Compliance officers are now a power center in many organizations with far-reaching influence, oversight, and access to sensitive information. Employee records, investigation documents, sensitive legal findings, and communications with governments could all be valuable information for bad actors to acquire for espionage or profit.
On February 15, Ericsson disclosed an investigation into possible compliance issues related to Iraq, ISIS, and failures to comply with its 2019 deferred prosecution agreement that was part of its $1 billion FCPA settlement. In the five days following that disclosure, Ericsson’s stock fell nearly twenty percent. Hypothetically, a bad actor — either public or private — with access to internal compliance communications in the months leading up to the disclosure could use that information in many ways.
While companies allocate tremendous resources towards strengthening their network security, every cybersecurity program has an Achilles' heel: humans. Over 95 percent of all cybersecurity incidents are caused by human error, according to a study by IBM. Here’s an excerpt from that study:
The most commonly recorded forms of human error include system misconfiguration, poor patch management, use of default user names and passwords or easy-to-guess passwords, lost laptops or mobile devices, and disclosure of regulated information via use of an incorrect email address. The most prevalent contributing human error? “Double clicking” on an infected attachment or unsafe URL.
Use a Password Manager
Do you use the same password for everything? Imagine this scenario: a website that doesn’t store anything important of yours, like banking information, has its user database leaked on the dark web. You might not be too worried that a hacker has access to your account at a now-defunct pet photography company, but the risk exposure is huge if those login credentials are the same ones you use for your cloud document provider or email account.
With a password manager you only need to remember one password. Strong, unique passwords are generated for each website or login, and most services monitor the dark web for possible leaks of your credentials. Many large companies already use single sign-on services that allow users to log into many different applications and websites using one set of authenticated credentials. If your company doesn’t use single sign-on, a password manager is a good alternative.
At the FCPA Blog, all employees are required to use Dashlane. It’s easy to set up and use, and integrates well with a browser plugin.
Use a Virtual Private Network (VPN)
With a VPN, your internet traffic is encrypted between your device and the VPN provider, so your ISP and anyone else on the local network cannot see what you do online. If you’ve heard of a VPN, it’s probably because they’re often used to watch streaming content from a location you aren’t in. For example, if you’re traveling and want to watch your favorite show from abroad, you can with a VPN.
But the value of a VPN goes beyond that.
It keeps your location private. It inhibits the ability of ISPs, governments, and marketers to track and collect your browsing data.
Some larger companies have VPNs so employees can access internal networks from anywhere. Other companies disallow VPNs on company-issued devices. But using a VPN is one of the best ways to stay private online.
One downside: You can only trust your VPN as much as you trust the company running it, since they have access to your browsing data.
Reputable VPN companies typically charge a small monthly fee for the service, and also provide external audits validating their privacy claims.
At the FCPA Blog we use NordVPN. It’s fast and works across devices.
Corporations have made enormous investments and many maintain state-of-the-art cybersecurity teams. However, the weak point in even the most sophisticated organizations is people. According to TechRepublic, 84 percent of organizations fell victim to phishing in 2021.
Phishing attacks trick users into handing over access credentials or opening backdoors by impersonating companies or organizations the users trust. Typically, a user gets an email or SMS appearing to be from a company they use, prompting them to reset a password, update billing information, challenge a suspicious login, or even review a phishing attempt. The links in the message can install malware on the device or funnel the user to a look-alike website that harvests the credentials they type in, giving the attacker access to the user’s accounts.
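One concrete indicator of the "funnel the user to a different website" trick is a link whose visible text names the trusted company's domain while its href points somewhere else. The following is an added example, not code from the FCPA Blog, that flags such links in an HTML email body; the sample message, the helper names and the crude domain comparison are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
# Matches a bare domain name inside visible link text (constructed regex, not a full validator).
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude 'example.com' from 'login.example.com'; a public-suffix list would be more accurate."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def suspicious_links(html_body):
    """Return (href, visible text, reason) for links whose text names one domain but point elsewhere."""
    p = _LinkCollector()
    p.feed(html_body)
    findings = []
    for href, text in p.links:
        target = registered_domain(urlparse(href).hostname or "")
        m = DOMAIN_RE.search(text)
        if m and registered_domain(m.group(1)) != target:
            findings.append((href, text, "visible domain differs from link target"))
    return findings

# Constructed sample: a look-alike "reset" link next to a genuine help-center link.
SAMPLE_EMAIL = """<p>Unusual sign-in detected on your account.</p>
<p>Please <a href="http://secure-bank-login.example.net/reset">https://www.examplebank.com/reset</a>
to confirm your identity, or visit <a href="https://www.examplebank.com/help">our help center</a>.</p>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text={text!r} -> {href}")
```

Running the block reports only the first link; the help-center link passes because its text names no domain and its target matches the impersonated company.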
We’ve all seen generic phishing attempts, but a more dangerous variation known as “spear-phishing” explicitly targets specific individuals. Often, targets are senior executives with discretionary power. In 2016, a Belgian subsidiary of Crédit Agricole lost $76 million to an attack that targeted its CEO.
The FTC has a resource page on recognizing phishing attacks. Companies should also include resources for employees and security contact points if they believe they have been the victim of an attempted or successful spear-phishing attack.
There is a reason why email phishing is a perennial problem: it works. No one wants to believe they would fall for it, but phishing gets more sophisticated and targeted every day. Software and security providers can monitor corporate systems and mitigate the risk, but only training and vigilance can prevent the damage.