Parker Rains, Fisher Brown Bottrell Insurance
In the movies, cybercrime takes place in high-tech lairs with lots of big screens scrolling gibberish. Hackers enter complicated computer code from memory at lightning speed, and finally one declares, “I’m in!” Suddenly, all the secrets the company has hidden away become as easy to steal as it is to drag and drop.
In the real world, cybercrime doesn’t have to be all that sophisticated to create an extinction-level event for your business. The average attack costs businesses more than $720,000, including legal fees, security protocol reforms, reputation management and loss of customer loyalty. On top of that, businesses often shut down for 46 days or longer trying to resolve the issues. Would that kind of liability put you out of business?
For many business owners, the answer is yes. But there are steps you can take to protect your business. Dennis Blanton, managing shareholder of the Chattanooga office of LBMC, PC, connected me with his cyber experts, Jason Riddle and Marcie Angle, for a deeper dive on cyber risks. They helped me identify two common forms of cybercrime and shared several ways to mitigate the risk of falling victim to a cyber attack.
Business Email Compromise (BEC) Scams
This attack is so common it has an acronym. It works like this: A scammer creates a phony email address that is just similar enough to the real thing to fool an employee who isn’t paying close attention, often changing something as simple as a lowercase “L” to an uppercase “I”. The employee gets an email from his “boss” asking him to cut a check or transfer funds to a particular account. According to the FBI, more than 7,000 businesses and all 50 states were affected by BEC scams between 2013 and 2015. U.S. and international victims lost more than $1.2 billion to BEC scammers during that period.
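For mail administrators, the look-alike trick described above can be screened for automatically. The sketch below is an added example, not part of the original article: it flags a sender whose address differs from a known one yet looks the same once confusable characters are collapsed. The addresses and the character table are constructed for illustration, and the table also covers a few other common swaps (1 for l, 0 for o, "rn" for "m").

```python
# Added example: flag senders that imitate a trusted address with look-alike characters.
# The character table and all addresses below are constructed for illustration.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})


def skeleton(address: str) -> str:
    """Collapse look-alike characters so visually similar addresses compare equal."""
    folded = address.strip().translate(CONFUSABLE).lower()
    return folded.replace("rn", "m").replace("vv", "w")


def classify_sender(sender: str, trusted: set[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one From address."""
    exact = {t.strip().lower() for t in trusted}
    if sender.strip().lower() in exact:
        return "trusted"  # the same address, ignoring letter case
    if skeleton(sender) in {skeleton(t) for t in trusted}:
        return "lookalike"  # a different address that reads the same on screen
    return "unknown"


def flag_lookalikes(senders: list[str], trusted: set[str]) -> list[str]:
    """Return the senders that should be held for verbal confirmation."""
    return [s for s in senders if classify_sender(s, trusted) == "lookalike"]


TRUSTED = {"bill.carlson@example.test"}  # constructed executive address
INBOX = [  # constructed From addresses
    "Bill.Carlson@example.test",   # genuine, different letter case
    "biIl.carlson@example.test",   # uppercase I in place of lowercase l
    "bill.carlson@examp1e.test",   # digit 1 in place of l in the domain
    "billing@vendor.example",      # unrelated sender
]

if __name__ == "__main__":
    for sender in INBOX:
        print(f"{classify_sender(sender, TRUSTED):9}  {sender}")
```

A "lookalike" result is a reason to hold the message and confirm the request by phone, not proof of fraud.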
Ransomware
This hack is particularly insidious because once you’re attacked, there’s not much you can do about it. Someone at your company clicks the wrong link and downloads a piece of malware. The program then spreads through your network, encrypts all your computers, servers and hard drives and offers to sell you the code to unlock your data. Hackers are literally holding your business for ransom.
Symantec cites an example in 2012 of a single hacker infecting 5,700 computers in a day using ransomware. The average ransom was $200 and nearly three percent of users paid it, giving the hacker a single-day take of approximately $33,600.
Companies big and small have fallen victim to this scam. It has become so popular that hackers are selling turnkey extortion kits called “Ransomware as a Service” or RaaS viruses that nearly anyone can deploy.
So, what can you do to protect your business?
- Keep an eye on your assets. Not all assets are created equal, and some types of data are more valuable to cyber criminals than others. Highly sensitive material, such as client data or private company files, should be held at the highest level of security. You should know where this data is stored and who has access, and ensure that proper protocols are in place for accessing the data.
- Establish protocols for cyber threats. A detailed disaster-response plan can prevent further damage to your company — both from a financial and a reputational standpoint. Outline step-by-step actions to be taken in the face of an attack, including who is responsible for seeing each task through to completion.
- Update your software. As new threats exploit vulnerabilities, security software companies create patches to fight off the attacks. Ensure that your company is safe by upgrading security systems frequently.
- Buy cyber liability insurance. Standard business liability insurance won’t cover the costs associated with a data breach. Cyber liability insurance covers notification fees, crisis management costs, regulatory proceedings (fines and penalties) and credit monitoring expenses for victims of the breach.
- Implement verbal confirmation. As BEC scams gain popularity, more and more business owners are going the old-fashioned route to confirm wire transfers — in person or over the phone. Make it a protocol for employees to receive verbal confirmation before transferring money so that you don’t lose out to a BEC scammer.
It doesn’t take a sophisticated hacker to fake an email address or deploy ready-to-use ransomware. Even novice cyber criminals hold the power to ruin your business’ bottom line, which is why now, more than ever, a strong cyber defense is imperative.
Parker Rains, a Chattanooga native now based in Nashville, is vice president of middle market business insurance firm, Fisher Brown Bottrell Insurance. You can reach him at [email protected], and visit Fisher Brown Bottrell Insurance online at www.fbbins.com.