A key element of being proactive against cyber fraud is ensuring that everybody in your organization is trained and understands the various ways that bad actors attempt to access systems. Frequently, it's through innocuous or well-disguised emails or messages that employees may not think twice about.
In an earlier article, I discussed being proactive against cyberattacks in part by understanding the differences between cyber liability and data breaches and the different types of associated insurance. Whatever the eventual loss, the initial incident almost always involves some form of influence or manipulation to gain access. From there, the attacks vary by industry and opportunity.
Criminals use social engineering to play on the recipient's innate desire to be helpful, and they create a false sense of urgency. Before you know it, a malicious link has been clicked, sensitive information has been shared or credentials have been handed over.
This type of accidental disclosure (usually via email) is extremely likely to occur within any organization. Furthermore, client/vendor relationships are more intertwined than ever before and involve sharing trade secrets, network access and, in some cases, continual monitoring and oversight. So it's not just your own employees you need to be concerned about training, but any partner organization that has legitimate access to your systems or sensitive information.
Knowledge and training: your best defense
With the pace of business today, it is impossible to avoid these schemes. No one is immune from the potential of an attack, and most organizations deal with a host of these threats daily, because they tend to be high in volume and relatively low in success. But, similar to a water leak, it is just a matter of finding the vulnerable spot. Given the nature of these attacks, and acknowledging that the risk commonly involves some element of human error, recognizing the various threats and raising awareness is key to minimizing those vulnerable spots.
Often these threats will appear as a request for payment or a change to a vendor's bank account number. If the recipient is tricked into engaging and responding, it could be very costly for the organization. For that reason, it is important that everyone understands the process for making payments, even if that means they aren't allowed to make them. Strict rules requiring verification of both the requester's identity and the request itself, through a channel other than the one the request arrived on, are what generally limit the success of these attacks.
It is also important that everyone enrolls in some level of cyber awareness training. For a while, cyber risk training was not considered a priority as Multifactor Authentication (MFA) implementation took center stage. Now that most firms have adopted MFA as a standard, the focus has shifted back to developing a training program that helps employees recognize attacks in real time and ensures that security safeguards are followed.
Increasing sophistication of schemes
Early attempts at these schemes, the most basic phishing, were rudimentary but effective enough for the cybercriminals to continue.
Today we are seeing Business Email Compromise (BEC) schemes based on pretexting. This means the attack is focused on a specific individual or small group and built on information the criminal already knows, making the outreach seem more plausible and real. The criminals may have hijacked an existing email thread, or they may be mimicking an actual vendor with a propped-up website and a lookalike email address.
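The two BEC patterns described above, a lookalike vendor domain and a hijacked thread whose replies are redirected elsewhere, can be checked mechanically before a payment request ever reaches a person. The following Python is an added example written for this page; it is not code from the original article or from any product it mentions. The vendor domains, the three sample messages and the payment keyword list are constructed, and the homoglyph folding and the edit-distance threshold are assumptions a real deployment would tune against its own vendor master.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional

# Constructed vendor list: hypothetical domains standing in for the
# accounts-payable vendor master an organization would actually maintain.
KNOWN_VENDOR_DOMAINS = ("acme-supplies.example", "northwind.example")

# Phrases that, in a message from a vendor, should trigger out-of-band
# verification before anyone acts on the request (assumed list).
PAYMENT_TERMS = ("bank details", "account number", "wire", "routing number", "remit to")


def fold_confusables(label: str) -> str:
    """Collapse common homoglyph tricks so 'acrne' compares equal to 'acme'."""
    label = label.lower()
    for multi, single in (("rn", "m"), ("vv", "w")):
        label = label.replace(multi, single)
    return label.translate(str.maketrans("01", "ol"))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known vendor domain that `domain` appears to imitate,
    or None if it is exactly a known vendor or unrelated to all of them."""
    domain = domain.lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return None
    sld = fold_confusables(domain.split(".")[0])
    for known in KNOWN_VENDOR_DOMAINS:
        known_sld = fold_confusables(known.split(".")[0])
        # Folded equality catches homoglyphs, containment catches
        # 'vendor-billing' style additions, distance <= 2 catches typos
        # (threshold is an assumption; short vendor names need a lower one).
        if sld == known_sld or known_sld in sld or levenshtein(sld, known_sld) <= 2:
            return known
    return None


def domain_of(header_value) -> str:
    """Extract the domain from an RFC 5322 address header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def review_message(raw: str) -> List[str]:
    """Return findings for a raw RFC 5322 message; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])

    imitated = lookalike_of(sender)
    if imitated:
        findings.append(f"sender-lookalike:{sender}~{imitated}")
    # A Reply-To pointing somewhere other than the sender's domain is the
    # usual sign of a hijacked or spoofed thread being steered to the attacker.
    if reply_to and reply_to != sender:
        findings.append(f"reply-to-mismatch:{sender}->{reply_to}")
        imitated = lookalike_of(reply_to)
        if imitated:
            findings.append(f"reply-to-lookalike:{reply_to}~{imitated}")

    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")
    if any(term in text.lower() for term in PAYMENT_TERMS):
        findings.append("payment-language")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = """From: Accounts <ap@acme-supplies.example>
To: payables@yourcompany.example
Subject: Invoice 1042

Hi, attached is invoice 1042 for last month's order. Thanks.
"""

LOOKALIKE = """From: Accounts <ap@acrne-supplies.example>
To: payables@yourcompany.example
Subject: Updated bank details for invoice 1042

Please use our new account number from today; this is urgent.
"""

HIJACKED = """From: Accounts <ap@acme-supplies.example>
Reply-To: Accounts <ap@acme-supplies-billing.example>
To: payables@yourcompany.example
Subject: Re: Invoice 1042

Following up on our thread: please wire payment to the remit to address below.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("hijacked", HIJACKED)):
        print(name, review_message(raw))
```

Each finding on its own is only a reason to route the message to the verification step described earlier, not proof of fraud; the point is that the check runs on every message, including the ones that look exactly like last month's invoice thread.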
As a result, successful attacks are growing in number and cost. The median amount lost per successful attack is $50,000 according to the 2023 Verizon Data Breach Investigations Report (DBIR).
The two-pronged approach of employee training and tight security measures, combined with the right cyber liability insurance, can help protect your organization by both minimizing the chance of a successful attack and protecting the organization in the event of one.