The coronavirus pandemic sent millions of professionals to work remotely and dramatically shifted work patterns over the last year. While CEOs, COOs, and other C-suite-level employees, business owners, financial advisors, and family office professionals were reconfiguring their home offices, cyber criminals were busy honing their nefarious skills to access confidential and proprietary information, outsmart individuals into falling for fraudulent wire transfer scams and take computer network systems hostage via malware in exchange for money. Through the COVID-19 pandemic, bad actors have been increasingly successful with a wider target to attack, as more individuals became reliant on digital technology for business amid weakened cyber security measures in a work-from-home environment.
Incidents of social engineering, including phishing and vishing, along with ransomware saw significant spikes during 2020. For example, social engineering attacks increased from 46% in 2020 Q1 to 60% by Q2 2020. The pandemic also sparked a 72% ransomware growth and mobile vulnerabilities grew by 50%.*
Inside Social Engineering
Cybercriminals manipulate human error using social-engineering techniques to gain confidential information and commit theft or fraud. For example, phishing attackers pretend to be a trusted institution or individual in an attempt to persuade the target to expose personal or business data or wire transfer money.
Vishing (voice phishing) involves scams designed to get an individual to reveal banking and other confidential information over the phone. One particularly dangerous scam is designed to thwart two-factor authentication with scammers calling individuals to say they are conducting a security check. The cybercriminals will ask for the code sent to an individual’s phone; if the code is provided, the scammer can take over the account. One of the reasons that vishing can be very convincing is that typically scammers will use spoofed caller ID numbers that look legitimate.
The FBI has warned that the huge shift to remote work created the perfect breeding ground for cyber criminals to target workers. Cybercriminals research high-net-worth individuals, companies, and organizations through publicly available information to create a profile of the victim that can include name, address, position, email address, and other relevant information. They then create realistic-looking websites that may even include a company’s logo to convince victims they are from the company’s IT department. In many cases, the criminals will tell the victim that the company is switching VPN providers and they need to go to this new website to connect to the company network securely. What they’re actually doing is capturing login credentials, so they can access the company network and launch malicious software code to block people or organizations from accessing their computer systems until a ransom has been paid. Cryptocurrencies, such as bitcoin, have made it easy for these bad actors to receive payment without exposing their identities.
- $1 out of every $4 in U.S. healthcare costs is spent on caring for people with diabetes
- $237 billion is spent each year on direct medical costs and another $90 billion on reduced productivity
- Total economic cost of diabetes rose 60% from 2007 to 2017
- 48% to 64% of lifetime medical costs for a person with diabetes are for complications related to diabetes, such as heart disease and stroke
According to the Centers for Disease Control and Prevention (CDC), smoking-related illnesses in the U.S. cost more than $300 billion, of which about $170 billion is for direct medical costs for adults and $156 billion is in lost productivity (CDC). Individuals with insomnia cost employers an extra $976 per person per year due to absenteeism alone, according to the National Safety Council (NSC), with an additional $2,530 lost through presenteeism or decreased productivity while at work. Healthcare costs are also higher for individuals with untreated insomnia; an estimated $2,224 goes toward treating other health conditions exacerbated by insomnia.
Beef up Cybersecurity at Home, at Work, in the Family Office
To stem the rising tide of cyber threats with more individuals working from home, professionals and all employees should implement the following measures:
- Maintain good password hygiene, including using complex passwords (avoid using spouse and children’s names) and changing them frequently.
- Update systems and software on a timely basis, including on mobile devices.
- Use a VPN originating from a trusted connection within the organization to ensure ongoing access to corporate tools.
- Be wary of COVID-19 scams, and resist the urge to click links in a suspicious email.
- Avoid using work devices for personal matters.
- Recognize the signs that your computer is affected, and contact IT immediately.
Employers and family offices should put the following risk-management measures into practice to mitigate cyber-related losses:
- Meet regularly (including virtually) with your IT staff to identify vulnerabilities as a result of more employees working remotely. Prioritize protecting your most sensitive information and business-critical applications.
- Alert all employees, especially those in accounting, finance, HR, and benefits, to the types of social engineering scams being perpetrated to get them to wire transfer funds or disclose confidential and sensitive information.
- Provide regular anti-fraud training that teaches all employees to detect and avoid phishing and other social-engineering scams.
- Set up an out-of-band verification process to confirm the identity of the person requesting a wire transfer, a change to banking information or payment instructions, or access to sensitive data, such as tax and payroll information. This includes:
- Requiring voice verification for all changes involving banking information.
- Not relying on the contact details provided in the request, including a phone number to call in the email.
- In lieu of using “Reply,” forward the email and type in the email address you know to be correct.
- Advise clients you will not change banking instructions without authentication and to treat any such request as possibly fraudulent.
- Ensure your employees understand to whom they should communicate about any suspicious activities.
- Make sure all business-owned or managed devices are secure, and extend the same network security best practices that exist within your organization to all remote environments. These practices include:
- Securely connecting users to their business-critical cloud and on-premises applications, such as video teleconferencing applications
- Protecting laptops and mobile devices, including VPN tools with encryption; ensure that the latest versions of VPNs are used, and patches are applied promptly
- Enforcing multi-factor authentication (this is typically a password followed by a code sent to an individual’s phone)
- Ability to block exploits and malware
- Ability to filter malicious domain URLs to thwart common phishing attacks.
- Employ a regular backup system with files stored remotely.
- Ensure that the security settings for cloud-based services are appropriately configured
It’s important that a wellness program strategy provides choice, flexibility, and personalization for employees to gain their adoption and engagement. The current pandemic has made engagement more difficult, and providing additional platforms, including telehealth options and digital interventions for mental health, is critical, with remote work the norm in many cases and onsite wellness programs limited.
Also important in this new paradigm as a result of COVID-19 is the disruption in care. Preventive care services decreased during the first several months of the pandemic. What will this mean going forward, and how will this impact your employees’ health down the road? If the data shows a reduction in cancer screenings among your workforce during the past year, part of your wellness program may encourage employees to get these screenings to help mitigate potential future issues. It only makes sense to invest in services that will serve to improve individual and population health.
A cybersecurity program should also include an incident response plan and insurance. Companies and family offices need to be prepared to effectively respond to a cyber incident, which includes resuming business operations with minimal impact and demonstrating to investors, employees and other parties that the incident was resolved appropriately. Cyber insurance can be designed to respond in the event of an incident for the following:
- Forensics fees to determine how the attack occurred and to what extent
- Notification costs if there is a breach of third-party confidential information
- Crisis management and public relations expenses to protect one’s reputation
- Remediation costs
- Ransomware payments
- Fees and liability settlements in the event of litigation
- Business interruption/loss of income as a result of the cyber event
- Other related expenses
Cyber insurance policies differ significantly and require professional expertise to ensure the right policy is put into place. The BKS Partners Private Risk Management team can help protect your legacy and business with a tailored cyber and risk management program that addresses your risk profile.
This material has been prepared for informational purposes only and was generated from information provided to BKS from the client and/or third-party sources. Therefore, BKS makes no warranty or representation(s) as to the accuracy or appropriateness of the data and/or the analysis herein. This information is not intended to provide, and should not be relied on for, tax, legal or accounting advice. You should consult your tax, legal and accounting advisors for those services.