Transcript for:
Risk Mitigation in a Remote Environment: Practical Considerations

good morning and welcome to today's webinar risk mitigation practical considerations maintaining compliance security and integrity in a remote environment my name is Rick Jose I'm director of IT assurance and today's webinar moderator this webinar has three main objectives telework best practices addressed teleworking threat landscape and finally Kovac 19 impact on controls and compliance please note that if you'd like to submit any questions please submit all your questions using the Q&A option at the bottom of the webinar platform for our panel to address thank you for that our panel members are well known to us as jell of all traits the bank hacker and the sheriff we hope you'll enjoy today's informative presentation by our subject matter experts our first panelist is Sara Lynn security advisory partner with 30-plus years in IT and for IT information security compliance risk management advisory audit prep business continuity disaster recovery operations and technology engineering verticals include high-tech banking and financial services insurance medical telecommunications and retail she's well versed in the SAS and IAS platforms our second panelist is David trip security assessment partner David is the partner in charge of BPMS information security assessment team as a leader of over 1,400 comprehensive penetration tests for financial government law enforcement healthcare and commercial organizations worldwide you could just say that David breaks into banks for a living David will bring a hackers perspective to today's webinar our third panelist is Ashwin e Verma risk assurance and advisory services partner ash Vani leads be PM's risk assurance and advisory services group and IT assurance practice he has over 20 years of experience providing angel auto risk management regulatory compliance on IT controls related services his expertise and backgrounds include internal audit strategy and implementation sarbanes-oxley readiness and compliance Enterprise Risk 
Management fraud risk assessments soft one as well as soft two and three readiness and reporting IT security privacy strategy and assessments you may also learn more about each partners areas of expertise at BPM CPA com forward slash people without any further delay let me welcome our first panel is Sarah good morning Sarah hey good morning Rick yes I take on the title Jill of all trades but today I want to talk about telework best practices so let's get right into it so some of the things that we care about for our employees are controls that we can address in this world of teleworking or items that we can address in the world of teleworking and I just want to talk about a few that we should review and keep in the back of our minds these are sometimes overlooked a bit first how your business should address security and privacy when your workforce is at home in a home workspace and not tied to their desk and I'm not just talking about their laptop the VPN and the access control but what is going on in the environment how is that environment working what's going on on their desk and how are they working in that space when we can't see them and this is going on now every day during the week and not just maybe one or two days so things to think about there are are they do they actually have a workspace are they like the guy in the picture here with his four-year-old hanging off his back using a coloring book I know that's what it is when I work from home but I know that there are other considerations about where our confidential and restricted paperwork is whether we're able to use certain devices in the home office that we can't in the office and how they're monitored those are all things to think about and things to think about I mean by like printing so when we print at home are we able to print from home what are we printing what's happening with that piece of confidential paperwork or restricted paperwork sitting out on your desk going in the family trashcan or 
when you're in the office it's going to the confidential trash it's at least protected inside the office a little bit more so things to think about we can control that we can make it administratively controlled that a person cannot print from home but they can view from home so there are some things we can put in place or should put in place for the remote workplace and these are just things to think about again and then where is your desk when you work from home and what is on it I was on a video chat with someone a couple days ago and he was just sitting on the corner of his couch and I asked what was going on and he said well that's where I work on the corner of the couch in the living room and so we want to think about where they're working what is on their desk what does their workspace look like is it sufficient there any way that we need to help and is there anything that we need to control in that workspace and then we move on to what it is you do with your laptop and how do you leave it when you take a break when you take that four-year-old out to play soccer in the backyard for five minutes or you take a break for a sandwich or a cup of coffee or go on the porch to pick up your amazon package what do you do with that laptop do you leave it unlocked does it lock automatically is it going to a screen saver what is going on and if there are other people besides one person in the house who else can see what's on that laptop those are things to think about and there are ways to and in Australia we control this and practice control this so things to think about and then again who else is in the workspace is it just your employee your employee of their spouse five people ten people six people children adults people who might not need to see what's on that laptop these are things to think about and potentially attempt to control X I please alright so then we want to talk about once we think about all the items and we think about what's happening in the workplace 
