As residents of the Carolinas attempt to stay safe during Hurricane Florence, they may encounter another threat that can add to the misery of natural disaster victims.
Victims, volunteers, and infrastructures may become vulnerable to cybercriminals during disasters. Corporate and business interests also may face greater risk of cyberattacks following a disaster because systems may be compromised and IT personnel who ordinarily would be monitoring cybersecurity threats may be diverted to rebuild IT assets.
“Cybercriminals are known to exploit natural disasters,” Lisa Traina, CPA/CITP, CGMA, president and technology services director of Traina & Associates, a CapinCrouse company, said in an email. “Individuals and organizations can be targeted.”
Disaster victims, volunteers, and donors are likely to be interacting with unfamiliar people and organizations such as government entities, insurance companies, and not-for-profits, which cybercriminals may attempt to impersonate in “phishing” attacks.
In these attacks, cybercriminals pretend to be reputable and legitimate sources as they contact victims or volunteers through emails, text messages, or phone calls in an effort to acquire personal information such as credit card and Social Security numbers.
Meanwhile, cybercriminals may pose as charities following a natural disaster, pretending to solicit on behalf of victims in order to obtain credit card or bank account information.
“Be cautious and stay vigilant,” Maria Thompson, North Carolina’s chief risk officer, said in a news release. “Let’s ensure one disaster does not lead to another. Phishing threats are real. Cybercriminals will use every tactic in their arsenal to deprive citizens of their information and ultimately their financial assets.”
The North Carolina Department of Information Technology advises individuals to:
- Carefully review email and web addresses since cybercriminals will make them look as legitimate as possible, often using variations of spellings.
- Refrain from clicking on links in emails from anyone unless you know and have verified the sender of the email. Typing web addresses directly into your browser rather than clicking on links can prevent you from making contact with cybercriminals.
- Look at the sender’s email address and refrain from clicking on links until you are certain the organization is real. Go to the organization’s website to verify its contact information, and use sites such as Charity Navigator for additional confirmation. “When in doubt, inspect the links, but preferably go to the nonprofit’s actual website to make a donation,” Traina said. “Practice the same concern with telephone calls.”
- Keep anti-virus software up to date, and make sure you have enabled the anti-phishing software furnished by your email provider.
- Remember that a disaster aid organization such as FEMA would never ask for personal banking information, a Social Security number, or a registration number. In emails or phone calls, cybercriminals may try to pose as disaster aid organizations; don’t give them personal information.
For businesses, the U.S. Department of Homeland Security recommends that organizations develop business continuity plans that would address IT procedures during a natural disaster as well as actions to be taken in an IT breach that is not associated with a natural disaster.
But backup plans may put businesses at risk, as Traina said criminals target organizations that are operating in a backup environment following a disaster.
“Many disaster plans involve the use of backup systems,” she said. “These systems can be vulnerable because they may lack the same security protections that exist in a live environment. For example, firewall protection may not mirror the live system and servers and other systems may not be updated with current patches. This opens a number of security holes that are ripe for exploitation.”
Traina said organizations also need to be aware that they will open themselves up to further risk if they temporarily switch off controls to allow for continued operations.
“An example is multi-factor authentication that allows for system access from a set list of IP addresses,” she said. “If people need to work and access systems from evacuation locations, a limited list of the normal IP addresses will prohibit access. To resolve the issue, the IT department may turn off the validation list to keep things running.”
While suspending these controls may help the business keep running, it also provides cybercriminals with an opening they may exploit to cause even more problems.
“Don’t let your guard down, even when the power is down,” Traina said.
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.