All businesses are vulnerable to cyberattacks.
As just one example, an auto parts manufacturer lost more than $37 MILLION as the result of a simple email scam. In this instance, the attackers targeted someone with financial authority to change account information on an electronic funds transfer.
Educating Employees How to Mitigate Risk
According to a recent report by the FBI, this type of cyberattack, known as Business Email Compromise (BEC), has cost global businesses more than $5 billion over the last six years. Moreover, it is estimated that at least 75% of businesses are exposed to at least one attempted BEC each year.
BEC attacks follow a similar pattern: identify the names and email addresses of people with signature authority (usually in the Finance and HR departments), then contact them while posing as a person of authority within the company (an executive, a manager, etc.), typically by spoofing that person's display name or sending from a lookalike email address. In just a few minutes browsing the corporate website or LinkedIn profiles, an attacker can gather hundreds of name and email combinations, and it only takes one or two good hits for them to score big.
Protecting your company from cybercriminals takes more than safeguarding the company’s network and internet access. It also involves educating the human element—particularly those employees with access authority to sensitive company information and/or signature authority to company funds—on the dangers of cybercrime and educating them on steps to prevent it.
Managing that risk is a challenge. On the one hand, companies must provide employees the access rights and privileges they need to perform their jobs without too much red tape or multiple levels of authorizations. On the other hand, granting an employee too much authority without the appropriate checks and balances can lead to catastrophic consequences.
The solution: Educate your employees on the many types of cyberattacks out there today, as well as the steps they can take to mitigate risk to themselves and to the company:
Phishing – Using official-looking emails to fool victims into clicking links to fake websites that masquerade as a legitimate site, where they enter personal or financial information that is then stolen and used or sold online. BEC is a variation of a phishing attack.
The fix: Train your employees to identify phishing attempts and to report any suspicious email to the person or persons responsible for network security in the company. Many companies simply instruct employees not to click on ANY link they are not familiar with or expecting without first asking IT or another authority within the company.
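The BEC pattern described above (an executive's name on an external or lookalike sender address, a mismatched Reply-To, and "urgent" payment language) is exactly what a mail gateway or SOC triage script can score mechanically before a human ever sees the message. The following is an added example, not code from the original article or from any vendor named on this page. The company domain `example.com`, the executive list, and both sample messages are constructed for illustration.

```python
"""Heuristic BEC / display-name spoofing triage over parsed email headers.

Added example, not part of the original article. The company domain, the
executive roster and the two sample messages below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical company settings.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {                      # normalised display name -> legitimate address
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
# Language typical of payment-redirection requests.
URGENCY_WORDS = re.compile(
    r"\b(urgent|right away|immediately|wire|bank details|account information|confidential)\b",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def analyze(raw_message: str) -> dict:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    norm_name = " ".join(name.lower().split())
    sender_domain = domain_of(addr)
    findings = []

    # 1. An executive's display name on an address that is not that executive's.
    if norm_name in EXECUTIVES and addr.lower() != EXECUTIVES[norm_name]:
        findings.append(f"display name '{name}' impersonates an executive; sender is {addr}")

    # 2. Sender domain is a near-miss of the company domain (1-2 edits).
    if sender_domain != COMPANY_DOMAIN and 0 < edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {sender_domain}")

    # 3. Replies are silently redirected to a different domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain")

    # 4. Urgent / payment-change wording in subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    hits = sorted({m.lower() for m in URGENCY_WORDS.findall(text)})
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))

    return {"from": addr, "findings": findings, "urgency_terms": hits,
            "suspicious": len(findings) >= 2}


# Constructed sample: an impersonation attempt against accounts payable.
SAMPLE_BEC = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts.payable@example.com
Subject: Urgent wire transfer

I need you to update the vendor bank details and send the wire right away.
Keep this confidential until I am back in the office.
"""

# Constructed sample: a routine internal message from the real executive.
SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q3 vendor review meeting

Can we meet Thursday to go over the vendor list?
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        result = analyze(sample)
        print(label, "suspicious" if result["suspicious"] else "ok")
        for f in result["findings"]:
            print("  -", f)
```

The score is deliberately a count of independent indicators rather than a single keyword match: a real executive will sometimes write "urgent", but a real executive will not also be writing from a one-character-off domain with replies routed to a webmail account. In production the executive roster would come from the directory and the lookalike check would run against all domains the company owns, not just one.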
Unpatched software – Attackers routinely exploit known weaknesses in software that has not been updated.
The fix: Most software vendors release updates when a security weakness is identified and fixed. These updates must be applied in a timely manner on all company business systems so that already-fixed weaknesses cannot be used against you.
Viruses and Trojan Horses – Viruses are malicious programs that affect computer systems or computer files, altering them or deleting them altogether. Once inside a computer network, a virus can easily spread to other computers, disrupting operations and potentially deleting all data on the network. Trojan Horses appear as legitimate applications but actually grant hackers access to the computer that runs the application. Viruses and Trojan Horses are introduced into the environment by downloading software from malicious websites or opening attachments from suspicious emails.
The fix: Prohibit employees from downloading any software application from outside the company's list of approved vendors. Also, instruct them on how to check for suspicious attachments or web links in emails and to avoid opening questionable attachments, even if the email appears to come from someone they trust within the organization, since sender addresses can be spoofed.
Shadow IT – Shadow IT refers to applications being used on company computers without the knowledge of the IT department. In most cases, this involves accessing SaaS productivity tools and applications, such as file sharing, file storage, and online collaboration. While many of these applications are harmless, others can pose serious security risks. Some of these online applications also accept sign-in with a Google or Microsoft work account, which lets an employee grant an unvetted third party access to company data and email with a single click (all without involving IT). Shadow IT not only poses a security risk to companies, but it can also duplicate existing company services, cause confusion by using competing productivity tools, and needlessly waste departmental budget dollars.
The fix: Advise employees and departments to clear all external productivity applications with IT first, and to confirm that similar tools are not already in use by the company.
Maintaining security across the organization
While your IT department keeps your network safe from external threats, it is important to educate your employees about the cyber risks they could inadvertently introduce from within through ignorance or negligence.
It is also important to establish strict company policies and procedures that offer your staff guidance to avoid exposing the company to loss of funds, intellectual property, or both. That way, your employees will know what to do the next time they are faced with an “urgent request” from “the CEO” to pay a certain vendor “right away”.
Interested in learning even more about this subject? Watch the GRC Days on-demand webinar by RSM and Fastpath, "Cybersecurity Best Practices, from Coping to Culture" which covers the fundamentals of a mature cross-enterprise cybersecurity program.