and what we want to happen in the workplace at home and what we don't want to happen there then we want to update potentially or right if you don't have it a wfh work from home policy or practice maybe you already have one maybe needs updating maybe you didn't think of all the things that are happening today update that practice write that practice and I know that's not something we've been thinking about for the last three or four weeks but if you have someone that's got a little spare time at home this is a perfect time to have those practices either written or updated by your staff as well as when that happens you have to update your training material because if you don't update the training material you know you can write all the policy you want in the world but nobody's gonna follow it or no they need to follow it unless they get trained and then acknowledge the training acknowledge the training either in your HR is system check box I watch the video or I read the policy or I agree to the policy or there's a policy set to be an email and a practice of a knowledge of it form but remember also to have a way for people to ask questions if they get stuff you don't want it to be just a checkbox you really want them to understand what it is you need and desire for them to do at home and if for some reason they can't do it that they bring it back to a manager and then you're we're considerate but firm about what we want to happen and then that leads to enforcing the work from home practice or policy so that's always the hard part there are things that you would can administrator they control there are things that you can monitor that you might not be monitoring like the whole network a piece of the whole network VPN over the home network what the person is doing or not doing on the laptop determine how far you need to for compliance sake go or want to go but also there are things that you don't administrative Lincoln troll you control through teaching and practice 
and acknowledgement and finally making sure that everyone understands just because you've moved from the office to the home if you're in a position of administrative access or privileged access you're still in an auditable state your machine your practice is what you do is still auditable no matter where you're sitting whether it's at home or in the office so we have to keep that level of control no back doors to environments we still want to keep our access controls our VPN access we don't want to hand out administrative controls to additional people and want to maintain the level of control and a suwannee is going to talk about that a little bit that we need for the compliance of our businesses ok next slide please and so I just want to tell you a couple of stories about what's going on right now during this time one of the companies that we work for shared with us over the last few weeks that they didn't think they could continue their compliance projects because they didn't know how to have a remote workforce in the past rarely did anyone work from home most everyone came into one of two offices so since we do a lot of remote work we assured them that we can continue our practice with them when they get settled and we can help provide some advice on how to do remote work hold remote meetings continue to march down project plans if they have the time and sure enough after about a week and a half they got back onto the project and the compliance is moving forward so if you're in that position where you're worried about a compliance project or some other IT project or a security project or a privacy project and you don't think you can keep it up we can give you some support in that area but also I think he can you just need to think about the remote workspace as just an extension of the office and one other customer was in a position to hire a security staff of professionals one two three people maybe a VP maybe some other staff and during this time they just 
couldn't close on all the paperwork for these candidates so what they asked us to do was step up and fill in as interim sigh so and staff for them while they continue through this phase and continue either interviewing or getting the candidates in place and so we were able to just additionally support them during this time instead of letting their compliance go to the backburner one of our other companies was in the middle of a big project and it was surrounding changing security architecture so instead of slowing down they actually asked us to double down and speed up they could actually see the value more during this time so instead of slowing down everything got faster and the architecture is going to be put in place sooner than expected and finally we had a customer that was planning for continuous monitoring going through the RFP process vetting out several different companies that might be able to do 24 by 7 by 365 monitoring and all of a sudden they made a decision to start working with us because it was going to be faster and we were ready to receive them so those are some things that we can support you on but some things that you might consider that can happen during a slow period that might not be as obvious to happen during a slow period so that's what I have Rick did you have any questions that popped up on this telework addressable controls for your employees section thank you sir yes an individual asked the you mentioned CIS oh and I responded but would you like to spend just maybe a few seconds on the definition of a CIS oh and their position within a firm oh sure a chief information security officer a lot of companies either have the CI soo or the CSO the chief security officer or maybe they have a director of information security some small medium companies don't have that position that they have someone that is moving toward that position or they have an IT security manager in the case with a couple of our companies they are the size that really 
needs a sigh so and a staff but they don't have that person identified right this moment or they were in the process of identifying and we can step in as a what I call this ISO team one two three of us can step in and support that company while they either go through a compliance project or transition attempt to hire and tend to expand a team or make that transition from no security department to a security department Sarah thank you so much sir any other questions Rick we do have a couple of questions which would like to ask you towards the Ana's part of our back and forth and but at this moment no questions are coming in from our audience but again our audience are welcome to join us through the Q&A okay that sounds great so I'm gonna turn it over to my partner here Dave who's gonna really talk about a threat landscape okay thank you Sarah Thanks everybody for taking time out today from the new normal to join us as Sarah said I'm going to talk about the teleworking threat landscape and so if we move to the next slide please as Rick mentioned when he did the introductions the my job and the the job of my team at BPM is to think like thieves and when one thinks like a thief the new telework work from home environment to a thief represents an increase in the surface area that we have to attack and so some examples are shown on the slide here first and foremost all these computers and mobile devices whether they're company-issued or owned by the employees are suddenly attackable outside the company firewall so these systems were largely constrained behind a firewall that limited our ability to get to them now we find them strung out across home offices all over and to an attacker that is a tremendous increase in attack surface area along with that things like VPN systems and remote email services cloud services and applications all of these are seeing a tremendous increase in utilization which allows thieves or attackers to fly below the radar better to avoid 
