By Laurance A. (Larry) Selnick, CTP, SVP,
Director, Treasury & Payment Solutions Sales
What would you do if a stalker followed you home from work every day for six months?
You’d take action—and you wouldn’t wait six months. But inside your computer, it could be happening right now.
Let’s say your admin gets an email from your address:
Hey Sammy: I’ve got a meeting with Jules at ABC Accounting in about an hour. Would you please shoot me the employee W-2 files? Thanks!
Samantha thinks it’s from you. She fires off the file. And in minutes, all that privileged data is up for sale on the dark web.
How did the cybercriminal know that you call Samantha “Sammy”? Or the name of your CPA and his firm? Or when you might be out of the office, opening a window of sneaky opportunity?
The thief has been hunkered down in your computer system for months, reading your email, noting important details, and crafting a crime using social engineering: manipulating the trust and responsiveness of the people who work for you.
CNN reports: “In the last 10 months, 140 local governments, police stations and hospitals have been held hostage by ransomware attacks.”
The question isn’t if you’ll be hit by a cyber crime. It’s when—and how much will the damage cost you?
Helping businesses avoid cyber fraud is a top priority at Webster Bank, although the solutions go far beyond the bank. We believe that awareness, education and readiness are crucial, as demonstrated through services like Positive Pay. This review of the current threats—and suggested best practices—can help you stay on top of the ever-evolving risks.
IT solutions experts weigh in.
I asked three IT specialists about the cybersecurity landscape today: Michael Gray, chief technology officer of Thrive Networks in Foxboro, MA; Daniel F. Charland, founding partner of NetCenergy of Cranston, RI; and Jim Parise, president of Kelser Corporation in Glastonbury, CT. Their companies are on the front lines of cyber crime.
“We have seen an unprecedented rise in business email compromise and supply chain fraud,” reports Michael Gray. “Customers are being impersonated by false personas and vice versa with vendors. It's social engineering matched with simple email hacking that is very sophisticated.”
“One of the most common issues clients face is ransomware attacks,” notes Jim Parise. “Cyber criminals have effectively weaponized email and code on websites that capitalize on employees’ vulnerability.”
“Organizations that have sensitive data have the most to lose,” says Daniel F. Charland. “Healthcare, legal service organizations and accounting firms are at the top of the list. The most common thread of attack is usually aimed at the general user or employee. Therefore, awareness training is critical. Remember that someone must open the door to let them in!”
Meet the new breed of cyber thief.
Today’s cyber criminals aren’t 14-year-old hackers from Eastern Europe or semi-literate princes searching for long-lost beneficiaries. They’re super-sophisticated business people whose full-time job is finding devious new ways to crack your data.
Banks have made life tougher for these thieves, with ever-evolving protocols to head off new attempts at cyber crime. Therefore, the bad guys have turned their focus to easier prey: the businesses themselves.
Of course, data breaches at giants like Anthem, Target or Equifax make the headlines. But some of the most prevalent crime never gets the same attention: attacks on small-to-mid-sized companies.
Why big thieves think small.
“We've seen more and more small businesses being targeted, especially those where senior leadership wears multiple hats,” says Thrive Networks’ Michael Gray. “They are taking advantage of the hectic lifestyle of a small business owner. The attackers have also learned that emerging businesses have fewer controls than an enterprise.”
Kelser Corporation’s Jim Parise agrees: “Small and midsized companies across all industries are at much greater risk today than previously. Cyber criminals recognize that many smaller organizations typically do not have the resources that large enterprises do to secure their environment or have not taken steps to secure their data. This makes them potentially an easier target.”
Small business owners may not have the highly specialized knowledge needed to address the issue adequately. Their staff doesn’t have the training necessary to spot fraud. Or worse, all too often, they assume “It can’t happen to me.”
It can—precisely because that’s the mindset the hackers are counting on.
Business owners may think cyber crime is an IT problem. It’s not. It’s a business problem. A data breach is a breach of trust with your customers—one that costs American companies $400 billion a year, according to inc.com.
“The most common failure we see”
NetCenergy’s Daniel F. Charland says, “The most common failure we see is the lack of an appropriate and tested Disaster Recovery Plan. You can have the technology in place, but if you do not have an organizational plan that explains who, what, where, and how users access the systems, then your systems may take much longer to recover. This can result in financial and reputational losses.”
What can you do about it?
The experts agree: Up-to-date knowledge and heightened awareness are key—for staff, for vendors and for the partners in your business.
“The reality is you do not need to be a large company to implement basic steps that will make your data more secure,” says Jim Parise. “Training employees, web filtering, robust antivirus/malware, offsite data backup, next-gen firewalls and device monitoring are all within the means of most organizations.”
Daniel F. Charland highlights these priorities as essential: “User education, email protection tools, system and file recovery capability, and tested and documented Disaster Recovery Plans.”
Michael Gray recommends best practices including “proactive training through a learning management system as well as mock phishing attacks. Tracking logins to email systems from foreign countries has proven to be very effective. Lastly, a mock security incident, typically referred to as a tabletop, can be very effective with internal non-technical teams.”
Some companies even use the services of an ethical hacker—a cyber expert who thinks like a bad guy but uses that knowledge to help protect businesses. (Some, like Frank “Catch Me If You Can” Abagnale or Kevin Mitnick, are reformed fraudsters themselves.)
Fighting cyber crime today requires an investment in specialized expertise and a commitment to ongoing training. Both are minimal, compared to the staggering risks of a data breach.
Low and high tech solutions.
Hand in hand with vigilance comes technology. Some of the best solutions are low-tech: confirming transactions and messages through a phone call. Simple, fast and effective.
From a banking standpoint, companies also benefit from services that give you important status updates for your transactions: for example, Positive Pay services to warn you about potential check or electronic debit fraud, or alerts to report account activity you need to double-check.
We recommend a more detailed review of your account set-up and cash-flow processes to mitigate the impact of cyber fraud. Please contact me or the treasury services officer at your local Webster branch to review the best practices we’ve learned and shared with clients.
Cyber awareness is a leadership mindset that managers need to instill in all staff, partners and providers. Webster can help by offering our Cyber Fraud Awareness program to your management team or trade association.
Start with our Fraud Awareness Checklist; just email me to receive your copy.
Everyone in your business—from finance and accounting to marketing and operations—should feel empowered to recognize the threat of cyber crime. That way, you can stop it in its tracks.
Laurance A. (Larry) Selnick, CTP, Director, Treasury and Payment Solutions Sales, at Webster Bank has nearly 40 years of experience in cash management systems and bank operations.
The opinions and views in this blog post are those of the authors, and are not intended to provide specific advice or recommendations for any individual. All loans are subject to the normal credit approval process.
© 2019 All rights reserved. Webster Financial Corporation.