Business Journal Ask the Expert Column – February 2019
Although cyber security is the greatest high-tech threat most organizations face, some of the most effective strategies and tactics for protecting against cyber threats are decidedly low tech. Our mailbag this week featured several questions about common sense, low cost, low tech additions to your cyber security plan that you can implement quickly and effectively.
Is There Any One “Obvious” Thing Our Company Is Probably Overlooking In Our Cyber Security Plan?
Yes. Insurance. A study just released by Lloyd’s of London and Aon warned of the extreme potential costs and losses that could be incurred in the event of a coordinated, global cyberattack spread through malicious e-mail. Estimated economic damages for such an attack could reach nearly $200 billion.
Every day, we encounter organizations that are woefully underinsured and sometimes even uninsured. Costs that many executives underestimate when considering cyber insurance include business interruption and “restart” costs, possible cyber extortion costs (particularly with ransomware), and incident response costs, which escalate quickly with the extent of the breach.
When reviewing your cyber insurance plan, be sure to include your Executive Committee, outside cyber security partner, Chief Information Officer, Chief Information Security Officer and Risk Management team. The goal is to look at the potential cost of a breach from every angle in order to properly assess the financial impact.
Should Our Company Director Of HR Be Included On Our Cyber Security Committee?
Without question! Human beings are the most dangerous and most vulnerable elements of every organization’s cyber security plan.
Both organized cybercriminal organizations and foreign governments have increased their use of malicious insiders to steal everything from intellectual property and trade secrets to vast sums of cash to critical personal data. The threat is no longer only a major market concern, either. Secondary markets and small towns have experienced an uptick in malicious insider activity, due to the perception by criminals that smaller markets are not as well protected.
HR can play a critical part in stopping internal threats before they are hired. By using extensive background checks, including links to suspicious cyber activity at previous employers, ties to rogue nations and criminal organizations, and even dark net activity, a cyber savvy human resource department can be the first line of defense against hiring a criminal whose goal is to breach company networks and systems from the inside.
How Can We Help Our Employees Spot Phishing Schemes?
Highly professional and sophisticated phishing schemes are on the rise. And phishing e-mails look and sound more legitimate every day. But if you know how to closely examine a phishing e-mail, there are little clues that usually reveal its fraudulent intent. Here are a few key items to examine when reviewing possible phishing attempts:
1. Always check the e-mail’s originating address. Don’t just look at the sender name, which the sender can set to anything; check the actual e-mail address behind it, and the Reply-To address if there is one. Usually the address is a dead giveaway: it doesn’t correspond to the supposed sender or his/her company domain, or it is a near-miss of the real domain (a letter swapped for a digit, an extra hyphen or word). If replies would go somewhere other than the apparent sender, treat the message as suspect.
2. Carefully examine sentence structure, grammar and language style. Many phishing schemes originate overseas, and the sender often has a poor command of English. If you find typos, misspellings, or peculiar use of language, chances are the e-mail is fake. Keep in mind that the reverse is not true: a polished, error-free e-mail is not proof of legitimacy, so this clue should be weighed alongside the others rather than on its own.
3. Look closely at company logos, addresses, and corporate identification within the e-mail. Quite often there will be subtle differences between what’s being used and actual company artwork, corporate colors and fonts, because the criminals don’t have direct access to company files. One of our clients recently identified a phishing ploy when an e-mail requesting a past due payment used a logo that was too small, along with an incorrect mailing address.
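The first clue above, checking the real address rather than the display name, is the one that can be applied mechanically. The following is an added example written for this column, not code from the original article, and uses the Python standard library only. It assumes a single trusted domain, example.com, and runs over three constructed messages (labelled as such in the code; none is a real phishing sample): an ordinary invoice notice, an imitation of it whose Reply-To points at a lookalike domain, and a message whose display name claims the organization but whose address does not.

```python
import email
from email.utils import parseaddr

# Domains the organization itself sends from; an assumption for this example.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample messages (not real mail).
LEGIT_MSG = b"""From: Accounts Payable <ap@example.com>
To: jane@example.com
Subject: Invoice 1042

Please find the invoice attached.
"""

# Same apparent sender, but replies are routed to a lookalike domain
# (digit 1 in place of the letter l).
PHISH_MSG = b"""From: Accounts Payable <ap@example.com>
Reply-To: Accounts Payable <billing@examp1e.com>
To: jane@example.com
Subject: URGENT: past due payment

Your account is past due. Reply with updated card details today.
"""

# Display name names the organization; the actual address does not belong to it.
SPOOF_NAME_MSG = b"""From: Example IT Support <example.support.desk@mail-example.net>
To: jane@example.com
Subject: Password expiring

Log in here to keep your password.
"""


def levenshtein(a, b):
    """Edit distance between two strings; used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lowercase domain of the real address in a header, ignoring the
    display name (which the sender can set to anything)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one nearly matches, if any."""
    for t in trusted:
        if domain and domain != t and levenshtein(domain, t) <= 2:
            return t
    return None


def address_findings(raw, trusted=TRUSTED_DOMAINS):
    """Apply the 'check the actual address' rule to one raw message and
    return a list of readable findings; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    display_name = parseaddr(msg["From"] or "")[0].lower()

    # Clue 1: display name claims a trusted organization, address is elsewhere.
    for t in trusted:
        org = t.split(".")[0]
        if org in display_name and from_dom not in trusted:
            findings.append(f"display name mentions '{org}' but From domain is {from_dom}")

    # Clue 2: replies would go to a different domain than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Clue 3: either domain is a near-miss of a trusted domain.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        hit = lookalike_of(dom, trusted)
        if hit:
            findings.append(f"{label} domain {dom} resembles trusted domain {hit}")
    return findings


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("phish", PHISH_MSG), ("spoofed name", SPOOF_NAME_MSG)):
        print(name, address_findings(raw) or ["no address findings"])
```

The legitimate notice produces no findings; the Reply-To imitation is flagged twice (reply domain differs from the sender, and it is one edit away from the trusted domain); the third message is flagged for a display name that does not match its address. This reproduces what a careful reader does by eye and is a training aid, not a mail filter: a sender can forge the From address itself, so the organization’s mail gateway checks (SPF, DKIM and DMARC) remain the control that actually blocks such messages.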
Final Thoughts. No matter what the situation, you can never let your guard down. The cyber criminals targeting both large and small organizations never stop adapting and evolving, so you have to adapt and evolve with them to keep from becoming a victim. If you’re even remotely suspicious, consult your internal team and call in a third-party expert to help determine whether you’re at risk.