Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Is Your Company Vulnerable to Summer Cyber Attacks?
Quick Take
On this episode of Compliance Unfiltered, The CU guys have the remedy for your Summertime Compliance Blues. This week, Adam goes over why summertime is such a perfect opportunity for cyber attackers. The guys will cover how organizations can protect themselves this summer. They chat about helpful trainings and talk about some of the key planning companies can undertake to avoid some of the most common summertime scams. All this and more on this week’s edition of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
Read Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who could be considered the stargazer Lily to your compliance bouquet. Mr. Adam Goslin, how the heck are you, sir? I’m doing great, Todd. How about yourself? Man, I can’t complain. I’m not complaining.
Well, today we’re going to continue with the summer theme and talk specifically about, I don’t know, man, maybe it’s something in the air, maybe it’s the pollen, but I’m curious, what is it about the summertime specifically that kind of ramps up those cyber attacks that people might be vulnerable to? Well, you know, you figure it this way, you know, it just kind of set the stage, right? It’s, you know, it’s the middle of summer, and your CEO is on his annual couple-week vacation in some foreign land, visiting his wife’s family, something along those lines, and all of a sudden you get a text from a number that you don’t recognize, and, you know, the person’s, you know, saying, hey, you know, this is Mike, I lost my phone, I had to borrow somebody’s, you know, I’m going to jam, I need 25,000 sent to this account immediately, I’ll explain it when I get back, you know, there’s a link, it looks legit, you wire the money as quickly as possible, text them back, you know, hey, you know, you’re all set, we just the you know move the 25k and you know sure enough you get a thumbs up emoji you know and you, you kind of have a sigh of relief and yet you, you know not less than two weeks later the boss gets back and that’s when you, you know kind of put to put all the bullets together that you fell for a $25,000 fishing scam so it’s you know it, it happens yeah it does now the cyber attackers don’t take the summer off It’s not a thing you know no, they said they sure don’t you know, I mean it’s summer summer’s an interesting time, right? You get you know Everything gets a little bit more relaxed and people will go more, you know dress casual you know if you’re working out of an office and you know, the office is definitely quieter You got all sorts of people going on vacations and you know things slow down a little bit, etc But you know meanwhile the cyber attackers are just busily at it and you know, certainly they’re up to take advantage of any opportunity that’s provided to them so, you know including launching really if you think about it complex coordinated attacks over, you know national holidays or you know, especially since they know that you know staff things at a minimum you know work life, you know might be relaxed But you know your, your cyber security group needs to you know needs to keep it together all year long including the summertime You know as you’ve got people that are coming in and out of the office for you know They’re various, you know holidays and vacations and whatnot, you know the you need to make sure you’re staying on top of you know, your, your security and compliance, you know best practices through that period and making sure that you know The employees know, you know what, what are the types of things that they need to do to, to help to protect the company while they’re you know well, they’re out and about as well. So, you know, there’s, there’s just a lot of a lot of considerations If you will that that need to come into play that you know When it especially when it comes to you know to folks where their, their brains aren’t quite where they normally are during the summertime shall we say?
Sure. Well, how can organization protect themselves this summer? Well in terms of protection, you know as you’re going into those you know those summer months You know, it’s, it’s good to you know, good to prep you haven’t done it already then, you know, dust it off but you know make sure make sure that your disaster recovery business continuity contact lists are up to date before people are heading out of town. Nothing sucks more than to have something hit the fan and you’re trying to call so-and-so cell phone number, meanwhile they change their number, etc. That’s about the last time you want to try to get it figured out and then praying that they’re actually looking at their email or something while they’re on vacation, usually not a good recipe. It doesn’t do anybody any good to have a bunch of out-of-date information on that disaster recovery business continuity game plan. As well, when you’ve got personnel… that are requesting time for vacations, etc, making sure that you’ve got the coverage that you need, not just day-to-day, but for your security and compliance stuff as well. Any organization that’s already up and running on a security or compliance framework should be in operational mode, which means maintaining compliance, doing security-related tasks on a regular basis throughout the period. So this means that you’ve got personnel that likely are jumping in to fill the gaps through the summer as various people are going on vacation. So some strategic planning in advance is good to make sure who’s the backup for the people that are gonna be out of the office. How are we timing all the various vacations? What knowledge gaps do we need to make sure are covered as people are kind of clocking in and clocking out over that period? Anything that needs to be transitioned, if you’ve done that forethought, now anything that needs to be transitioned from one to another can be done before the employee leaves town instead of folks struggling with trying to figure things out or otherwise leaving it until so-and-so gets back. You know, if it’s been, you know, since last summer that you had backup people filling in, they may need a refresher or, you know, maybe your processes or whatnot have changed. So they may need to do things differently than they did the last go around, you know, so you don’t want to just be launching, you know, net new responsibilities at somebody as they’re, as you’re waving out the, as you run out the door, you know, type of thing. So, you know, setting that time aside, you know, in advance, you know, certainly is going to be, is going to be helpful, you know, and the other, the other piece of this is, while you’ve got the backups that are in, you know, making sure that they are trained to keep a lists of any important elements that need to be transitioned back, you know, once the vacation returns, you know. So, you know, in some cases, things kind of sort themselves out on their own and there’s no need for, for any follow up. But, you know, keeping that list as you’re going through it certainly means that you’re not going to forget something that was important for the either, you know, incoming or outgoing transitions.
