Cybersecurity for Deals: knowing the path vs. walking the path
You’re crushed at work trying to close several deals at once. You go to your local cafe to get some work done and quickly leave your table to grab a coffee. With your computer screen open, unbeknownst to you, someone uses their cell phone to take a picture of your screen. The closing day comes and you get an email from your borrower with wire instructions for loan proceeds. You close and wire funds in accordance with your borrower’s instructions. Your borrower calls asking where the funds are . . . you can imagine what happens next.
If you want to end the story now, go ahead and stop reading. You know hackers are out there trying to gobble up your information and you can continue to casually care about it.
But if you want to take the red pill and see how deep the rabbit hole really goes, follow me . . .
While an example like the above might seem extreme and implausible, think again. This is unequivocally the reality of the financial services industry today. Let’s review some startling facts:
- Fewer than 30% of businesses are using data encryption
- 52% of people don’t use passcodes on their mobile phone
- Your company has a 1 in 3 chance of getting hacked
For the last few years, IBM Security has released an annual report in conjunction with the Ponemon Institute outlining the costs associated with a data breach. The average cost of a data breach in 2019 is $3.92 million. In highly regulated industries, like financial services, roughly one-third of those costs associated with a data breach occurred after the first year following a breach. The largest portion of these costs is attributed to lost business. Negative publicity and federal or state laws mandating disclosure and reporting after a breach can cause financial ruin.
We know from events over the last decade that the financial services industry is a target for hackers. Ask around and you will find accounts of a firm that has dealt with spoofed wire instructions. Or just look at the news to see who has been affected:
- Banks (JPMorgan’s 2014 breach affecting over 100 million customers)
- Law firms (Cyber attack against DLA Piper crippling all phones and emails)
- Title companies (First American’s 2019 security oversight resulting in the exposure of over 900 million documents)
- Credit reporting agencies (Equifax’s 2017 breach affected almost 600 million people)
Yes, the number of examples is growing by the day. But what is most troublesome is that the list is filled with companies that have teams and multi-million dollar budgets dedicated to information security.
If you do not think you have been or will be exposed by a data breach, think again. Experts in the industry will tell you that being hacked is not a question of “if” but rather a matter of “when.” While you might think your company is taking necessary precautions, you also need to be mindful of your service providers and the security they use to protect the information you give them. Just look at Retrieval-Masters Creditors Bureau Inc., a collection agency formerly used by Quest Diagnostics. A data breach at Retrieval-Masters exposed the personal information of Quest’s clientele, resulting in a large number of customers initially reporting fraudulent credit card charges. The financial impact of this breach recently caused the collection agency to file for bankruptcy.
So whether you run a small shop or work for a large corporation, each individual can do their part today to provide an extra layer of security around their personal and company information:
Recognize Business Email Compromise.
The FBI’s 2017 internet crimes report states that businesses lost approximately $1.4 billion as a result of internet crimes like business email compromise, a scam targeting businesses regularly performing wire transfer payments. Do your part to protect against BEC by moving conversations out of email and calling contacts to verify payment and wire information. Most title companies, for example, mandate their closers call parties to verify wire instructions received via email.
Protect your company and your network by identifying phishing scams.
Phishing scams employ clever social engineering tactics to get you to divulge information. When you are busy it is easy to let your guard down. Here are several ways to stay mindful of suspicious activities (courtesy of Nerds on Site):
- Requests for Sensitive Information. If asked for information you wouldn’t be comfortable sharing, pick up the phone and call a known number to verify the request.
- Implied urgency. Always stop to think if someone is threatening you to stop a service or kill a deal without an immediate reply. Hackers will use this tactic to pressure a response.
- Images that aren’t quite right. If the images or layout of an email seem a bit off, it’s likely an attempt to fool you.
- Odd salutations. Look out for red flags such as “Valued Customer” or “Important Client.”
- Suspicious domains. Malicious emails will use a domain that is close to the legitimate domain, but not spot-on. For instance, someone could use Capital0ne.com instead of capitalone.com to try and pull the wool over your eyes.
- Non-Standard Attachments. If the attached file is not one you recognize (like .doc for a word file, .xls for an Excel file, or .pdf for a PDF file), be suspicious.
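A small defender-side check for two of the red flags above, the look-alike domain (Capital0ne.com) and the non-standard attachment, as an added example that is not code from the article or from Nerds on Site. The trusted domains and expected extensions are constructed samples, and the similarity threshold of 0.8 is an assumed tuning value.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: domains this office legitimately receives wire and loan email from.
TRUSTED_DOMAINS = {"capitalone.com", "firsttitle.example"}
# Constructed sample: attachment types the office expects, per the article's list.
EXPECTED_EXTENSIONS = {".doc", ".xls", ".pdf"}
# Characters attackers substitute for the letters they resemble (e.g. 0 for o in Capital0ne).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s", "|": "l"})

def normalize(domain: str) -> str:
    """Lowercase the domain and map look-alike characters back to the letters they imitate."""
    return domain.strip().lower().translate(HOMOGLYPHS)

def sender_domain(from_header: str) -> str:
    """Return the lowercase domain from a From: header such as 'Jane <jane@Capital0ne.com>'."""
    match = re.search(r"@([A-Za-z0-9.\-]+)>?\s*$", from_header)
    if not match:
        raise ValueError(f"no email address in header: {from_header!r}")
    return match.group(1).lower()

def classify_domain(domain: str, threshold: float = 0.8) -> str:
    """Return 'trusted', 'lookalike' (close to a trusted domain) or 'unknown'."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for good in TRUSTED_DOMAINS:
        # Exact match after substitution (Capital0ne.com) or a near match such as
        # capitalone.co: a trusted name with a character changed, dropped or added.
        if norm == good or SequenceMatcher(None, norm, good).ratio() >= threshold:
            return "lookalike"
    return "unknown"

def unexpected_attachment(filename: str) -> bool:
    """True when the attachment's extension is not one the office normally handles."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXPECTED_EXTENSIONS

def triage(from_header: str, attachments: list[str]) -> list[str]:
    """Collect the 'suspicious domain' and 'non-standard attachment' red flags for one email."""
    flags = []
    verdict = classify_domain(sender_domain(from_header))
    if verdict != "trusted":
        flags.append(f"{verdict} sender domain")
    flags.extend(f"unexpected attachment: {name}" for name in attachments if unexpected_attachment(name))
    return flags
```

A non-empty result is a cue to stop and verify by phone on a known number, not a verdict on its own; a legitimate but unlisted domain is reported as "unknown" so it gets the same pause.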
Protect your accounts and passwords.
Solely using a password to protect an online account leaves a thin layer between a hacker and access to your business information. Always use multi-factor authentication when available to add additional protection to your accounts. Use a password manager like 1Password or LastPass to not only encrypt your passwords but also generate complex passwords. If you want to really up your security game, rotate your passwords every 90 days and, when possible, use single sign-on with platforms like Google or LinkedIn to minimize your attack surface.
Protect your devices.
Employ a clean desk policy at work so computers and papers are not open to view from third parties or visitors passing through your office. For devices that leave the office, use passwords, passcodes, and privacy screens. Remember to also never leave your mobile phone or computer unattended, especially without a security password in place. Set your smartphone to auto-lock the screen after a short period of inactivity, like 15 seconds.
Now that you know the true state of affairs, how will you protect your data and your company? Start today with the steps outlined above and also by staying informed. Set some Google Alerts for relevant content or read a data security blog. Always remember that as long as you have money (it doesn’t matter how much), data (usernames, passwords, documents, emails, etc.) and a job, you are an attractive target for cybercriminals. And the next time you walk away from your laptop, remember to close the screen before you grab your latte.
Originally published in the August 2019 issue of the Originate Report
For more information, contact firstname.lastname@example.org