By Andy Banning, Cyberian Technologies
The letter from the CEO looked official, so a Human Resources staffer didn’t hesitate to comply with a request to forward W-2 information on every employee in the company to his office.
That simple exchange cost $100,000. A hacker had sent that letter, not the CEO.
As a result, the company had to spend a hundred grand on credit protection to repair the damage.
Unfortunately, this costly event was not an isolated incident. As a 2017 article in U.S. News & World Report reported, German firms lost millions of euros in these CEO Fraud scams, which rely on fake memos from “executives” to extract cash or sensitive financial data from targeted companies.
Among my own clients, there’s been an uptick in these scam attempts, as well as in the “supplier swindle,” where hackers impersonate third-party suppliers and deceive companies into transferring funds to their accounts. In some cases, cyber thieves issue bogus invoices and employees unwittingly pay them.
We noticed an increase in these types of cyber-threats beginning mid-2017 — which tracks with data showing Business Email Compromise (BEC) attempts rising 106 percent in the second half of 2017 compared to the first half.
These attacks could be drastically reduced if companies were willing to invest in protecting themselves from one of the main sources of data breaches: employees. Quite simply, human error — such as employees leaving their laptops in coffee shops or falling for phishing scams — makes it easier for cybercriminals to thrive.
It can be difficult, however, to convince executives that the people sitting at keyboards in their own offices are the biggest threat to their cybersecurity. Sometimes, it seems the school of hard knocks is the only teacher.
Educating End Users To Think Twice, Click Once
Nevertheless, MSPs can make a strong argument about the importance of investing in employee training and security measures before a data breach takes place. For instance, some clients contend they don’t have time for security training for their employees. To counteract that idea, MSPs can point out that if computer systems get infected with ransomware because of employee mistakes, the company will have plenty of time for training because their network will be down.
MSPs also need to hammer home the message that cybercriminals prey on the innocent nature of many employees, as well as their instincts to be helpful to others in the workplace. The well-meaning Human Resources staffer who sent the W-2 information to a hacker, for instance, was acting in response to the perceived need by the CEO. This employee never stopped to think about why a CEO would ask for such sensitive data in an email — nor why the head of a company would make such a request in the first place.
Employees need security training to counteract their natural inclination to automatically respond to emails without giving them a second glance. Just as crossing the street safely requires pedestrians to look both ways, so too must employees think twice before they click once on emails and messages that may prove dangerous to the company’s cybersecurity.
Seeing Is Believing
MSPs should take up the challenge of promoting cybersecurity training for one simple reason: If employee errors let hackers punch through firewalls and breach a company’s network, MSPs end up with the black eye. MSPs have a vested interest in educating end user employees about cybersecurity, because they are the ones who can inadvertently undo all the hard work that goes into installing technological defenses against hackers.
The best strategy for MSPs is to offer a comprehensive range of security services and products. We use a full array of services from Breach Secure Now!, including end user employee training, Security Risk Assessments (SRA), policies and procedures, two-factor identification, dark web monitoring, firewall updates, encryption, backups, and secure password development. We also recommend cyber-insurance.
One of the newest features from Breach Secure Now! that attracts attention from clients is a visual dashboard where managers can see the level of risk an individual employee poses to the company’s cybersecurity. This dashboard is created using the Employee Vulnerability Assessment (EVA) program, which gauges employees’ susceptibility to hackers through simulated phishing scam emails and other weekly micro-training and tests to improve their cybersecurity awareness.
Each employee earns an Employee Secure Score (ESS), similar to a FICO credit score. Using ideas drawn from gamification strategy, the program motivates employees to improve company-wide cybersecurity through anonymous, friendly competitions with coworkers to raise their ESS scores, similar to a workplace Fitbit challenge. Through ongoing training, employees can improve their scores and, consequently, improve the company’s overall cybersecurity. And management can view their scores to see which employees are taking the challenge and improving their security acumen.
When our clients have a visual aid to see how their employees are performing in terms of thwarting hackers, they are more receptive to the total package of security services MSPs have to offer. And employees are more resistant to the traps set by unscrupulous cybercriminals.
About The Author
Andy Banning is a partner at Cyberian Technologies, a complete technology solutions provider that helps businesses in the greater Indianapolis area maintain peak efficiency of their IT networks. For more information visit www.cyberianit.com.