Cybersecurity for a Mobile Workforce: Is Your Business at Risk?
How many times have you left your house and asked yourself, “did I lock the door?” If you’re anything like me, you have to go back and double-check, because the one time you don’t, someone could break in, invade your privacy, and set you back financially.
It’s worth turning around to double-check. It’s worth spending $60 for a Ring camera at Walmart. It’s worth the intangible aspect: your peace of mind.
So what about your business? With the dawn of remote employees and an uptick in email phishing schemes, your company and employees have never been more at risk.
Cybercrime is up 600% due to the COVID-19 pandemic.
At Whirks, we process payroll and provide HCM solutions to help you build a better back office. But when it comes to IT, we prefer to stay in our lane and leave it to the experts.
A cyber attack could compromise client information, steal employee data, and permanently paralyze our business. Thankfully, we’ve got Micah Thor, the president of Techguru, on our side to ensure that we’re protected and keeping client information safe and secure.
Who is TechGuru?
Mike: Micah, tell us a little bit about who tech guru is, how you guys got started and what type of customers you serve?
Micah: Tech guru is 100% focused on delivering I.T. services to accounting firms all over the country. We focus on three pillars of our service: strategy, security, and support. We help organizations understand what they’re trying to accomplish from a business perspective, and then we align it with our security solutions and provide ongoing support, like an IT department.
Mike: What made you specialize in the accounting field?
Micah: Funny enough, we originally started with dentistry. But as we dug into it a little bit more, we found that dentists don’t consume technology the same way CPA firms or accounting firms do. When a dentist’s computer goes down, they can still drill, fill, and bill, but a CPA or accountant? It’s an emergency.
The dependence on technology is increasing as well as the stakes around cybersecurity. We saw this opportunity to go in-depth with a specific industry and be able to speak their language. We can understand what’s happening with the evolution of their technology stack or their tax software and how that’s going to connect with the other pieces. How do we understand what unique security needs they have to protect their client data and their reputation?
Matt: It’s interesting to think about that from an accounting perspective because we have the data that anybody would ever want to have. It’s a major concern of ours. On one hand, for our customers: we have to protect their information. On the other, it could lead us to bankruptcy if we had a security issue.
Micah: I believe that’s true for a lot of small businesses. I think one of the common misconceptions out there is that cybersecurity is something that only big businesses have to face. But for small or medium-sized businesses, it isn’t necessarily at risk.
But the reality is that there are a lot of malicious actors in the world. They’re super savvy and they’re going to chase anybody that has the potential to payout. That could be small, medium, or large businesses.
Tell me about some of the experiences you’ve had as you’ve helped accounting firms deal with cybersecurity.
Micah: We have a lot of firms that come to us with sad stories about breaches that have happened, money that’s been lost, and reputations that have been tarnished. Lately, spear-phishing or whaling has been popular, aka, impersonating somebody in the company and acquiring information, from social security numbers to credit card information.
Spearfishing: an email or electronic communications scam targeted toward a specific individual, organization, or business. It’s often intended to steal data for malicious purposes or install malware on a targeted user’s computer.
There’s a constant threat of ransomware. This is when all of your data is locked up and a very expensive ransom is left on somebody’s desktop to pay. If your backups aren’t solid, you’re forced to make a difficult decision about trying to get something from somebody.
Mike: Don’t negotiate with terrorists, right?
Micah: Yeah. The interesting thing I’ve found is that there’s honor among thieves. These guys are after your money. From what I’ve read and seen, if you go through their process and you pay them, they generally unlock your systems and give you back what you need.
Mike: Has that been your experience as well?
Micah: Yeah, luckily – I’ll knock on wood. I don’t want to tempt fate here, but we have not been involved in a ransom payout from one of our clients. But I have read that and heard that in the industry, they do tend to give back the keys to unlock the data.
Mike: They still have the lock though.
Micah: Yep. You have to purge your computer and servers of all that software.
Matt: That’s scary.
Micah: Part of the problem is that everyone has cyber liability insurance now, which includes money to pay these ransoms. And then, of course, cryptocurrency is how you transmit this money.
Ransomware is part of 10% of all breaches. It doubled in frequency in 2021.