detection better and this is a tremendous benefit to those threat actors or fraudsters out there trying to perform attacks additionally there are all kinds of new social engineering type attacks or attacks against humans themselves that present to an attacker that weren't readily available to us in the past so things like calling employees at home and maybe impersonating IT and telling that employee are there to help them maybe secure or enhance the performance of their remote access and then talk them through some technical steps that may expose their computer or expose credentials or other sensitive information that they can take advantage of there's also all kinds of attacks taking advantage of the coronavirus responses such as many of us have seen attacks where we get a an offer to view a map that shows information for our area or our neighborhood or something next slide please additionally when we think about these systems at home there's all kinds of attack surface presented to us by home networks so not only have everybody has everybody brought home computers and mobile devices to work from home but now they're working from home on ISP provided routers or modems that are often really poorly secured so they may have default passwords lack adequate patching or updating and if an attacker coming dear is one of these systems now they have a man-in-the-middle position from which they can monitor and intercept all of the traffic moving between that employee and the office or the cloud wherever they're going home networks whether they're wired or Wireless are often really poorly secured we'll talk about securing home Wireless in a moment home PCs are often already compromised at least with adware and in some cases with much more malicious malware prior to even beginning the the whole work from home and then of course homes these days have a lot of what we call IOT or Internet of Things devices that may connect to the internet from from thermostat and your heating 
and ventilation and air conditioning system to garage door openers home alarm system smart TVs all of these represent an increase in attack surface area to attackers so on to the next slide just a couple quick examples here here we see a very common phishing attack using current events many of us have received emails like this in our in boxes already and this one purports to be from state.gov which is actually a valid domain for the state department but of course if one clicks reply on this email one finds out that it's not going back to state.gov at all it's going back to some crazy domain that nobody's ever heard of before and it's got this wonderful little attachment here but if one looks at the extension on that file it's an ISO extension which is a executable file format type that allows the computer to view the file contents as if they were on a on a CD drive in a great way a very common way that attackers used to circumvent security controls on workstations next slide please as we move on here just a couple of very basic text based attacks using current events there on the Left we see someone offering to help with the the stimulus funds that are coming out for organizations all you gotta do is click on that link and you'll either be asked for some PII or that will send you to a site that will attack your mobile device there are a lot of attacks out there targeting both Android and Apple phone users on the right there of course we see another great example that purports to be from an authority that says you've come in contact with someone who is been tested as positive so please take appropriate action of course in this case the appropriate action involves getting your phone attacked in one form or another on to the next slide please and then as we talk about remote work from home environments a lot of organizations hopefully a lot of you present today have implemented MFA or 2fa multi-factor authentication and that of course is when we take something like a 
fob here or or a mobile device and we send a one-time code to it to augment our username and password and multi-factor authentication is a tremendously powerful control in in the case of attackers they have developed a number of ways around it so some of those attacks we just saw in the previous slides are used to deploy payloads malicious payloads like we see in the first bullet here with lovely names like necro browser that are meant to intercept critical communications information from your phone or your home PC there are a lot of attacks against help desks both your company's help desk and your vendors help desk such as your phone providers help desk and you see the little photograph there on the right from a little attack that we attempted against a phone provider helpdesk wherein we tried to convince the phone provider to switch the phone number for that account so then when that one-time passcode gets sent to the users phone it gets sent to our phone instead of the user's phone when setting up remote access there's all kinds of backdoors that may not require multi-factor authentication things that go under the name of exchange web services or exchange native clients with modern equipment that can be can be used as an end-around on you're multi-factor authentication and then of course there's always just asking users for that one-time code there's a very popular attack going around right now where an attacker tries to login to the user say online banking system or remote access VPN controller and they and they know the username and password through some other attack they enter that and now they're presented with multi-factor authentication okay well not to be denied they're going to pick up the phone then call that user and say hey we're from the bank and there's been some suspicious activity in your account we need to go over this with you but before we do we need you to verify that it's really you so would you please provide the one-time code you just 
