Study: Only 40% of manufacturers perform proactive tests
The pandemic created a breeding ground for hackers and bad actors. At the outset in March 2020, many companies viewed the move to remote work as temporary, and they reacted accordingly, doing whatever it took to get employees up and running in remote environments. But this move to remote work increased cybersecurity threats. Individuals’ home networks lack the protections of a company network. Personal computers are more vulnerable than company-issued and -managed equipment.
Further, some employees took sensitive files home, and financial professionals were handling company money with less oversight. At the same time, many companies failed to update their financial controls.
Fraud examiners across industries have documented an increase in cyber fraud (e.g., hacking and ransomware) during the pandemic, according to a recent report from the Association of Certified Fraud Examiners. While 33% said they’ve seen a “slight increase,” 52% said they’ve seen a “significant increase.”
The two most common cyberattacks we have seen impacting manufacturers during the pandemic are ransomware attacks and electronic payment fraud. Both of these types of breaches often start with a compromise of remote access services established for at-home employees, such as email account takeovers or unauthorized virtual private network (VPN) connections using guessed or stolen employee passwords.
Given the immense challenges manufacturers faced during the early days of the pandemic, it’s understandable that many initially made do with whatever tools they could find. But now, with some front-office employees returning to the office part time and others continuing to work remotely, it’s a good time to take stock and reassess data security and financial controls.
To strengthen cybersecurity preparedness, manufacturers should start by thoroughly examining their current security exposure, scrutinizing remote-access solutions, and understanding how many employees access company networks with personal computers. The widespread use of personal computers for company business raises cybersecurity risk significantly. For one, these computers aren’t monitored remotely by the company and often lack sophisticated security protections. If a hacker can get into a home network and a personal laptop, they may be able to daisy-chain their way into the company network.
According to a report from Malwarebytes, criminals are using existing malware families to infiltrate employees’ computers and understand which applications and access points remote teams are using. From there, criminals can identify vulnerabilities they can exploit.
To secure their systems from these threats, companies should:
- Extend company security controls to employees’ home offices. Throw out any insecure remote-access tools the company acquired during the height of the pandemic and put in place high-quality VPN solutions with two-factor authentication. These tools protect company data, no matter what network an employee is on (a home network or even the free Wi-Fi at Starbucks).
- Implement connection timeouts to minimize exposure to the company’s network.
- Outfit employees’ home offices with company-issued equipment that the company’s IT teams can manage remotely.
With these solutions in place, a company can stress test its newly fortified system and identify remaining gaps. Fewer than 40% of respondents in Sikich’s 2020 Manufacturing and Distribution Report said they perform penetration testing, phishing exercises on employees, and assessments of vendors’ data security efforts. Manufacturers should proactively engage in these preventative efforts to stay ahead of evolving security threats.
Remap Processes to Strengthen Controls
Fraud is often connected to repetitive, seemingly immaterial financial transactions that few people see. Gaps in controls over these types of transactions bring more opportunities for fraud. So, just as the pandemic ushered in new data security threats, it also weakened manufacturers’ fraud controls when employees began working remotely.
To combat this type of fraud, take a granular look at processes and identify the material weaknesses. For example, who picks up the customer payments that come in through the mail? How were they processed pre-pandemic, and how are they processed today? How many people are involved in processing payments? Who checks the work of the employees processing these payments?
Alongside this assessment of processes, work to increase virtual oversight in the absence of physical oversight. A key part of fraud protection in the post-COVID era will be optimizing the use of existing technology. Most financial software includes built-in controls, such as edit reports. Simply turning on these features can give leaders much more oversight of the financial activity taking place in a distributed work environment.
Additionally, educate employees about fraud awareness and prevention early in their tenures with the company. Employees who know the signs of fraud will be able to help the organization uncover simmering issues before they become crises. It is also essential to establish a whistleblower system, as fraud is most often uncovered through employee tips.
Starting with a thorough assessment and remapping process, manufacturers have a chance to improve their data security and fraud-prevention efforts to protect themselves in a new world of work with expanding threat vectors.
Written by: Brad Lutgen, Partner-in-charge of Sikich’s Cybersecurity Team, and Mary O’Connor, Partner on Sikich’s Forensic and Valuation Team, for Industry Week.