It’s creating the ability to hit a button and pay your deductible. There’s not a great way for the U.S. government to trace where these funds go. So at Techgur, we focus on mitigating the threat and responding to it.
Does the rise of remote employees lead to greater cybersecurity risks?
Micah: Absolutely. From a security perspective, one of the first things we saw go out the door during the onset of the pandemic was this hardware firewall that everyone was behind inside the office. Your I.T. department runs advanced threat protection tools, so anything coming in and out of that office automatically has an extra layer of protection on it.
As soon as people went home, that was gone. But there are ways we can do the same thing with the software on individual computers.
However, some people didn’t have computers to take with them. They started using whatever they had at home, which turns out to be shared with the kids.
Mike: In your world, are you requesting or requiring that the companies that you work with furnish computers to their remote employees? Or are you pivoting their conversations around because it can get expensive? If I have to provide a whole hardware stack to every one of my remote employees, it starts to add up. Does the employer provide that gear?
Micah: That’s our passionate plea. The reality is that it isn’t possible immediately. But we can help them build a plan to get there. In the interim, we can help them understand what’s at risk and what are the worst-case scenarios.
We want people to understand that if you don’t invest in this solution, this is what’s at risk. For some, that’s actually not that great of a risk. Maybe they don’t have sensitive data. We’re focused on CPAs – and yes, you always have to safeguard your stuff. But for other professions, it might not be a big enough risk to spend $30,000 on computers.
Mike: One of the other industries that we work with closely is home healthcare. We’re seeing a lot of those organizations hire remote administrative or operational support staff. And that increases cyber-attacks if you don’t have as much control over the hardware.
What are some of the tactical things that you would put in place for a company that is starting to hire more remote employees and branch out of a central office?
Micah: Ok, so I’ll explain what the high-level, golden standard would be:
- A company-owned and issued laptop, keyboard, mouse, and monitor. You want to control this aspect so you can dictate everything that’s on the computer.
- Enterprise-grade antivirus software.
- You should also be teaching your employees about security awareness and training them, aka, sending out fake phishing emails. If somebody falls for clicks on one of those links, it takes them to train and shows them what they missed for next time.
- Implement ransomware mitigation tools.
- And lastly, offer home internet reimbursement. These things are important to consider, not only from a security standpoint but from a productivity standpoint as well.
Mike: We’ve run into that whenever we first start having remote employees that we’re branching out a little bit and we realize quickly that we have to be very specific in what we’re going to require. Internet speed is important because we’re on the computer all day.
If the internet goes down, it’s a huge productivity loss.
The thing that we see most commonly is people use their phones as a hotspot for backup. Making sure that you’re this is one of those other things that employers are starting to reimburse now to is cell phone plans and making sure they’ve got a certain level of data.
Matt: We realize that. I mean, in our world our phones are a huge part of our security protocol. We do reimburse for phones. We do not currently reimburse for the Internet. But that is something interesting to think about for sure.
Micah: One nice thing about cell phone reimbursement is that you dictate what happens on that phone. Mobile device management is a security piece that doesn’t get talked about often, especially in the small business space.
As soon as you want to add your company email, calendar contacts, etc., it forces you to download a mobile device management tool. This encapsulates that application and any other company-owned or managed applications.
So when somebody leaves the firm, you have control over that part of their phone. You don’t have any access to photos, phone calls, or text messages. It increases the security of your firm, but it’s inexpensive, easy to roll out, and easy to manage.
Mike: A lot of small businesses struggle with the ongoing implementation and maintenance of these different protocols, whether it’s device management or phishing-type testing.
Do you see potential clients that have a desire for better cybersecurity, but the implementation and IT side is really difficult for them?
Micah: Absolutely. We try to make every security policy global. With Office 365, you can set a global policy so that any new email address has to have two-factor authentication. It’s not a manual process anymore.
Mike: You mentioned earlier the security awareness training. It’s been my experience that most cyberattacks that intrude into an organization are from somebody at some point clicking a button that they should not have clicked.
How do you prevent employees from clicking on things that they shouldn’t?