received and of course that one-time code you just received is not for you to validate the caller who you are it's for you to divulge your one-time code to that caller so they can finish the login process and then take advantage of whatever they're trying to defeat and then lastly there's SIM card swaps attempts to actually impersonate or a place the phone you have with with other phones so those are some of the common attack techniques now we'll just wrap up here with some of the telework security considerations that that all users and organizations should keep in mind from hackers view point we're going to start with user considerations first and foremost just to follow up what Sarah was discussing you should if your company has a work from home policy or procedure in place you should know it understand it and follow it other key items use your privacy screens when you don't need them there are a lot of attacks out there that turn on cameras without the little light that indicates that it's actually on and then they can spy on you make sure your digital assistants like Siri or Alexa are not in earshot when you're having sensitive conversations you know Texas and Lexus sound a lot like Alexa and you will invoke their listening protocols practice safe application storefront protocols when you need to go to download an application be reminded that you're no longer safe behind the corporate firewall that's going to watch and look for those malicious payloads so only go to the Apple Store only go to Google Play places that have vetted the contents of their applications and just simply don't download anything that you don't need to at this time pay very close to links before you attention to links before you click on them chase.com is not the same destination as Chase Bank comm and chase comm is not the same destination as chase net pay very close attention to the links you're clicking on the last three letters or an occasionally four letters that net.com at org and 
the word that immediately proceed those last three letters those are where you're going anything that comes before that is irrelevant for our purposes pay attention to the dot org or the dot-com or the dotnet and the word that immediately precedes it and if that's not where you think you should be going then you're going to the wrong place and again as we saw in phishing email example if you get an email that purports to be from a fellow employee or some vendor or other authority source and you're not sure about it just click reply you don't have to reply just click the reply button and see where it says it's going to if that email is not headed back to the same place it purported to be from then someone is attacking you next slide please continued user security considerations I can't overemphasize this now is the time to use the strongest possible passwords and so you strong in other words long passwords the only strong password is a long one we recommend examples like pass phrases but avoid easy to guess slogans lyrics etc attackers like us have started to incorporate advertising slogans and the Lord's Prayer and McKenna McCartney Lennon lyrics and so forth into our dictionaries for password guessing make sure your home Wi-Fi has is using secure encryption not old-fashioned WEP or WPA one make sure it's wpa2 or better yet WPA three encryption levels you can check those settings on your home Wi-Fi considered hidden segmenting your network that may be a bit much to take on at this time but but paranoid people like I have more than one network at home and one network has non secure stuff and the other has secure stuff and then lastly think about least functionality turn off your location services if they're not needed especially if your staycations at home you're not going anywhere you don't need those location services turn off Bluetooth turn off Wi-Fi unless you need it and consider a personal hotspot if you do have to travel void using public Wi-Fi next slide 
please and just a couple of telework security considerations for the organization itself now is a good time to consider mobile device management solution for managing all those mobile devices make sure everything has good logging controls and this is something Sara's team can help with if you don't already have this in place someone to monitor who's logging in at make sure you have adequate storage for those logs because now is when an attacker can fly below the radar because there's so much activity on those devices again multi-factor authentication for everything patch everything and if the organizational level think about lease functionality as well when it comes to which employees need access to what when everybody is safely ensconced behind the firewall that's not as important consideration as it is now when someone an attacker could have commandeered one of those remote employees logins and now all of a sudden has access to everything so what exactly does that employee with that job role need access to not an easy solution to this problem but a very important consideration during these mobile work from home times and the last slide for those of you last slide in my section for those of you who are faced with concerns Rick if we can move on to the next slide for those of you faced with concerns about what your attack surface area looks like right now in the telework world we have put together a very concise inexpensive telework remote access security assessment service where you can come in and look at your technical footprint take a deep dive into your remote access systems and policies so that's all I had for this morning any questions Rick before we move on we don't have any questions for our audience at this forum but I want ask you a question you brought up the issue of public Wi-Fi can I just ask you is it ever okay to connect to a public Wi-Fi including my own ISP public Wi-Fi such as in a greater Bay Area we have Xfinity so such as Xfinity Wi-Fi yeah 
