The number of different hacking methods that can expose your business is intimidating for anyone who isn’t a cyber security expert. And I get it, we love to avoid thinking about anything that we don’t understand or that scares us. Relying on a secure VPN for work-from-home employees is one of the most overlooked safeguards, but it isn’t always enough. And leaning on an amazing IT team/vendor won’t cover the financial loss after a data breach.
Prior to being a commercial Insurance Broker for 16 years, I ran multiple companies. And as a former president/owner, I understand the heavy burden that comes with balancing risk mitigation and reward.
A lot can change in 16 years, but the sleepless nights remain the same. And today, Cyber is the hot topic keeping business owners up at night. My real-life experience on the insurance buying side, as well as handling countless data breach claims, has taught me that owners should protect their business from 3 different hacking methods.
Socially Engineered Donation Hacking
Hackers stole an email between a non-profit employee and a prospective donor. Posing as the donor, the hackers went back to the non-profit and asked it to send them its wiring instructions so they could initiate a donation.
The donor, thinking this was all on the up and up, wired $85,000 to the non-profit. The non-profit followed up on the donation only to be told that the wire had been initiated, yet it had not received the funds. The donation/monies were now in the hands of the hackers and long gone.
The Extortion Approach to Data Server Hacking
Hackers in the Eastern Bloc get into a company’s server and steal data. The company receives a knock on the door from the FBI, telling them that agents have been watching these Eastern Bloc guys for months and that the company got hacked. The IT department says, “no way we have the best firewalls, and we watch the action daily.”
The FBI says, “go to this day and time, and you will see that a packet of information was taken,” and sure enough, something was taken. The company bought a cheap laptop, went to a Starbucks, and transferred $40,000 to get their packet back. At the end of the day, nothing of importance was taken, but this $100M company had thought they were secure.
Socially Engineered Accounts Payable Hacking
A hacker gets into the server of a non-profit and intercepts an email from the CFO to an Accounts Payable person. After a few days, the hacker sends an email to the A/P person, making the email and attachment look like they come from the CFO. The hacker instructs the A/P person to send a check to XYZ Company, and without double-checking with the CFO, the A/P person cuts and sends the check.
A few months go by, and the hacker tries the same thing. This time the A/P person goes to the CFO and asks if he wants her to send another check to XYZ Company; he says no, and only then does he find out what had happened several months prior. The lesson here is that hackers try many ways to get into a company and learn its patterns, such as when a CFO typically works from home, or they steal the company’s A/P list and ask that payment on a specific invoice be wired to them.
The Bottom Line
The bottom line is that all these Cyber claims and losses could have been avoided by following strong internal controls. Strong internal controls include using the company’s VPN while working from home, together with having the best internet security systems/firewalls in place. Remember there are also 1st party claims that are internally driven: the attack can come from a disgruntled employee who sets off a Trojan on his/her last day of work.
If you know of a company that has a fear of a Cyber-attack, please have them contact me so I can consult on best practices going forward and put the insurance coverage in place.