Our previous article, Why You Need an IT Audit for Your Small Business, outlined the first step in protecting your organization from cyber-attacks. The next step in this process is creating a human firewall. This week it was revealed that the top three US antivirus vendors, McAfee, Symantec, and Trend, were infiltrated and had source code stolen, potentially rendering their security products worthless and leaving clients exposed. This is a prime example of why you can’t rely on technology alone to protect your business.
A business without a human firewall is like a human without an immune system. If you don’t train your staff to recognize threats, the threats will enter your network unopposed and wreak havoc. It’s not nearly as difficult as you may think to make a big difference. As little as 20 minutes of training and a few simple rules in place will prevent most attacks.
Our Human Firewall Saved Us $20,000
Social engineering is an attack that occurs when someone within your organization receives a personalized email that appears to be from a trusted associate or client, requesting sensitive information or money. It can also take the form of extortion, such as threats to release sensitive emails or webcam footage if you don’t pay a ransom. There are no malicious links or files for your firewall or spam filter to flag; it is a scam tactic, and many people fall for it.
This happened in our own office recently. Our accounting assistant received a persuasive email appearing to be from our CEO requesting overnight delivery for two $10,000 checks. By sheer luck, she was also watching a security awareness training video and realized what was going on. This attack is called CEO Fraud, and it’s up 50% in just the last year.
You Have More at Risk Than Money
The scenario above would have cost us money, but there is so much more at risk than that. A cyber-attack can:
- Disrupt your normal business activities and cause a significant loss in productivity
- Damage your client relationships by causing loss of trust in your business
- Result in negative online reviews that prevent you from gaining future business
- Cause you to incur fines if the attack results in breaking the law or breaching a contract
- Ruin lives if personal data or credit information is stolen in the attack
How Can You Prepare?
Cyber-attacks are getting more advanced every day. The best way to prepare is by educating your human firewall. This means training employees, understanding who is most at risk, and having policies and procedures in place to maximize security.
- Train and designate experts in your business who can help evaluate suspicious emails. Some people have a knack for sniffing out phishy emails; leverage their skills.
- Make simple rules. Our rule is “3 strikes, and you’re out!” If you can find 3 things in an email that seem out of place, flag the email and ask for help.
- Any non-routine financial transfers or checks should be confirmed with others via phone call. This is how banks handle it.
Once your staff is trained, test them regularly. There are many services out there, such as knowbe4.com, that will automatically send out email campaigns to try to trick your team. This is how we reduced our click rate from 37% to under 1% in six months.
Finally, have an action plan for what to do in the event of a breach, and practice executing it regularly. Part of this plan should include cyber insurance. As with any insurance policy, your cyber insurance should be your final line of defense.
If you have any questions about the best cyber insurance policy for you, give us a call at (916) 984-3000.