great question and the answer is sometimes it's necessary to use public Wi-Fi if it's all you have available then that is what you need to do there are some compensating controls make sure you have a VPN solution before getting on the public Wi-Fi so that all of your transmissions can be encrypted as we noted in the previous slide if you can use a personal hotspot that will leverage your connection to the sell system and that's a good way to try to avoid it but the answer is you probably shouldn't if you can avoid it I appreciate that I thank you for that um we don't have again as I said our participants were appreciate your questions so please make sure you post your questions and I'll be sure to ask our panelists your questions along the way let me just welcome our partner ash mone Verma who speaking to us about koban 19 impact and controls and compliances good morning sir morning Thank You Rick and thank you David and Sara for doing a wonderful job and discussing the risk and their and your suggestions related to IT security given the the more work situation we just cost like over nineteen my you know my perspective is really today to share some of the risk organizations are facing from the enterprise bar and a privacy standpoint of you which many organizations are either struggling it or trying to manage at the moment some of the example risk you know Rick and the audience's companies are worried about the fraud risk companies are very worried about the reputation risk some of the organizations which have a manufacturing or they have a supplier global supplier supply chain is one of the risk organizations are struggling equally important business continuity is a huge challenge at the moment given given the situational ran and and equally important how to continue to generate revenue how to continue to generate collect your AR both things are perhaps are at the forefront at the moment bigger organizations if you're a public company tend to have a form of risk 
management framework and they may be better to prepare to address some of those risks but I would say this is something I don't think anybody has dealt with so even though some of the organizations who have the ERM frameworks still struggling with with this risk which we have never seen today so Trisha ran today the key focus for leaders is how to run their business and perhaps controls and compliance is not the key focus at the moment and that is for understandable reasons for what I'm going to do for the next few minutes just really share some of the risks companies need to be aware of from the controls and compliance jam point of view and perhaps a reminder to the leadership and the management that you're in laughter's are still going to be required companies still need to be filing for their can queue and chemical filing if you're a public company and if you are in an industry which is required to do regulatory filing and comply with some of the regulatory requirements those are not going away so I that's what I hope to share a perspective some of the risk you know people need to keep in mind there some of these suggestions we might have BPM standpoint of you that what they what can they do to address that why don't you go to the next slide great so what I have done I have broken down the risk into that different categories and one of the risk is the the impact the companies are gonna have from the internal control standpoint of you especially and I don't need to go through every single one of them I think the audience are gonna get the copy of the deck so I'm perhaps gonna focus on some of the key risk which are gonna be irrelevant to the organization's one of the risk is going to be as most of your workforce is removed now maintaining the internal controls is going to be slightly different than what company have seen before if you don't have a large ERP or financial system in place which comes with some of the configured controls comes with the segregation of 
duties built into it this is some of the risk you need to be aware of and you may have to find a creative solution to address that many of the clients still use QuickBooks which necessary don't come a lot of the configure controls built into it so I will say this is very important for but those organizations to make sure the murder the work the more work situation doesn't cause that issue fraud factor is certainly is very prevalent moving money around various bank accounts you're checking signing authority could could be looking very differently now you could have a situation where a management is overriding controls which is an ideal situation is a huge problem from a service jam point of view and also from the fraud sector standpoint of view and you could have issues with people complying with your company policies and procedures last but not the least and these staff layoffs as you know this has been a this has been a worrisome for from economic standpoint of view many companies have furloughed employees or their does some restructuring one of the thing I always caution people when you when you let somebody go and somebody is taking over the responsibility you want to make sure you're not causing any conflict for me from the control stand point of view so I think this is one thing I seen some come don't necessarily care forward at the moment but ourselves you don't want to be put yourself in a situation where you could be pause and opening yourself to the fraud factor and and I think this is something to keep in mind the only compliance documentation the second area of very critical if you are a Sox company or if you have auditors coming from the regulatory standpoint of you very important you want to make sure that you are storing and collecting our controls evidence as you have done before in a more situation it may be you are different because some organizations still keep the paper trail so I think you need to make sure whether you have a paper trail you 
have to make sure you find a creative solution which is going to be satisfactory to meet your SOX and audit requirements from the storing and collecting audit evidence standpoint. Management review of controls is a key focus for your auditors, especially if you're a SOX client. I can't emphasize enough that this is going to be the theme for the auditors as never before, because the management review of controls is going to be perhaps far more critical than anything else in the past, because there's going to be a higher burden on management to make sure there was no control lapse and that they have done enough to make sure the control environment is sound despite the COVID-19 situation. Last but not least, the impact on the audit testing: I have many friends who are running internal audit functions, many of the internal audits have been put on hold, and I have also heard stories where internal auditors actually are doing accounting-type work, processing invoices. Not to blame anybody, but that's something, you know, people haven't seen before. So certainly make sure everything which has changed from the organization's standpoint, you evaluate that, and from the external auditor standpoint it is very important that you stay in close touch with them, because this remote situation and every impact I'm going to talk about is going to have a huge impact on what the auditors' focus is going to be.

