Protecting yourself against bad actors
So…. A different topic for a blog post. Still prompted by our new COVID world.
We’ve seen a huge explosion in the use of technology since the crisis started. Life is very different compared to January – but it would have been even harder without today’s technology…. I like to say that the Internet is an unsung hero of COVID19. (Although, obviously, not in the same league as our health care workers.)
Some simple examples of what’s changed in my life:
- The H&Co team is working entirely virtually.
- Work being delivered (or products sold) entirely in digital format
- Much more use of online shopping and home delivery
- Video-conferencing instead of face-to-face, with colleagues, clients, and others. We have a daily team video huddle with our full staff. Allison has a weekly virtual cocktail hour with her Toronto girlfriends!
- Kids and students studying from home
Now, we’re very technology-driven at H&Co…. so some of these changes are less for us than for many. But it’s still been an adjustment. (Jaclyn, who’s based in Vancouver, is amused by the teething problems the rest of us are having – she’s lived it for 3 years!) And the change is huge for many people.
I’m a bad guy…
Because H&Co is so digital, we’ve already put a lot of effort into thinking about IT-related risks. But many businesses have had to make huge changes very quickly – without the time to really work it through.
Today’s main villain is microscopically small…. but there are other bad actors out there, and they’re taking advantage of the current crisis. I’ve certainly noticed an increase in emails trying to trick me into divulging information – or blackmailing me for $2,500 in bitcoin, or they’ll email inappropriate footage to my mother…
This blog post is prompted by a 12-minute video I received, via one of the boards I serve on. (Don’t worry, it should be safe to click). The video is written with a “corporate governance” angle for bigger organizations – but I’d still encourage you to take the time. If you’re really busy, skip to the start of the ninth minute for “5 things to do”.
What we recommend
There are so many options out there. Before you choose, do your research:
- Read reviews of the software
- Check how long the company has been in business
- Talk to other users if you can
- Look at their social media channels if they have them
- Demo before you invest
Not sure where to start? You may find you actually have some of this in place, but just not activated. Microsoft, Google and others have much of this stuff built in. You may just need to set the parameters and turn it on.
Passwords
This is the most obvious…. We recommend a password vault (a password manager). If you’re working with a team that needs access to client passwords or company apps, you should really use a vault that lets you share entries with your team at different permission levels, so each person sees only what they need. Most vaults will generate long, unique passwords for you, so you never have to reuse one. Of course, then you need to make sure you NEVER lose your “master” password – been there, done that, it’s not fun…. If your vault gives you a recovery kit or recovery codes when you set it up, print them and keep them somewhere safe, offline.
When handling confidential data, it’s best to go beyond just passwords. Almost all key apps support 2-factor authentication (2FA), though you usually have to switch it on yourself, and we certainly recommend it for any data that falls within PIPEDA requirements.
2FA is typically a six-digit code generated by an authenticator app on your phone, which changes every 30 seconds, but it can also be biometrics (my laptop recognizes me today…. let’s see after a couple more weeks without a haircut…). Codes sent by text message count too, but an authenticator app is the better choice wherever it’s offered, since a text message can be intercepted or redirected.
Security of stored data
Many companies are trying to get away from physical servers to cloud-based storage, but the same security rules apply to both. You need to ensure that, even though your data is stored in the cloud, there are security measures that keep out the bad actors and that you get notified if there’s suspicious activity.
When sourcing a cloud-based storage option, some things to consider are: the login process (including 2FA), permission levels, audit reports, the ability to revoke access or lock an account remotely if there’s suspicious activity, and the data back-up process. Look to go beyond a basic Google Drive – find something that adds those controls on top.
Careful transmission of data
In many businesses, you need to provide data to your clients, such as reports or forms for signature. One of the easiest ways to protect that is to password-protect the file, whether you’re emailing it or uploading it to a shared folder. Never send the password in the same email – give it to your client over the phone (or another channel that isn’t email), or use something only the two of you would know. Also, if you use a file-sharing service such as WeTransfer, Dropbox, etc., make sure you control who has access to the folder and know exactly who it’s shared with.
That’s especially important if you terminate the relationship – make sure that you have closed off access to shared folders at both ends.
When COVID hit, there were bad actors who hit Zoom and Google Meet by joining video calls uninvited. Zoom quickly jumped on this and has since put in place stricter security measures. But with both Zoom and Google Meet, never share your meeting details via social media; it’s best to send your meeting info via a direct calendar invite. This way you have more control over who has the meeting information. Turn on the meeting passcode and waiting room where they’re offered, so an uninvited guest can’t just walk in with the link.
And webcam covers are a nice easy solution, as well!
Controlling the access
In many of the sections above we have talked about controlling user access to software and data. After all, in a virtual world, access to the physical hardware is less relevant.
Some starting suggestions:
- Maintain control over who can “invite” users to your systems – or revoke access
- Turn on notifications, so you know when specific apps/data have been accessed
- Set password-strength requirements and audit that they’re actually being followed
- Turn on mandatory 2-factor authentication
- Review sign-in records regularly. If you know who should have access to your systems, an unfamiliar account, location, device or time of day stands out straight away.
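As an added example (not code from the original post, and not any product’s feature), here is the kind of review the last point describes, run over a small constructed sign-in log. The roster of who should have access is what makes the odd entries stand out: an account nobody added, a sign-in from the wrong country, a sign-in at 3 a.m., and a run of failed attempts right before a success. The log format, the roster, the business-hours window and the three-failures threshold are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (not real data). Fields: timestamp (UTC), user, source IP, country, result.
SAMPLE_LOG = """\
2020-05-04T13:02:11Z,alice,203.0.113.10,CA,success
2020-05-04T13:05:40Z,bob,198.51.100.7,CA,success
2020-05-04T13:07:02Z,jaclyn,192.0.2.44,CA,success
2020-05-04T03:14:09Z,alice,198.51.100.200,RU,success
2020-05-04T14:20:01Z,bob,203.0.113.99,CA,failure
2020-05-04T14:20:05Z,bob,203.0.113.99,CA,failure
2020-05-04T14:20:09Z,bob,203.0.113.99,CA,failure
2020-05-04T14:20:14Z,bob,203.0.113.99,CA,success
2020-05-04T15:00:00Z,mallory,203.0.113.55,US,success
"""

# Who SHOULD have access, and where they normally sign in from (constructed for the example).
ROSTER = {"alice": "CA", "bob": "CA", "jaclyn": "CA"}
BUSINESS_HOURS_UTC = range(12, 24)   # roughly 8 a.m. to 8 p.m. Toronto time in summer (assumption)
FAILED_BEFORE_SUCCESS = 3            # this many failures then a success looks like password guessing


def parse_log(text):
    """Turn the CSV-style lines into dicts with a real datetime, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return events


def review(events, roster):
    """Return (user, reason) findings for anything that doesn't fit the roster or normal behaviour."""
    findings = []
    failures = defaultdict(int)                      # consecutive failures per (user, ip)
    for e in sorted(events, key=lambda ev: ev["time"]):
        who = e["user"]
        if who not in roster:
            findings.append((who, "account not on roster"))
            continue
        if e["result"] == "failure":
            failures[(who, e["ip"])] += 1
            continue
        # From here on the sign-in succeeded.
        streak = failures[(who, e["ip"])]
        if streak >= FAILED_BEFORE_SUCCESS:
            findings.append((who, f"{streak} failures then success from {e['ip']}"))
        failures[(who, e["ip"])] = 0
        if e["country"] != roster[who]:
            findings.append((who, f"sign-in from {e['country']}, usually {roster[who]}"))
        if e["time"].hour not in BUSINESS_HOURS_UTC:
            findings.append((who, f"sign-in at {e['time'].strftime('%H:%M')} UTC, outside business hours"))
    return findings


if __name__ == "__main__":
    for user, reason in review(parse_log(SAMPLE_LOG), ROSTER):
        print(f"{user:8} {reason}")
```

Most cloud apps will export a sign-in log in roughly this shape, and the same four questions (is the account supposed to exist, is the place usual, is the time usual, was it preceded by failures) are the ones to ask whether you do it by eye or with a script.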
Call to action
OK, we know we’re accountants, not IT people. But…. we live this, as well as numbers. We’d love to talk to make sure you’re protected. Let us know if this is on your mind.
Stay safe (in more ways than one!)