
The Security Measures That Can Keep You Safe From Online Scams

A cyberwar is making every single person at your organization a target — a target that must be equipped to protect itself and your operation.

“The problem with cyber is that you don’t feel it,” said U.S. Air Force Col. (Ret.) Cedric Leighton. “It’s not like a bomb goes off and everybody’s eardrums are shot.” Instead, he says, the danger is what you don’t see.

Church scammed

What leaders at Saint Ambrose Catholic Parish in Ohio did not see was devastating. Cybercriminals targeted the church during a construction project, hacking into the email server and using confidential information to pose as the contractor. 

Father Bob Stec, who had written about the project going well, suddenly wrote to the parish about a heartbreaking call from the construction company. Why, the company asked, had the church failed to pay $1.7 million?

“Upon a deeper investigation by the FBI, we found that our email system was hacked and the perpetrators were able to deceive us into believing [the contractor] had changed its bank and wiring instructions,” Stec said. “The result is that our payments were sent to a fraudulent bank account and the money was then swept out by the perpetrators before anyone knew what had happened.”

Known as a business email compromise (BEC) attack, this kind of activity is rampant. According to the U.S. Secret Service, BEC attacks increased 136 percent between December 2016 and May 2018, and losses now stand at $13.5 billion over the past six years.

This is one of many ways that hackers use phishing emails, whether to steal your organization’s data or to encrypt it until you pay a ransom.

Lowering your risk

The latest research shows more than 90 percent of all cyberattacks are perpetrated in some way through email. However, leading cybersecurity companies have documented that regular security awareness training works to combat this.

The most effective programs include a systematic approach that allows for reporting of suspicious emails, provides education around current attack methods, and sends fake phishing emails that track whether employees click when they should not. These tests provide a baseline on how the program is working.

Research also shows this must be done consistently, rather than simply to meet periodic compliance requirements.

Limiting damage after a breach

If your security awareness program is part of a consistent strategy around cybersecurity, attorney Shawn Tuma says it may benefit you in court.

“When you can show you’ve done those things, and you can show you’ve made legitimate efforts to combat the risk that your company faces,” he says, “then even when you do have an incident, it makes you look so much better in the eyes of the regulators, the judges, and the attorneys.”

And that, he says, can help limit liability and financial damages.