You know, those are all, you know, kind of helpful for, you know, for the effective passing back and forth of the baton, you know, as you’re going through the, going through the process. That way, you know, instead of the returning person, as an example, you know, trying to pour through, you know, thousands of missed emails, you know, while they’ve been out, now they’ve got a really focused list that they can go and, you know, go and sit down and, and really be effective, you know, at the moment that they’re, you know, that they’re coming back, coming back online. Now, it sounds like a silly question, but Cory, it’s like, would training be helpful here?
Is this something that you could, I don’t know, kind of take a more approach to? Well, you know, certainly training, you know, training for personnel. is an important element. One of the most important pieces is making sure that people have secure connections in case they do need to jump in and do remote work. Making sure that they’ve got secure hotspots and internet connections while they’re out and about. We’ve talked about it before, but not using Bob and Martha’s corner coffee shop, public Wi-Fi, avoid doing things along those lines and so that you can make sure that you’ve got a good secure connection. But certainly only using those secure hotspots to connect to the internet. you know, cognizance of their surroundings when they’re on the road, you know, increased possibility that other people can view their screens and see what they’re doing, making sure that they’re making those connections, you know, through a VPN to the, you know, to the work environment, aka an encrypted connection, as well as, you know, making sure that you’ve got mobile device management for employees’ devices. You know, if you’ve got people that are doing traveling. You know, the other consideration is, you know, what about if they’re going to, you know, going to other countries? You know, do they, you know, do they have the ability to make and receive international calls, you know, from their, you know, from their phones? You know, once they leave and, you know, whatever, go to the, you know, go to the Bahamas or to France or whatever is not the time to realize that they can’t communicate in any way, shape or form, you know, so making sure that their phones are working, their hotspots are working internationally, those are all considerations.
And as well, you know, now we’re on the topic of foreign countries, you know, there are certain countries that we’ll call high-risk countries where, you know, you need to be careful about even which devices that I bring, right? You know, I’m not gonna, as an example, I’m not gonna travel to China and bring my work machine. You know, instead, I want like a burner phone, a burner laptop, you know, things along those lines, if I’m gonna be going, you know, going to countries where I’m concerned about, you know, risks to, you know, to, you know, the intellectual property of the organization or, you know, kind of privacy issues. So getting those, you know, burner phones and burner laptops out to people that we can just clean the clock on when they get back, you know, those are certainly things that, you know, that would be helpful to consider in advance. A lot of people just don’t, you know, put the, you know, don’t go put the- you know, out there of thinking about especially that international travel to sensitive locations, you know, and the other part we were talking about it earlier was, you know, your business continuity and disaster recovery will if I’ve got somebody that I’ve now issued the business continuity and disaster recovery, you know, plans with the issuance of those, you know, of those kind of burner. burner engagements, you know, burner. burner phone so we can get a hold of them as we need to on, you know, in relation to anything that we’ve got going on.
Sure. Now, let’s talk a little bit about planning. What planning is needed for compliance engagements over the summer? Well, we kind of alluded to it a little bit, a little bit earlier, but, you know, certainly one of the things to keep in mind You know, if you’re actively pursuing kind of first-time compliance, if you will, well, if that’s gonna hit a crescendo, you know, in the midst of the summertime, then that’s a consideration, you know, but, you know, if you’ve got, you gotta look at when you’re in operational mode, what’s the timing of our, you know, kind of the end of our current period, whether it’s end of Q1, Q2, Q3, you know, type of thing.
You know, where does that fall in the grand scheme of things and in relation to, you know, in the relation to, you know, all these vacations and what not happening over summer? You know, you gotta think through those summer vacations, the timing of your compliance engagements, you know, and, you know, making appropriate modifications to be able to either keep up with your, you know, security and compliance obligations, or especially if you’re coming up to like your end of year happens in the middle of the, you know, middle of the summer, that can be, we’ll call it especially problematic. Because, you know, the personnel wanna, you know, wanna take time off while, you know, their, you know, their, you know, kids or, you know, spouses are more available.
So, you know, and the other thing is too, depending on the personnel that you’ve got, you know, I worked for years in, you know, in the IT arena and, you know, a lot of the folks, we’ll call it a foreign descent or with foreign families, where they’re making a trip back to, you know, to their homeland, they will often save up their vacation for maybe a year or two years so that they can, you know, take a continuous, that’s a big trip, right? You’re gonna travel for 24, 30 hours just to get there. Well, you don’t wanna be there for three days. So, they’ll typically go and take a lot of time off. least two weeks, maybe it’s four weeks, you know, type of thing. And they’ll often will do all the coordination in advance, but that’s again something that you really got to think about if you’ve got, you know, if you got somebody literally out of pocket for, you know, for three or four weeks solid, you know, it underscores making sure you’ve got your I’s dotted T’s cross timings, you know, in place, etc. So, you know, you’ve got, you’ve got all those considerations going on, you know, and certainly there’s, you know, we talked about the gaps that’ll be left, you know, more often than not, you’ve got specific individuals that are responsible for specific evidence, you know, and, and making sure that you’re, you know, kind of doing all the, the planning and the transitioning and whatnot that, that we talked about earlier, just to make sure that you’ve got the right people providing, you know, kind of the right coverage, so that you can kind of keep things moving, you know, throughout that period.
