Jarrett Kolthoff | December 8th, 2018

Business Journal Ask the Expert Column

What else does our company need beyond a strong firewall and highly-rated anti-virus software to protect our systems, data and financials?

For true protection against a breach, you need a comprehensive security protocol that includes a human intelligence component monitoring your environment. You can have the most advanced hardware and software on the planet, but if a criminal threat has infiltrated your organization, or a rogue employee plugs a portable drive into any computer in your office, you could lose valuable data, trade secrets, intellectual property or even large sums of money in a matter of minutes or even seconds. Too many organizations focus solely on technology and leave themselves vulnerable to other types of threats.

How can our organization improve overall data security without making our employees feel like they’re working in a police state?

Get employees actively involved with overall security and let them know that data and information security is everyone’s responsibility – and reward employees for good security measures or for identifying potential problems. Use security as a team building exercise that can boost morale and company pride. Giving employees responsibility for bettering the company will make them feel valued. The last thing a company should do is place its people under a microscope where they feel they’re suspect or not trusted. By making every employee at every level a part of the solution, you’ll immediately improve security and improve the workplace for everyone at your company.

Should our company be concerned about threats from mobile devices?

Mobile devices are the most widely ignored threat to organizations today. Most people now use their private devices for work functions, accessing systems, networks and enterprise data, while also checking social media, using their favorite apps and more. The problem is monumental, because there’s usually no set security protocol for personal devices. Hackers and cyber criminals can easily access mobile devices because most people fail to install adequate security measures on their personal equipment and often lose control of the physical device. So, anything that is accessed on a compromised personal mobile device represents low-hanging fruit for criminals. That means your employees could be unwittingly opening the vaults of your organization to potentially dangerous criminals. If your organization doesn’t have security standards and rules for mobile devices, you need to develop some and implement them at once.

What one area of cyber security do you feel is often most overlooked?

Business e-mail compromise, or BEC, is a skyrocketing problem that has jumped by 1300% since January 2015, with over $3 billion in identified exposed losses according to the FBI. BEC is a highly sophisticated deception tactic using e-mail contact with employees that appears to come from the company CEO, legal department or law firm, a trusted vendor or financial officer. Most commonly, an e-mail request for a wire transfer of company funds is made in what would seem a normal and acceptable fashion. The criminals will create a bank account with an account number similar to that of a vendor or trusted entity. The targeted employee believes he/she is sending funds in what would be a normal transaction. Once the money is transferred, usually tens or hundreds of thousands of dollars, it goes directly to the criminal account and then is dispersed to “money mules” worldwide who drain the funds into other accounts that are virtually impossible to trace. This is a very real threat to businesses large and small. To help combat the threat, it’s best to use external monitoring teams that can work interchangeably with internal team members to identify possible BEC issues and implement new security policies on cash transfers.