So once you go to the next slide, Rick: from the information technology general computer controls standpoint, many things David and Sarah have talked about, so I'm going to focus perhaps on two of the key important things which are very important from the SOX and compliance standpoint. The first one is that unauthorized and inappropriate access is quite possible; many organizations were caught by surprise and they may end up allowing people access which in normal circumstances was not considered appropriate, but I would say from the audit standpoint it
is a high risk. So if you had a process when COVID-19 hit you, I think this is something you need to make sure that you do have a process for going forward, and as of now. The third bullet point, the company change management policy, is also very important from the SOX and non-SOX standpoint. If you are required to make any system changes because you have to adapt, you have to modify some of the business processes, some of the IT controls, some of the IT systems to meet the new requirements, I can't emphasize enough: please make sure that you follow your company's change management policy. This is going to be a key focus for the auditors as well, because the system itself, if you're using NetSuite, Oracle or SAP, I think is going to be far more important than ever, that the company is really taking a harder look at the system controls, especially any change being made, because a lot of the financial information coming out of the system is going to be relied upon by your own auditor. So those are the two areas I would say are key risks I see on the ITGC side.

From the regulatory compliance standpoint, if you have exposure to Europe, if you are maintaining or if you have digital footprints which may make you subject to GDPR: GDPR and the California Privacy Act haven't gone away. I think it's very important to make sure that any compliance regulation you're under, this is going to be the challenging test for the organization, to make sure they continue to show compliance for both GDPR and CCPA. Last bullet point: many organizations, such as healthcare organizations, and if you're an insurance payer, are required to do a lot of elaborate filings on a quarterly and annual basis. Please continue to make sure that you have processes and controls in place and you don't lapse on those filings unless there is a new regulation passed to get you an extension, but as I said, stay on top of that. This is very important, to make sure you
continue this strategy to follow those guidelines. Let's go to the next slide. Third-party risk management is very important. Many of the organizations have outsourced their business processes, and it's quite possible you could have been getting SOC 1 and SOC 2 reports from those vendors, and this year you may get a reasoning that, hey, listen, due to the cost constraints or due to the impact of COVID-19 those reports may not be available. It's very important, matter of fact it is even more important, to get the SOC 1 and SOC 2 reports this year from them, because this is the test those organizations have, to make sure that the business processes, the controls, and the IT security and privacy practices they have in their organizations are really something you can rely on. And vice versa, if you are the one managing processes and outsourcing for your clients, it is very important to make sure there is no lapse in the SOC 1 and SOC 2 reports which you've been sharing with your customers. The last area, the financial reporting and disclosure requirements: this is something that is a moving target. The SEC continues to come out with new guidelines on what its expectations are from the regulatory standpoint, what needs to be reported, what doesn't need to be reported, but this is something, if you are a public company or if you are required to do some sort of reporting to the SEC or the regulator, please stay on top of that, because this is something that's going to have a huge impact on your reporting process. So those are some of the things, you know, I have seen and my clients are seeing, being part of the profession for 20-plus years or so. It's going to be a game changer for you, COVID-19. Some of the things are just basic things, so this is just a reminder to make sure that you don't ignore these things. I know you have to run your business, but the compliance requirements are still there; they still expect you to follow those. So next slide, Rick. I have put together some of the
suggestions for our audience to follow. Again, you know, I don't need to go through all of them, but just some of my favorite ones. Update your company's risk assessment if you do have some sort of ERM framework, but if you are subject to SOX, please make sure every risk COVID-19 has brought to your organization gets documented, because this is how, if you do have a formal risk assessment or management process, this is going to be perhaps one document where you can keep track of what the organization has done to address those. Stay in touch with your external auditors, regulators and legal team: the government is coming out with a lot of financial incentives, a lot of packages, and it's almost impossible to track all those things on a daily basis, so a lot of your, you know, experts, your external auditors and regulators and legal team, are perhaps in a much better position to send you the periodic updates which may impact you. If you are subject to SOX, it is very critical to take a look at your scoping documentation, because your SOX scoping most likely will be impacted, so you want to make sure you're not wasting your time testing controls in processes which may not be in scope this year. It is very important to make sure that you effectively manage your SOX for 2020 and the COVID-19 impact it may have. Internal audit and compliance: you know, I've been a career internal auditor for a long time; internal audit is the one function within the organization that has a wealth of knowledge about the organization. I can't emphasize enough: utilize them. They're not there just to audit you and find issues in your processes; internal auditors actually, from a consulting standpoint, can add a lot of value and can provide a lot of guidance for your control matters. So if you do have an internal audit function or compliance function internally, this is perhaps the best time to make sure you utilize their skill set effectively. And last but not least, succession planning: many
organizations have realized that succession planning was not that important; larger organizations may have that at some point because they required it from the SOX or ERM standpoint, but some of the smaller organizations haven't thought it through. Succession planning has become very important, perhaps the most important thing, because what if one of your executives, one of your leaders, gets sick due to the COVID-19 issue? You want to make sure somebody is there to make sure your business operations continue to be sustained, and this is one thing I have seen companies taking a hard look at, to make sure there is a succession plan in place. So those are some of the things, you know, I have. Rick, any questions that came up, anything I can help the audience with?

