Hacks and ransomware crimes are all over the news headlines. Seems like there’s a new one reported every day. Victims include federal government agencies, insurance companies, energy infrastructure, and computer system vendors. Those are some highly sophisticated players that have invested tons of money in cybersecurity. So, what chance does a small business have defending itself against all those sophisticated cybercriminals?
Bottom line, the tons of money that organizations invest in cybersecurity can go right out the window if the users – ordinary and fallible people – don’t follow safe system security practices. Systems are only as safe as the security knowledge and practices of the least knowledgeable system user. All it takes to open the door to a cybercriminal is one person clicking on the wrong link from an unknown source, or from a hacker masquerading as a trusted sender.
Believe it or not, periodic reminders of these low-cost cybersecurity tips will help organizations of all sizes and types to follow safe cybersecurity practices:
- Keep software systems up to date and use a good anti-virus program.
- Examine the email address and URLs in all correspondence to detect a scammer mimicking a legitimate site or email address.
- Ignore text messages, emails, or phone calls asking you to update or verify your account information. Instead, go to the company’s website to see if something needs your attention.
- Never open unexpected attachments until you have verified the sender’s email address, and run a virus scan before opening any document.
- Scrutinize all electronic requests for a payment or fund transfers.
- Be extra suspicious of any message that urges immediate action.
Human action is a risk that can throw an organization’s cybersecurity investment right out the window. People who click before thinking can allow hackers in to do all sorts of expensive and embarrassing damage. By promoting a few low-cost cybersecurity tips, businesses of all sizes and types can avoid becoming a victim of sophisticated hackers and other cybercriminals.
Last week, I attended a cyber risk workshop offered by the local chapter of the Institute of Internal Auditors. One of the presenter’s slides listed data breaches that occurred so far in 2017, including Equifax, the Securities and Exchange Commission, and Home Depot. It’s pretty scary, especially when you think about what the cyber criminals are after – your money.
Fraud has existed for a long, long time. Technology gives criminals new opportunities to perpetrate bigger frauds more quickly than ever before. Organizations fight back by adding more technology skills to their fraud prevention and investigation teams. According to the Association of Certified Fraud Examiners’ (ACFE’s) In-house Fraud Investigation Teams: 2017 Benchmarking Report, building forensics and cybersecurity expertise is a big focus.
Of the nearly 1,500 anti-fraud professionals who responded to the global survey:
- 43% say their organization is seeking or expecting to add expertise in digital forensics to its fraud investigation team.
- 36% say their fraud team has cybersecurity skills, while 37% are looking to add those skills.
- Only 16% of teams investigate data breach incidents frequently and 27% investigate them occasionally, indicating a possible lack of expertise.
Responding organizations reported that their fraud investigations were related to:
- Employee embezzlement (40%)
- Frauds committed by customers (40%)
- Frauds committed by vendors or contractors (32%)
- Human resources issues (30%)
IT security professionals often think that their organizations have the controls needed to prevent cyber threats that can lead to fraud. That is not enough! Everyone connected to your systems needs to understand and follow security practices and know why they are important.
Clarify your organization’s fraud controls and each person’s role to protect data and funds by:
- Documenting responsibilities for security and secure work practices. Security is part of everyone’s job.
- Training everyone about security and why it is important. People tend to follow procedures that they understand.
- Implementing incident detection to locate and shut down attacks that can become data breaches.
Fighting fraud requires that organizations ensure they have adequate technology skills on their fraud prevention and investigation teams. Recent reports – as well as recent events – tell us that many organizations still need to beef up their cyber teams to protect our money from fraud.