Kevin Baker, Marcum LLP. Kevin Baker, Marcum LLP.

The COVID-19 pandemic has forced companies across the world to embrace a remote workforce with an extremely limited window of time, or no window at all, for planning and testing. Many companies had employees that worked remotely at least part of the time. However, few companies were prepared for the challenge of transitioning the majority of their workforce to a remote environment in a matter of days or weeks. The directives from the top were to get as many people working remotely as quickly as possible. In order to accomplish those goals, IT departments and business units have had to forego many of the planning and testing requirements that would typically accompany such a significant change. If companies did not already have complete security information and event management (SIEM), data loss prevention (DLP) and cloud-based endpoint security systems in place, it is unlikely they could deploy them in such a short time. However, there are still steps that can be taken now to help prevent fraud.

As companies complete the first month of this transition, and with potentially another one to two more months ahead, now is the time for IT departments, business unit managers and employees at all levels to take a deep breath, maybe even get a few hours of sleep, and review the security concerns and regulatory compliance gaps that this rapid transition has introduced. It is unrealistic to think that a comprehensive system can be deployed in the current environment, but getting ahead of known security flaws and preparing the company for future issues can be accomplished now. Under normal circumstances, this type of implementation would take many months, or even years, to properly plan, test and deploy. These are not normal circumstances though, and although not ideal, there are still many things that you can put in place quickly to prevent fraud and add to the security of your environment.

Document Exceptions

The first step is to review who has access to what, and what access exceptions were made in order to "make things work." Quite often, it is necessary to elevate someone's privileges during an emergency in order for them to be able to complete their job function. At other times, managers and employees may even commit the cardinal sin of sharing login information to provide access. This rapid transition has almost certainly required many such exceptions to standard security policies. It is important to begin to document these exceptions as soon as possible. These gaps in security need to be identified so that they can be evaluated and addressed. As the weeks tick by people will begin to forget the quick or "temporary" fix they used to get the job done while everyone was scrambling. Whether you or your team elevated an employee's access, shared login information or received additional access, make a note of it and share that information with the appropriate people. Otherwise, these holes will be left open and used for fraudulent activities in the future.

Collect and Preserve Data

It is difficult and time consuming to roll out enterprisewide policies and security systems, especially in this very challenging time. Take for example simple things we take for granted in our office such as shredding bins, printing, scanning, faxing and clean desk policies. The security around each of these naturally need to be reconsidered in a work from home setting. But do not be dismayed, there are proactive steps that can be taken remotely, with minimal time, at little or no cost, that will increase the security of your environment. Modern computer systems are controlled by central policies and have the ability to log a significant amount of information. Updating these central policies to increase the amount of data that is logged, the maximum size of logs and how long logs are retained, will strengthen the ability to investigate issues when the need arises. These changes should also apply to email and data retention systems. When an employee is terminated, furloughed or otherwise separated from their position, make sure that their computer and data is securely stored for future analysis or have a forensic image of the computer prepared. Putting the equipment back into immediate use without a forensic image can significantly hamper future investigations. Having the information available will allow for future analysis that can detect fraud and other irregularities.

Communicate Policies and Procedures

One of the best ways to prevent fraud is to communicate to your employees that security and fraud prevention are part of your organization's operating environment. Even if you do not have updated policies and procedures for all of the new aspects of working remotely, you should communicate that your current policies still apply where practical and that you are working on updated policies to address the new environment. This ensures that your employees are aware that you take security seriously, which will discourage fraud. This is also a good time to let everyone know some of the steps you have taken, such as increased logging, to help detect and investigate fraud. As you update policies and address new situations caused by a remote workforce, continue to disseminate that information to your employees. The more apparent your focus on security and fraud prevention is the less likely an insider will commit fraud.

Protect Sensitive Information in Video Conferences

Companies and individuals have scrambled to find solutions to effectively communicate remotely. Not surprisingly, video conferencing solutions such as Zoom, WebEx, Microsoft Teams and Google Meet have skyrocketed in popularity. Although Zoom has made headlines for security weaknesses, for the most part all of the platforms are relatively secure. However, they all suffer from the same weakness. Video conferences are only as secure as the security controls that hosts choose to configure. You may have heard about Zoom bombing, which is where an unauthorized user joins a conference and broadcasts offensive material. Although it is disruptive, the more serious security concern for a company is someone accessing sensitive information because a video conference was not properly secured. Imagine a conference where someone is sharing sensitive financial information or security information that is then viewed by an uninvited and possibly malicious person.

It is important to have guidelines for the use of video conferencing. At a minimum, every conference should require a password to join. It is important that these passwords are not posted in publicly accessible locations. Be aware that the meeting invite links often include the password in the URL. If sensitive information is going to be presented, additional security measure should be put in place, such as using virtual lobbies, locking meetings after they start, etc. It is not that these platforms are suddenly less secure than they were a month ago, it is that now malicious actors are focused on these platforms and spending considerable resources to scan and infiltrate them.

Next Steps

Everyone is hopeful that this will pass quickly and soon we will be back in the office spending time at the water cooler recounting all of the challenges of these trying times. However, the truth is that these events have likely changed the way we will work in the future. As the dust settles, it is going to be important for companies to evaluate how they can secure and monitor a remote workforce. This will include many technological solutions including endpoint security systems that work remotely, network monitoring to address substantial remote connections, and possibly most importantly, updated policies and procedures. In concert with planning for future resiliency, there will be a need in the near future to analyze and investigate all of the logs and collected data from this period of sudden transition to a remote workforce. Even if not used for fraud detection and remediation, this information will provide valuable insight for developing future policies. I hope that these tips have been informative and useful. If you have any questions please feel free to contact me.

Kevin Baker is a director at Marcum Technology and head of the digital forensics practice.