While you may think that cybersecurity is just an IT issue, the truth is that bad actors can target any department, including finance and human resources, because those departments move money and hold personal data.
October is recognized as Cybersecurity Awareness Month, a time when both the public and private sectors work together to raise awareness about the importance of cybersecurity.
“Local public entities maintain a lot of confidential and sensitive information, which is viewed as a target by bad actors,” said VRSA Managing Director Marcus Hensel. “That’s why it is important to bring awareness to your community and educate and train employees and implement in-place controls.”
Social engineering is the most frequent type of cyber incident reported to VRSA. One type of fraudulent instruction is Business E-mail Compromise (BEC). In a BEC scheme, a bad actor gains access to a business e-mail account (or convincingly imitates one), then alters legitimate invoices or impersonates an employee or vendor to trick the victim into sending payments for goods or services to a bank account the bad actor controls.
For example, in one claim, an authority received fraudulent instructions to wire funds to a new bank account and did so; the account belonged to the bad actor.
Entities should be particularly careful after a bid has been awarded. Awards are public record, so they draw the attention of bad actors who then impersonate the winning vendor and request payment, or a change in where payment is sent.
Loss Mitigation
HR and finance staff play an important role in preventing losses. Entities are encouraged to develop policies and procedures. They should focus on:
- Ensure only authorized employees have permission to access systems such as payroll, digital personnel files, benefits information, and retirement plan information, and remove that access promptly when an employee changes roles or leaves.
- Conduct thorough background checks on individuals being hired for these sensitive positions. Checking for past criminal conduct reduces the risk that a new hire poses an insider threat.
- Always verify any request to change payment instructions before acting on it. One method is to call the requester back at a phone number already on file for a known contact, never at a number supplied in the request itself. Another method is to verify in person.
- Review the contract terms about how payments are to be made. Most contracts specifically state that their terms, including payment details, may not be changed without the signatures of all parties, so an e-mailed change request alone should never be honored.
- Train employees that bad actors exploit human tendencies such as deference to authority, eagerness to please, and familiarity with a trusted name. Alert them to use caution when clicking links or opening attachments in an unverified e-mail, even if the link text or URL appears to reference a familiar website.
- Ensure citizens are educated on the verified types of communication they may receive from the entity, so they can recognize impersonation of the entity itself.
- Be suspicious of new e-mail addresses seemingly associated with known contacts, especially addresses at free, web-based e-mail providers such as Gmail, and of addresses whose domain differs only slightly from the vendor’s domain on file.
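The sender checks described above can be applied mechanically before anyone in accounts payable acts on a payment-change request. The following Python script is an added example, not code from the original article or from VRSA. The vendor record, the list of free web-mail providers and the sample messages are constructed for illustration; the look-alike test (a small edit distance between the sender’s domain and the domain on file) goes slightly beyond the text, since it catches domains like a hyphenated or one-letter-off copy of the real one. A verdict of "ok" is not approval: the callback to the number on file still has to happen.

```python
"""Screen the sender of a payment-change request against the vendor record on file.

Added example; vendor data, provider list and messages are constructed, not real.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Free, web-based providers. A legitimate vendor rarely moves invoicing here.
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Constructed vendor master record (hypothetical vendor, domain and phone on file).
VENDORS_ON_FILE = {
    "Acme Paving": {"domain": "acmepaving.com", "phone_on_file": "555-0100"},
}

# A domain this close to the one on file is treated as a look-alike rather than a stranger.
LOOKALIKE_MAX_DISTANCE = 2


@dataclass
class Screening:
    verdict: str                      # "ok" or "hold"
    reasons: List[str] = field(default_factory=list)


def _domain(addr: str) -> str:
    """Return the lower-cased domain of an address, ignoring any display name."""
    m = re.search(r"<([^>]+)>", addr)
    addr = m.group(1) if m else addr
    return addr.rsplit("@", 1)[-1].strip().lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_request(vendor: str, from_header: str, reply_to: Optional[str] = None) -> Screening:
    """Flag a payment-change request whose sender does not match the vendor on file."""
    reasons = []
    on_file = VENDORS_ON_FILE[vendor]["domain"]
    sender = _domain(from_header)

    if sender in FREE_MAIL_PROVIDERS:
        reasons.append(f"sender uses free web-mail provider {sender}")
    if sender != on_file:
        d = _edit_distance(sender, on_file)
        if 0 < d <= LOOKALIKE_MAX_DISTANCE:
            reasons.append(f"sender domain {sender} is a look-alike of {on_file}")
        else:
            reasons.append(f"sender domain {sender} does not match {on_file} on file")
    # A Reply-To that steers replies elsewhere is a classic sign of a hijacked thread.
    if reply_to and _domain(reply_to) != on_file:
        reasons.append(f"Reply-To {reply_to} is not at the domain on file ({on_file})")

    return Screening("hold" if reasons else "ok", reasons)


def callback_number(vendor: str) -> str:
    """The number to verify with: always the one on file, never one from the e-mail."""
    return VENDORS_ON_FILE[vendor]["phone_on_file"]


if __name__ == "__main__":
    samples = [  # constructed From headers for the hypothetical vendor
        ("AP Billing <ar@acmepaving.com>", None),
        ("ar@acme-paving.com", None),
        ("acmepaving.ar@gmail.com", None),
        ("ar@acmepaving.com", "ar.acmepaving@outlook.com"),
    ]
    for from_header, reply_to in samples:
        result = screen_request("Acme Paving", from_header, reply_to)
        print(result.verdict, from_header, result.reasons)
    print("verify by calling", callback_number("Acme Paving"))
```

The hyphenated and free-mail cases are placed on hold with a reason that can be pasted into the case notes; the clean case passes the screen and still goes to the callback step, because a compromised legitimate mailbox looks exactly like a clean one.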
It is also important to document the policies put into place to maintain control over these systems, including:
- Roles and permissions
- If/then scenarios
- Tools/resources and uses
- The exceptions
- Sign-off on the process
Review these procedures regularly to confirm they are still adequate, and audit actual payment changes against them to ensure they are being followed in practice.
IT Role
While all employees should be regularly trained on identifying and mitigating cybersecurity threats, technical and physical security controls are also crucial. Consider:
- Implementing multi-factor authentication (MFA) for e-mail, remote access, and privileged user accounts, since a compromised mailbox is the starting point for most BEC schemes.
- Using email filtering to prevent malicious emails from landing in your employees’ inboxes.
- Deploying next-generation endpoint protection to help detect and stop the spread of malware.
VRSA Resources
Members have access to several cybersecurity resources on the VRSA website to help identify and implement controls. These include prevention measures, incident response guidance, a cyber inventory, and access to a free cybersecurity application with a security health check and sample incident response plans.
A recording of a recent virtual engagement, HR’s Increasingly Important Role in Cyber Risk Management, is also available online.
Upcoming Engagement
Cybersecurity and a Review of Recent Incidents
Every entity faces the potential for a cyber incident, from the smallest to the largest. Since 2012, we have provided cyber protections tailored to our members’ interests. As protections have evolved to meet coverage expectations, our service delivery has matured as well.
This virtual engagement will walk through cybersecurity and a review of recent incidents.
- Wednesday, Dec. 4, 9 a.m.
- Register here.
VRSA was the first group self-insurance pool in the Commonwealth to provide cyber protections, and we continue to update these protections to meet member needs as the cybersecurity environment evolves. Please contact your coverage specialist or member services representative for more information or questions.