Even as the threat of the virus begins to lessen its grip, remote work options are here to stay. Nearly half of office workers (48%) surveyed prefer a hybrid work model to working in the office full time. As many employers start to reshape their office workdays around this half-home, half-office model, it’s a good time to evaluate how to maintain security when employees work remotely.
Why remote working creates security gaps
According to the American Bankers Association, as remote work becomes common, cyberthieves are taking advantage of the situation by tricking employees into wiring money into sham accounts. When you consider what remote work does to communication methods, it’s easy to see why. Thanks to Zoom fatigue along with the physical distance, people are leaning more on digital means of communication to get stuff done, especially instant messaging, emails and texts.
So even if your firm already has verification procedures as a type of virtual lockbox on company coffers, it’s easy for busy employees to let down their guard, if only as a gesture of goodwill to a friendly colleague — or a higher-up.
How cyberthieves trick employees
Enter the cyberthief. They’re pretty clever at passing off a faked fund transfer request from the boss as the real thing. Cyberthieves use social engineering, which is where they count on employees to let down their guard to accommodate people they trust. They use this to pull off a form of wire fraud called business email compromise. As we explained in a prior blog, “Cyberthieves are trying to trick your employees into wiring money,” this is how cyberthieves tee things up to pull off the heist:
- Lurk: First, they case the organization, learning who the managers are, and who’s in charge of their finances.
- Study: Next, they enter the company’s email system, tracking how money flows in and out of the organization. They’re taking notes on vendors, key players in purchasing, trends, travel schedules and communication style.
- Strike: The cyberthief emails the finance team requesting funds, making it appear it’s coming from, say, a company boss.
- Steal: The unwitting finance team releases funds into the criminal’s account.
Of course, once someone in your organization releases the funds to the sham account, the clock is ticking: The bank has a narrow window of time to recover this money. Once the transfer clears, there's no grabbing it back. Unless you have the right insurance policy to cover losses from email compromise, that money is gone forever.
Remote working cybersecurity checklist
For a business of any size — from global conglomerates to sole proprietorships — having a work-from-home security policy is always a smart start. Here are some top considerations when taking a fresh look at remote work policies and procedures.
Require Virtual Private Networks (VPN)
Whenever employees access work, a secure VPN connection should be mandatory.
Be savvy with personal devices
Even with company-issued laptops, employees are highly likely to use personal devices to access email accounts and documents, at least some of the time. As the world opens back up, employees can check in and work from just about anywhere. (Think of all the times you kept tabs on work with your smartphone.) Talk with your IT provider to form a plan to audit home network security systems and devices — and give employees an incentive to participate.
Maintain the guard rails
As our earlier blog details, safeguarding your accounts from business email compromise means taking time to double-check each and every request for funds and transfers. That means designing a system that exists outside the computer network. Examples of verification include reaching the requestor by voice contact, or receiving a matching PIN by text.
When people are working from home, it’s easy to sidestep these processes to save time and keep the workflow moving. Do an audit to make sure everyone is still committed to verifying. Identify anything that may be blocking people from sticking to it, and remove those obstacles. The best systems are foolproof and easy to follow, so it’s critical to make sure things are set up for speed and convenience.
Continue to educate about phishing emails
Training about phishing emails isn’t one-and-done, especially when people change jobs, get promoted or just get caught up in the day-to-day workflow. Fraudsters are very clever at creating authentic-looking email templates. It just takes one busy employee to click an innocuous-looking link to release a virus into the company system. Keep the team alert to phishing scams with occasional reminders. For example, if you get a phishing email, sending a companywide email can serve as a real-time reminder.
Have regular shredding parties
Recycling office paper is admirable, but doing so can be the source of leaked information. Urge employees to always use a shredder. Even better, host quarterly shredding parties, allowing people to bring in anything they need to keep out of an open recycling bin, from personal documents to anything work related.
Minnwest Bank’s cash management services give you the tools you need to streamline your business, along with the security assets to reduce your risk. Learn more by meeting with a cash management specialist today.