Email Compromises: Cyber Security at Work

It's not just the job of IT staff to ensure online safety at work. A culture of cyber security includes ALL employees knowing how to protect themselves and the organization while striving to understand how cyber risks change as the business grows or adds new functions. This month, Woodruff Sawyer is joining up with the National Cyber Security Alliance to spread the latest news and best practices for personal and workplace cyber security.

In its 2018 Data Breach Investigations Report (DBIR), Verizon Enterprise tracked 1,450 security incidents that exploited human error or negligence.  Phishing alone accounted for 82% of those incidents. From malicious emails sent from compromised MailChimp accounts to tax scammers masquerading as tax associations, attackers are finding new ways to exploit our human desire to click an interesting link or open an intriguing email.

Impact on Business

Good cyber hygiene extends far beyond your personal laptop, cell phone, or email account. Businesses both large and small have been attacked at the weakest point of their security program—their employees.  According to a report by specialist insurer Beazley, business email compromise (BEC) attacks increased 264% in the first half of  2018 compared to the same period in 2017. A frequent target of these email attacks are companies utilizing Office 365, the cloud-based productivity suite from Microsoft favored by many businesses.

Business email compromise attacks are an efficient way for an attacker to monetize their hacking exploits, causing extensive damage to an organization in the process.  Gaining access to an employee’s email account can lead to fraudulent wire transfer requests or spoofing attacks on your clients, which involve an attacker redirecting funds or goods intended for your organization to their own financial accounts. Gaining email account access can also allow a hacker to view all of the employee’s emails, potentially exposing large volumes of confidential corporate information or the personally identifiable information of customers and employees.

Where to Begin?

Employee cyber security takes place both inside and outside the workplace. From security awareness to password management, cyber security starts with understanding where your information is vulnerable and taking steps to safeguard it. Here are the best places to start.

• Multi-factor authentication (MFA): Multi-factor authentication is a security process that authenticates your identity with two or more pieces of evidence that identify you.  This often includes something you know (like a password), something you physically possess (security token or phone) or something biologically unique (your fingerprint). Common examples of MFA include using a bank card with a PIN, or when logging in to email requiring both your personal login/password and a one-time password sent via text.  This prevents a hacker from accessing your network using a username and password that could have been compromised in a separate breach.
• Password Management: Speaking of passwords, make them strong. When creating a password, the rule of thumb is to use 12+ characters and combine letters, numbers, and symbols.  When all three types of characters are used, it takes a brute force hacker approximately 2 hours to crack a 9-character password, 1 week to crack a 10-character password, 2 months to crack an 11-character password, and 200 years to crack a 12-character password.  In this context, length clearly matters. Favor longer passwords and add complexity to make them extra secure.

According to OpenVPN, 25% of employees use the same password for everything. That’s a danger not only to your own cyber safety but to that of your company. Each account or application should have its own unique password. We know that generating and remembering complex passwords can be a hassle, so consider an online password manager. You can find dozens of reputable options that will generate, store, and encrypt your passwords, allowing you to only remember a single password to that manager.

• Employee education: Cyber security education should be a staple of every new employee orientation, and these trainings should be updated and repeated regularly. Exercises that are short, repetitive, and integrate phishing simulations ensure security practices stay fresh in employees' minds and show them what potential exploits look like.  Many cyber insurance carriers offer access to employee training as a value-added service when a cyber insurance policy is purchased.
• Proper Patching: Don’t ignore application and software updates. Because cyber exploits are constantly changing, software developers are continuously updating their products to address new security concerns and patch known exploits, not to mention adding new features and functionality for your safety.  Having a regular cadence for testing and applying software patches is key to maintaining proper security within your organization.

Insurance Can Help

The cyber insurance market has responded to the security threat of employee error in multiple ways, including both true risk transfer and value-added services which can aid in mitigation and incident response.  In the case of business email compromise as a result of a phishing attack, the insurance market has responded positively to these risks. Coverage can be found for these compromises in the following ways:

• Breach Response Costs: Gaining access to an employee’s email may potentially expose both customer and employee personally identifiable information (PII) or protected health information (PHI).  State laws in all 50 US states require notification to individuals when their personal information is improperly accessed, lost, or stolen, and every good dedicated cyber insurance product will cover these breach response costs.  Breach response costs include legal costs, notification costs, costs for an IT forensics firm to assess and contain the breach, credit monitoring costs, setting up and managing a call center, and the costs of a public relations firm handling any media fallout.
• Social Engineering Fraud: This coverage grant in many cyber policies will cover lost money or securities as a result of fraudulent wire transfer requests.  This can extend to your organization’s transfer to a fraudulent account and/or your client’s transfer of funds (intended for you) to a fraudulent account as a result of a compromise of your network.  This coverage grant is typically sub-limited to smaller amounts and not always offered by some carriers.
• Legal Liability:  Often, cyber incidents can lead to legal liability in the form of regulatory investigations, contractual liabilities, and class-action lawsuits.  The cyber insurance market provides coverage for defense, indemnity, or regulatory fines and penalties arising out of a security incident, including business email compromise.

To learn even more about how to protect yourself online visit Stay Safe Online, powered by the National Cyber Security Alliance.