information, whether about yourself or others.
  - Individuals, particularly employees responsible for large amounts of personnel records, must verify that any request for sensitive information is legitimate before fulfilling it.
There is no silver bullet against these individual attacks. The reality is that remarkably little information about an individual is needed to attempt fraud. However, individual awareness training is arguably the best defense. An informed individual can better question and scrutinize requests for sensitive information rather than providing it readily. Organizations would be well served to provide ongoing Security Awareness Training to their users to ensure that they protect organizational interests as well as their own.