If you’ve ever attended one of our events, you’ve likely heard our presenters mention a company’s biggest risk is its personnel. We staff our businesses with the best, brightest, and most capable humans possible. We spend a great deal of resources training and educating our teams to ensure they have all the tools and resources necessary to do their jobs and serve our clients. So then, how is it that our most valuable assets also pose our greatest risks?
On February 17, it was reported that a small city in Ohio was the victim of a phishing scam that cost the community $219k. With all the warnings posted everywhere, you might think you would never fall for something like this, but it happens every day – to small and large companies/organizations alike. No one is truly exempt from these attempts.
How exactly did a city smaller than Manhattan, Kan. get swindled out of hundreds of thousands of dollars? Think about the world we live in today. The public demands transparency, and in an effort to comply, cities share project updates on social media. Road closures, repairs, major projects, etc. are all public information, along with the contractors and vendors involved. In this situation, an email was received from someone posing as an existing vendor. They were able to persuade the accounting assistant to change the vendor's bank routing number on file. While this is standard work for that position, the employee failed to follow a verification protocol that was in place. One simple oversight cost the taxpayers $218,992.06.
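The control that failed in the Ohio case was a verification step that depended on the employee remembering to perform it. As an added example (not code from the original post or from any product it mentions), here is one way a payment system can make that step mandatory, using a constructed vendor record and a hypothetical request shape:

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed vendor master record (assumption: these contact details were captured
# at onboarding, so they predate any later change request and are trusted over it).
VENDORS = {
    "acme-paving": {
        "email_domain": "acmepaving.example",
        "phone_on_file": "+1-555-0100",
        "routing_number": "011000015",
    },
}

@dataclass
class BankChangeRequest:
    vendor_id: str
    sender_email: str       # From: address of the email asking for the change
    new_routing_number: str
    callback_phone: str     # number the email asks the clerk to call to "confirm"
    verified_via: Optional[str] = None  # number actually used for confirmation

def risk_flags(req: BankChangeRequest) -> List[str]:
    """Reasons this request must be confirmed out of band before anything changes."""
    vendor = VENDORS[req.vendor_id]
    flags = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["email_domain"]:
        flags.append("sender domain differs from the vendor domain on file")
    if req.callback_phone != vendor["phone_on_file"]:
        flags.append("callback number in the email differs from the number on file")
    if req.new_routing_number != vendor["routing_number"]:
        flags.append("request changes the routing number")
    return flags

def record_confirmation(req: BankChangeRequest, phone_used: str) -> BankChangeRequest:
    """Record which number the clerk called; the policy check lives in apply_change."""
    req.verified_via = phone_used
    return req

def apply_change(req: BankChangeRequest) -> Tuple[bool, str]:
    """Apply the change only if it was confirmed via the phone number on file.
    Calling the number supplied in the email proves nothing: whoever wrote the
    email also controls that number."""
    vendor = VENDORS[req.vendor_id]
    if req.verified_via != vendor["phone_on_file"]:
        return False, "not confirmed via the phone number on file; change rejected"
    vendor["routing_number"] = req.new_routing_number
    return True, "routing number updated after out-of-band confirmation"
```

The point is that the clerk cannot skip the callback or satisfy it with the attacker's number; the record itself refuses to change until the number on file has been used.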
In another recent example, an organization you might assume would be distrustful and highly suspicious of illegal activity was duped and is now dealing with limited connectivity to its systems. While the Modesto Police Department in California is not reporting exactly what happened, it has disconnected a portion of its computer network as a precaution.
The reality is that ransomware is a growing concern for law enforcement agencies across the nation. For perspective, Modesto's department employs 199 sworn officers, comparable to Salina and Olathe here in Kansas. But law enforcement agencies and municipalities are not the only ones being targeted. Unfortunately, as we mentioned, no one is exempt from these attempts.
One way to reduce this risk is to implement an employee education program. Computer-based Security Awareness Training can teach employees how to identify phishing emails, while phishing simulations identify an organization's high-risk employees. When an employee is identified as high-risk, the company can assign that employee additional training, which is a far better outcome than falling victim to an actual phishing attack.
Aside from training and awareness, an effective addition is the implementation of multifactor authentication (MFA). While this will not protect you from social engineering attempts, it does have a 99% effectiveness score for preventing cyberattacks. If you are unfamiliar with MFA, it simply requires you to verify your identity with a second factor, such as an authenticator app or a one-time passcode. While it may seem inconvenient initially, it is a much better alternative than being locked out of your data for an indefinite period, facing extortion, and/or having email accounts compromised.
If you need assistance implementing training tools or MFA, please reach out to us. Our experts are here and happy to assist you with everything you need to implement security best practices within your organization.