Sure. Again, our audience is being very kind to us, but I wish they'd ask you some tough questions; we've got a great group of analysts. Also, no open questions at the moment, but actually, as you were speaking I was thinking about something I hope you can help me understand here. What are some examples of potential unique risks, you used that word, unique risks, with, let's say, healthcare providers and health insurance? Can you provide some examples for us?

Sure. So one risk you see, which is broadcast in the news over and over, is medical supplies, and I would say this is perhaps the biggest risk. If you are a hospital, a community hospital in your neighborhood, medical supply has been the most important thing, your ventilators, the masks. Obviously, if hospitals have not thought they would ever have a shortage of medical supply, this is perhaps the time they're going to be looking at that risk; when things get better, and things will get better soon, this is going to be the risk they're going to be looking at from the long-term standpoint. Another risk is the privacy risk due to HIPAA compliance. Whether you are a health insurance company or you are a hospital, this is perhaps far more important
because you are really struggling, your staff is really struggling with treating patients, and not only treating patients but trying to stay safe themselves as well. So, you know, both of the two risks I am saying are perhaps far more critical due to the COVID-19 situation, and this is applicable to both payers and providers in the healthcare space.

I appreciate it. David and Sarah, I have a question. Oh, yeah, something? Go ahead, please.

Yeah, Rick, I see in the chat section a question from Mei about checking to see if the VPN system is hacked, so I thought maybe we should address that question.

Yes, I was about to ask you and Sarah both the question. Go ahead, please. Thank you.

Oh, great, I'm sorry about that, Rick. So I guess there are really two possible versions of that question: checking to see if it can be hacked, or checking to see if it has already been hacked. Both of those activities can be performed; it will require a fairly technical response to answer that question directly, but suffice it to say, when we talk about VPN and remote access systems there are really two considerations there. One is the system itself and its susceptibility to being hacked, and the other is all of the users who use that system and their susceptibility to being hacked. So there are a couple of different levels at which the VPN can be hacked. Hacking an individual user account, gaining access through the VPN impersonating a real user who has somehow been compromised, is very, very difficult to detect, because to the VPN system it just looks like an ordinary user. That said, there are some artifacts out there that could be used to identify that outcome. If the VPN system itself has been hacked, that's going to leave probably some very easy-to-identify telltale artifacts behind that would be fairly straightforward for a technical forensics person to identify. Maybe, does that answer your question? While we're waiting for Mei to respond to us, Sarah, anything from you? Is there anything from your side you would
like to add? Yeah, I just want to add to the end of what David was saying: let's double check your VPN itself to make sure it is a VPN that logs. There are VPNs out there that do not do logging, and when they don't log there's less, or little to no, forensics data to go get to see if you were hacked. And as always, to prevent that, even if you do have a logging system, if you want to check it on a periodic basis, David's team or my team can help support you in that.

Thank you, Sarah. While I have you, I was taking notes as you were discussing your area of expertise, and I want to ask you a question about how do I address security and privacy if my company doesn't offer VPN. The question that Mei was also raising was about VPN; are there any other options?

Well, first off, in this day and time we should be offering VPN, but I know a lot of people that might be working from home might not be using VPN because they're just responding to email and passing files back and forth in email, and maybe their email is not over VPN, meaning that it does not have that extra encrypted protection layer that the virtual private network provides us. So, you know, as an employer I would want to implement VPN when I can, but as an employee I want to make sure that, even if my company doesn't offer VPN, knowing that I'm responsible for all that email and those files I'm passing back and forth, I make sure that I have the most complex password that I can possibly tolerate: upper/lower case, a special character, at least 12 characters long, maybe you have passphrases, etc. Maybe you haven't changed your password since you went to work from home; maybe now is a great time to do that. Make sure that if you have another file share method besides passing an Excel or Word document back and forth, you utilize the more secure methods. Maybe your company has Box or Dropbox or a company SharePoint where you drag and drop files into it and tell the person, "I sent you a file, it's on SharePoint," "I sent you a
file, it's on Dropbox," instead of actually sending the file over the ether. So those are some things an employee might do, but employers, I always encourage: get that in place, and a VPN. That's a good one.