Micah: The best thing that we have right now is education. Rewind five or ten years ago: all you needed to secure your computer was antivirus software. The worst-case scenario? One person got a virus and one person is down a computer.
In 2022, if one person gets a virus, it takes out the whole network – or worse. Antivirus is still really important. It’s a lock on the door and it deters things from entering.
But every second of every day, somebody is coming up with a new lockpick. They’re getting smarter. Testing and training on an ongoing basis are the best things you can do because threats evolve every single day.
Mike: It’s always fun to send out those test emails to our employees and see exactly who’s going to click on what and how they get reported. There’s a demographic, and it’s interesting.
We find that our older-aged employees and newer employees are more likely to click. Especially when it comes to whaling. If they see something come from Matt Patrick, and he’s asking for your social security number, you’re going to do it because your boss is asking you.
One of the ways that we mitigate this is by telling our employees that we don’t communicate internally via email. We use third-party messaging, which helps everyone avoid suspicious emails.
An employee opening a phishing email attachment caused the ransomware attack on HSE, Ireland’s national health service, which resulted in a €100 million overall cost.
Micah: CPA firms have been a target more recently. The value of the information and its accessibility has changed and increased. Before the Internet, we didn’t have issues like this. The only way to get a virus on a computer was for me to plug in a floppy disk that had it.
Those were things that big corporations had to worry about, but not small businesses.
If you’re doing your security right, your security is part of the equation. The other part is your response. With ransomware, we tell people you have to think when – not if.
As scary as that sounds, if you plan to get it, you will know what your action plan is when it happens. That action plan looks like what you’re going to recover from backups and what your downtime will be during your period of recovery.
But the question you really also need to ask is how long until I’m back at 100% productivity?
Mike: There’s a big push to move off of server-based software and into more SaaS-based platforms. Do these risks disappear when the server does?
Matt: I assume that a lot of the firms you work with don’t want a server. But the reality is, we aren’t there yet. What are some of the things you’re seeing there with regards to security?
Micah: I coined the term a few years ago and I’m still convinced that this is my term. So I’m gonna keep using until somebody says I can. Don’t keep all your cloud in one basket. The idea here is how can we do cloud-to-cloud backups for things like Office 365.
Mike: In the cybersecurity world, one of the things that’s pretty important is testing those backups.
How often do you recommend that a company actually test their backup whole process?
Mike: I would say at least monthly. Pick someone in the organization to own that seat. Have a second person that they report to so that you have an audit in place. We want them to look at the entire selection of data that’s being backed up, making sure that we’re not missing any folders or drives, and then restore and open at least one or two documents to ensure their integrity.
Matt: How how much time and effort do you put into it? How much risk is there? This is I’m assuming every small business owners kind of similar they’re weighing in that cost-benefit analysis. But I don’t think small business owners have the fear they probably should have.
Micah: Yeah. The president just announced yesterday, I think it was everybody and every business needs to take security seriously, especially right now because the intelligence is not looking great.
Mike: Employees struggle with remembering passwords, especially if you have any type of rotation.
What’s your opinion on password management tools, like LastPass? Do you recommend that people use those?
Micah: I absolutely recommend them. If you’re a CPA or accounting firm, we really like Practice Protect. The reason is that Practice Protect is more of a single sign-on type solution where you log in once and then you’re connecting to all of your other apps from there.
LastPass is great and it’s much more universal, but you know, you’ve got that little button that you click on, and then it populates the username and password.
A Single Sign-on solution enables your employees to log in with their Office 365 account – and there’s no more password remembering or logging on after that. It automatically authenticates you everywhere else.
So when they leave or when you need to change a password, you only have to change that first entry point password. And then you cut off access to all of the other apps.
Single sign-on is where the industry is headed. It’s just it’s a matter of making the integrations for all these different Web-Based solutions that will receive that authentication.
Matt: Is that becoming more standardized? You can sign in with Microsoft or Google or Facebook or Amazon. I always wonder, but do I want to do that?
Micah: LastPass is moving in the direction of single sign-on. It’s a land grab right now, I think. But this will be, you know, three or four years from now, just like multifactor authentication was kind of a new thing three or four years ago. Now it’s the standard.