Well, this is the part of the podcast that I’ve been excited about the most is just because these are things that I’m unaware of and I think that our listeners will appreciate this knowledge as well. What are some of the most common? summertime scams? Well, you’ve got a you’ve got a lot of you’ve got a lot of things that that you know, kind of eat more easily you know crop up during the summertime you know, we talked about people going on going on vacation With attackers posing as somebody that’s out of the office you know you think about it, right? I mean a you know anybody that has Their out of office turned on, on their on their email. Hey, hey guess what, you know Yeah, they were just you know, they were just sending spam messages or something or phishing messages Well now they’re getting the out of offices coming back oftentimes people in there at offices will you know note I’m gonna you know, whatever it’s I’m gonna be back You know two weeks from now on Monday type of thing, you know, and so you’re literally just spilling information to you know folks outside of the organization to be able to leverage so you know, certainly if they’ve if they’ve gained access to somebody’s, you know, somebody’s calendar or email they’ll know you know, they can go in and look at the look at the settings but you know certainly leveraging the other offices to, to try to do social engineering with you know with other personnel internally you know,
That’s something that that certainly will happen, you know, the you know the. the, the hackers going back to or you know to earlier we were talking about the phishing messages, right? I mean they can they can tear, you know thousands of emails out so just look at the flood of the out of offices that they would get back and they’d have a never-ending treasure trove of information to go to go give him a you know go give him a shot so you know certainly things that surround personnel being out um you know the, the hey send me money you know because I’m on I’m on the road with messages coming from unknown numbers etc you know those are certainly all uh you know all, all plausible as well um you’ll also see kind of an uptick in uh IRS related activity uh you know you figure you know during the summer time it’s you know now we’re what two three months out from you know tax filings and whatnot maybe plausible that you know the IRS will be getting through and doing you know doing their processing of, of tax returns etc so you know a lot of times you’ll see the, the IRS uh the IRS active related activity uh pop up during the summer as well people posing as the IRS, saying there’s a problem with your tax return, you didn’t pay enough money, and yeah, we’re gonna throw you in jail, and you’re gonna have to go to court, and all sorts of bug stuff. So you certainly see the IRS stuff kind of heating up as well, but those are a couple of the common summertime activities that you’ll see.
But the one thing that I’ll tell people is I’ll say, look, if you’re getting some unexpected message, always be suspicious. You know, validate sources before you do anything. You know, if I were to get a text from somebody that, you know, from an unknown number, saying that they were, you know, fill in the blank, you know, person on my team or my boss, and, you know, can I please click here and do something? Just go back to, you know, kind of commonly held channels of communication, and gain validation in a way that, you know, that you can do secondarily, you know, type of thing. Don’t just go mashing things that you’re in and receiving. I always go back to the, you know, kind of known legitimate sources to be able to validate any of those kind of miscellaneous, inbound, you know, inbound requests, because it’s so easy to, you know, just get caught, kind of caught off guard. And it’s natural for people to want to be helpful and to provide assistance when somebody is struggling. And that’s really what the bad guys are kind of playing on, if you will, is the human nature to want to provision assistance to people.
That makes sense. Parting shots and thoughts for the folks this week. Well, you know, the workplace arena is definitely… Definitely more laid-back more casual during the summer and that’s a good thing, as long as people are staying Vigilant about cyber security efforts, you know, certainly, you know One of the good habits to get into for you know for any organization is you know Doing a lot of the aforementioned planning training, etc. I mean, you know almost mentally plan that for you know, we’re right now, we happen to be recording this in the kind of the midst of the summer but you know certainly you know moving your vigilance forward in the year is, is definitely a Good practice to get into so, you know, I tell folks that say listen, you know Go ahead and plan this type of stuff for let’s call it early Q 2 you know, type of thing before we really get full swing into, you know, into kind of vacation and holiday mode. You know, go ahead and do, you know, a lot of your refresher training and then looking at your compliance engagement, looking at the timing of it, what, you know, alternative planning and staffing needs do you need to get covered. You know, doing all of those things in early Q2 will go a long way to helping you kind of smoothly navigate the, the remainder of Q2 and the earlier part of Q3. You know, we definitely don’t want, we definitely don’t want people letting their guard down when it comes to, you know, bad actors and cyber attacks and certainly we don’t want people taking a vacation from creating and maintaining a culture of compliance within their organization.
That right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin.. Hope we help to get you fired up to make your compliance suck less.