Also, as a follow-up, Mei has a question for us as to how to increase VPN security. Are there additional measures we can take to increase VPN security? David, Sarah, I'll throw the question at both of you.

This is David. My advice would be: make sure there is multi-factor authentication to the VPN, and make sure as many services as possible are behind the VPN. The best way to access email remotely is to log in to the VPN first and then access it, and so forth, rather than having things like email hanging out on the web. Those would be a couple of pieces of advice I would suggest. Sarah?

Absolutely, I agree with you, Dave. I don't think I have anything to add to that.

Well, I appreciate it, Dave. While we are talking about it, you had a lot of discussion around this, I wanted to ask you a question about what is your recommendation for a strong password on a home or remote network. I know you made a point about that and I wrote some notes about this, but what are some strong password practices you can recommend to the audience?

Yes, and I will follow up on both my comments and Sarah's comments from just a moment ago about strong passwords. Passwords need to have two primary criteria to be strong. The first and most important is the password must be long. Short passwords are not secure; we, with our little cracking computers that we have, and all other hackers have, can basically exhaust all possible combinations of characters for a password that's ten characters or shorter in a matter of hours, or at most days. So a password needs to be long. Additionally, it needs to be not easy to guess. So again, common phrases, common words. A lot of people say, "Oh, I'm told I need to have a long password, so I'm just going to take the word 'password' and I'm going to double it, 'passwordpassword', and maybe I'll substitute a zero for
the O, and it's all good to go." The problem is those kinds of common longer passwords are in our dictionaries already, so pretty much every possible substitution combination of the word "passwordpassword" is among the first few thousand passwords in our password dictionary and we're going to get to it very quickly. So number one, it needs to be long, and number two, it needs to be difficult to guess. So we find things like instructions, a little set of instructions, how you drive from one place to another, how you make your cookie batter mixture, any kinds of instructions that are unique to you, are both long and difficult to guess and make pretty good guidelines for passphrases.

I appreciate it. I have a question that I want to ask, and bear with me as I'm reading through this, from Regina: "This is my first time to work from home. I'm curious, as is all the audience, is everyone working from home, including the presenters? I work for a government agency and this is all new for our group." I think I'm going to throw it back at the panelists, but I think you can just tell us where you are working so we can address Regina's question.

I'd be glad to. I was going to say I'm in the office this morning, but only so that I have a good, fast, reliable internet connection for today's webinar. Otherwise I'm working from home, as is the rest of my office.

Ashwini?

I would say, you know, for days now, it is so easy to just try to work 24/7 myself; this is not healthy. So set up your schedule, 8 to 4, 8 to 5: do you take your lunch, are you watching TV, spending time with your kids? This is just my suggestion; this is not healthy from the personal standpoint. But from the control standpoint, especially for a government agency, they are required to comply with a lot of the regulations, a lot of the audit requirements, so if there has been some issue with regards to keeping documentation from the control standpoint
because you cannot be in the office, you know, one suggestion I may have, if you want one example, will be: if you're supposed to require an approval for a certain transaction and you are no longer able to do that because you're not in the office, get the evidence by email and make sure you maintain that when you do go back to the office, or other ways. That's one way to do it. If your system has configured controls which haven't been enabled, try to work with your IT function; this could be the time to get those configured controls enabled, to make sure that you are taking advantage of all the system controls you could have.

I appreciate it. In addition, Regina responded that she's waiting for her VPN so she can do some work; she does come into the office once a week, and I think that's very true for a lot of us who may have to come to the office at least once a week, just as you can see our partners, at least two of them, are working from their office today. Sarah, anything from your end you would like to add to Regina's question?

Absolutely. I am in the office, and there are three of us in the office; we've been sufficiently socially distanced with doors and locks, and we have an essential service here, a security monitoring center where we monitor for our clients 24 by 7 by 365. But in this special time we are testing some software that might allow some additional extension of our networks for even our analysts to work from home under a very strict environment, so we're working on that too, while three of us are here in the office under such conditions as essential workers.

Sarah, Ashwini, David, I can't thank you enough for joining us today. Please stay up to date with the BPM COVID-19 Resource Center at bpmcpa.com/covid-19. We hope you enjoyed today's informative webinar. I want to thank our panelists for sharing their thoughts and expertise with us. If you have any questions or would like more information on today's topics, please contact us at bpmcpa.com. You
will also receive a copy of this presentation and a link to this recording as well. Thank you again for joining us, and we wish you a healthy and safe day ahead.