Monday, April 18th, 2016. Zero hour. Tax Day. 

Today you’re popping a champagne cork in celebration of a well-deserved rebate or muttering to yourself about the injustices of the system in between sips of Pabst Blue Ribbon. Either way, if this is you, your taxes were filed successfully and the doomsday clock to Uncle Sam’s next payday resets to 365.

But what about those lucky few who have fallen victim to tax fraud? Like you, they too dread Tax Day, but now have even more reason to do so, and for years to come. Because unbeknownst to them, a phishing attack on their employer two months ago resulted in the distribution of their personal and confidential financial information to a cyber attacker. It was quite easy, really. The attacker simply spoofed the CFO’s email address, cast a wide net, and waited for one recipient to fulfill his request for the entire company’s W2s. An odd request, perhaps, but who’s to question the CFO?

It was not long thereafter that those W2s found their way into the hands of the highest bidder on the dark web and the fraudulent request to file thousands of returns was complete. It’s now time to learn about tax forms you never knew existed and begin the long, arduous process of reclaiming your identity in the eyes of the IRS.

Among thousands of malicious emails successfully mitigated by a variety of security defenses, one solitary message managed to slip through the cracks and into the inbox of a trustworthy, unsuspecting victim of corporate crime. All the defenses that organizations rely upon to detect and defeat these attacks perform admirably, perhaps 99% of the time. But all it takes is one. And this year, that one found you.

In 2016, this story became all too familiar as over 40 organizations were successfully phished for employee tax data. Impacting organizations and individuals equally, this type of corporate crime affects the morale of an entire workforce. So how do we reduce this risk? Surely my firewall is enough? What about the secure mail gateway, intrusion prevention systems, and endpoint security products? I should be covered!

Tried-and-true technologies exist to defend against malicious mail, viruses, malware, and intrusion. But all these defenses rely on perfection and ignore the very real, ever-persistent threat of human error. The only true way to prevent successful phishing attacks is to assume the worst and prepare for an attack. Lock down your critical assets, protect your sensitive data with a series of authentication mechanisms, incorporate human oversight, and continuously enforce a security policy that can capably stop a bad actor from realizing their objective.

At Bomgar we believe our role in that effort is to:

Identify the Critical Asset
Protect the Access
Control the Account
Manage the Session  

So how do we do it?

With Bomgar Privileged Access Management and Vault deployed in your environment, your critical assets are protected by an additional layer of security beyond the status quo. End-users that need access to a high-value resource must route through our solutions for connectivity and pass a series of automated and/or manual security checks and policy requirements before being granted access.

The user in need of access to this asset does not have the privilege of doing so until they’ve been properly vetted. And even when identity is confirmed and access is granted, they don’t have knowledge of the credentials, an ability to navigate beyond the parameters of their defined request, a static connection for unrestricted use, or the latitude to take actions without continuous monitoring. When their work is complete, their session is terminated and they cannot regain connectivity without navigating your defined security checks.

Perhaps this sounds a bit arduous, but for a critical asset hosting information as sensitive as an entire organization’s W2 data, the alternative has proven insufficient. And the ramifications of a breach far outweigh the costs of implementing a few more steps to access the data. While employees almost always have the best of intentions, it’s perfectly reasonable to help protect the entire organization from an honest, and costly, mistake.