Cyber Risk. Cyber Fraud. Phishing. Virus. Malware. Denial of Service. Ransomware. It is mission critical that executives are aware of what these terms mean and what their responsibility is when it comes to protecting their organization, members, employees and clients from cyber attacks. In this Lead. Learn. Thrive. podcast episode, Raffa’s Nate Solloway talks with Martin Nash from EagleBank about what executives should be concerned about when it comes to IT security, why they should be concerned and what steps they should be taking to prevent cyber attacks.
The impacts of a cyber security incident reach well beyond IT. There can be legal, financial, regulatory and reputational consequences, and all of them matter to the people running the organization, not just to the IT department. Executives are responsible and accountable for anything that goes wrong from a security perspective.
Cyber security professionals agree that cyber incidents are inevitable: it is not "if" but "when." Organizations should not assume they are immune because they are small, nor that they are doing enough because they are large. Organizations with only four or five employees have been victims of cyber fraud and have lost thousands of dollars to relatively simple but effective scams.
“If you have a bank account and you ever make electronic transfers, someone is going to try to trick you into transferring money to them,” Solloway explains. Cyber criminals have been shifting from larger institutions (like banks) to easier targets (like those institutions' customers). In the last five years there has been a steady increase in attacks on businesses with fewer than 250 employees. The criminals trick customers and employees into sending money with a scam known as Business Email Compromise (BEC).
One important lesson: people trust email too much. The simplest thing any organization can do is train employees not to trust email alone for financial transactions (the same goes for personal transactions). Always verify an important transaction using a phone number you already have on file, not one supplied in the email, or face to face where possible. Also make sure people stop and think before clicking links or opening attachments in email.
Some simple controls organizations can put in place to keep a Business Email Compromise scam from succeeding:
- Require two signatures (two separate approvers) on every transaction.
- Get a second form of verification, not just email.
- Agree controls with your bank on how you will transfer money (for instance, that you will never request a transfer by email alone).
“You can be the biggest organization, spend the most money on cyber controls and put all the controls in place, but if you have one employee who clicks on a link or opens an attachment, something is now in your environment and can wreak havoc,” shared Nash. “Educate your employees.”
Raffa runs a 90-minute training session once a month for new employees. It is entertaining and informative, and it gives employees skills they can use at work and at home. There are also services that help train staff by sending a safe, simulated "phishing" email. If employees click the link, they are taken to a page explaining what the consequences for the organization would have been had the link been malicious. About 17 percent of employees click such links before this training; afterwards that number falls to 1-2 percent. The goal is not to stop people from clicking links altogether; it is to get them to pause and think for a second before they click.
Listen to the podcast to learn more about email scams, ransomware, The Internet of Things, disaster recovery and more (even Pokemon Go!).
To learn more about these issues and how Raffa may be able to help protect your organization, please contact Nate Solloway.
The Lead. Learn. Thrive podcast series grew out of our Raffa Learning Community effort and features interviews with interesting nonprofit and private sector leaders and those who help them Do More. If you would like to suggest a topic or a guest for an upcoming episode, please email email@example.com and include “podcast” in the email subject line.
Subscribe now via iTunes!