Last week the CEO of one of our client companies sent an email to the CFO simply asking if the CFO was in the office and, if so, to please respond that they were. The problem was that the CEO never wrote the email. There was nothing “wrong” with the email except that it sounded a little formal, and that is what tipped them off that something wasn’t right. This was the start of a sophisticated phishing scam. Thankfully, this company was on its toes and stopped the scam immediately, but another client wasn’t so lucky two years ago. In that case, the scam passed through and a six-figure wire transfer was initiated.
Phishing attempts such as these bypass sophisticated, enterprise-grade anti-spam and anti-virus software. The human element cannot be automated or controlled; it must be taught. According to Lou Modano, Chief Information Security Officer at Nasdaq,
“The frequency and severity of cyber penetrations, as well as sophistication of hackers, has increased dramatically. What has not kept pace with that is the education level, the understanding of the impact of cyber security across all industries.”
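The CEO-impersonation email described at the top of this post has a handful of header-level tells that a mail gateway can flag before anyone has to judge whether the tone "sounds a little formal": an executive's display name on a mailbox that is not that executive's, a Reply-To that quietly redirects the conversation, a look-alike sender domain, an authentication failure on a message that claims the company's own domain, and the scam's classic opener. The script below is an added example written for this post, not code from the original page; the organisation domain, the executive directory and the sample messages are constructed, and the exact checks are assumptions about what a reasonable first-pass rule would look like, not a description of any product.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions constructed for this example (not from the post):
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox
OPENERS = ("are you in the office", "wire transfer", "urgent")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message, executives=EXECUTIVES, org_domain=ORG_DOMAIN):
    """Return a list of human-readable reasons this message looks like executive impersonation."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)
    name_key = " ".join(from_name.lower().split())

    # 1. An executive's name on a mailbox that is not that executive's.
    if name_key in executives and from_addr != executives[name_key]:
        findings.append(f"display name '{from_name}' is an executive's but sender is {from_addr}")

    # 2. Sender domain that is a near-miss of ours.
    if from_dom and from_dom != org_domain and _edit_distance(from_dom, org_domain) <= 2:
        findings.append(f"look-alike sender domain {from_dom}")

    # 3. Replies silently redirected to a different mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} does not match sender domain {from_dom}")

    # 4. Our own domain in From, but the receiving MTA recorded an auth failure.
    auth = msg.get("Authentication-Results", "")
    if from_dom == org_domain and re.search(r"\b(dmarc|spf|dkim)=fail\b", auth, re.I):
        findings.append("sender claims our domain but SPF/DKIM/DMARC failed")

    # 5. The opening move of the scam in the post: a short availability check or money ask.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}".lower()
    if any(phrase in text for phrase in OPENERS):
        findings.append("subject/body contains a known BEC opener")

    return findings


# Constructed sample messages, not real mail.
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@gmail.com>
Reply-To: jane.doe.ceo@outlook.com
To: cfo@example.com
Subject: Quick question
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com

Are you in the office? If so, please respond that you are.
"""

BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bec_indicators(sample) or ["no indicators"])
```

On the constructed suspicious message this returns three findings (executive name on a webmail address, mismatched Reply-To, and the "are you in the office" opener) and nothing on the benign one. A rule like this is a triage aid, not a verdict: a legitimate executive really can mail from a personal account, so the right action on a hit is to route the message for a second look or to require out-of-band confirmation before any payment, which is exactly what saved the client in the story.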
In its 2015 Data Breach Investigations Report, Verizon reported that 23 percent of recipients of phishing emails open them and 11 percent open the emails and click on the malicious attachments. All it takes is one wrong click to launch an attack on your computer, or worse, your network… and just talking to your employees about it is not enough. The average retention of listening or reading is at or below 10 percent according to National Training Laboratories (Bethel, Maine). As silly as it may sound, companies have begun to run security drills much like the earthquake drills our children do in schools. According to another study by the Ponemon Institute, simulated phishing attack training yields up to a 37 percent return on investment.
The cost of doing business is always evolving, and information security must be treated as seriously as, if not more seriously than, the locks on your doors and your alarm system. This industry, brought into being by criminals, started with specialized hardware and software and now includes specialized consulting, new lines of insurance and personnel training. You must choose an IT strategy that covers it all, not as a “just in case” but as a “when it happens.” Just take a moment to picture yourself reporting a data breach to your clients. That alone should convince you that a higher level of security is a cost of doing business today.