4 minute read
4 Steps to Strengthen Cybersecurity with Your Team
BY CHRIS R. CICALESE, CPA, MSTFP, ALLOY SILVERSTEIN
In a post-pandemic world, remote work continues to be a mainstay in some form or another for employees. Unfortunately, with the increased remote workforce, there is also an increase in corporate vulnerabilities for perpetrators to exploit. These vulnerabilities often make a company’s complex security setup less effective.
With a remote workforce, the added outof-office locations also increase the number of unmanaged devices that connect to the company network. Alternatively, having an in-office workforce or supplied devices for remote work allows the technology team to reduce complexity by having a more standardized device setup. If workers are supplying their own devices, it makes it more difficult, as each device may have different software and employees may not have the same philosophy about keeping their home network or devices secure.
1. Use a Virtual Desktop
The best-case scenario when a device is not supplied by the employer would be to connect to a virtual desktop where the company can manage the data more easily and prevent it from being transferred to the employee’s device. With a virtual desktop, the technology team can disable various features such as printing or connecting storage devices to help manage client confidentiality. The desktop profile can also be customized so that upper-level management and entrusted employees have more abilities than the common employee. While making it more complex, it also provides management with more flexibility to make their remote workforce more efficient.
2. Enable Multi-Factor Authentication
In both a company- and employee-provided device setup, multi-factor authentication should be utilized to prevent someone from easily accessing company information if they happen to get an employee’s password. An example is using an authenticator app or texting a code to be required after trying to access the system. Without the code, the user would not be able to access the files. To make it harder for passwords to get in the wrong hands, it would also be wise to require frequent password changes and complex alphanumeric passwords that also contain symbols or characters.
3. Educate Employees on Phishing Scams
While securing the devices and how the company’s data is accessed is a great start, all that hard work can quickly be undone with one click of a bad link. Phishing scams have become extremely popular with the rise of remote work. Perpetrators create fake emails with masked links that will bring employees to a fake page to capture their login information or install harmful files on the network. Without proper diligence, an employee can easily fall for one of these fake emails that can cripple a company’s network and reputation.
The best way to prevent employees from falling for these phishing scams is through education. An effective way is to utilize a phishing education campaign that has multiple layers to it. These layers often include an annual training, micro trainings and fake phishing emails. The annual training goes through the basics of what scams are out there and how employees can be prepared to identify bad emails. This can be part of new employee orientation initially and then included with annual training for current employees. Micro trainings can be conducted throughout the year to keep employees updated. Lastly, utilizing a fake email campaign can help identify employees who would be an easy target and enable the company to focus on educating those employees to reduce the risk that they will click a bad link.
4. Perform Penetration Testing
After getting a handle on devices and encouraging employees to pay attention to the details of emails, the next hurdle would be to test your network to see if it could get hacked. In most cases, you would utilize an independent third party from your technology services provider to ensure you get a fair look at how your systems are set up. By having a firm perform a penetration test, you can see what vulnerabilities exist in your network and what the technology team needs to focus on improving. The white-hat hackers could even use social engineering to try to get employees to provide information that otherwise would not be obtainable.
When considering the security of your client information and company network it is vital to be proactive. The potential liability from data being stolen or the network being down is not easily defined as every hack is different. It is best to get ahead of the potential loss and educate your team so that they are better prepared to identify and mitigate threats appropriately.
Christopher R. Cicalese, CPA, MSTFP, is an associate partner at Alloy Silverstein. He is a member of the NJCPA and can be reached at ccicalese@alloysilverstein.com or on X at @AthleteCPA.