Here’s a sobering thought: According to the IBM-sponsored 2016 Ponemon Institute Cost of a Data Breach Study, the average cost to an organization of a run-of-the-mill data breach is $4 million.
It’s even more sobering because any one of us could be the unwitting cause – or victim – of a data breach. Including you. Definitely including me.
Ever heard of spear phishing? I’d never heard of it before it happened here.
Last September I was 10 minutes from boarding a plane to go on vacation when I got a text from Alisa Morgan, HBG’s operations manager.
“Are you emailing me about a bank transfer to a client?”
I most definitely was not.
Alisa had received an email a bit earlier that appeared to be from me. It had juuuust enough detail and familiarity to make her think that, as unusual as it was, my request for her to wire money could be legit. Even the amount sort of made sense.
Fortunately, Alisa has a healthy skepticism streak and can smell something fishy a mile away. I hadn’t signed the email like I normally would to her. The greeting was just slightly …off.
Alisa knew my travel plans, and that I was flying that day. In case it really was me doing a last-minute piece of business and she couldn’t reach me, she emailed the fake ‘me’ back and asked them to verify ‘my’ identity with three questions that only she and I know the answers to. And then she sent the text.
Not surprisingly, she didn’t hear back from the scammer, but she certainly got a very concerned me. One security lock-down, email audit, bank call, and company-wide password reset later, we learned they hadn’t actually hacked my email account. They’d just managed to do a nearly-credible job of impersonating me to someone whom they guessed might have access to assets.
And that, my friends, is spear phishing: a phishing attack aimed at one specific person, impersonating someone they trust just well enough to get them to give up account details, confidential information, or real money via bank transfer. When the bait is a wire request from a “boss” to someone who can move money, the FBI files it under business email compromise (BEC). Loathsome and lucrative.
In a June 2016 alert, the FBI’s Internet Crime Complaint Center (IC3) reported that identified exposed losses from business email compromise (BEC) had risen 1,300% since January 2015, with total exposed losses (attempted and actual) of more than $3 billion worldwide between October 2013 and May 2016.
“BEC is a serious threat on a global scale,” said FBI Special Agent Maxwell Marker in an FBI alert in 2015. “They know how to perpetuate the scam without raising suspicions. They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.”
Losing information doesn’t just come from being tricked, though. It can come from simple carelessness. We can’t always know when a threat is coming at us, but we can very easily make ourselves harder targets.
We all know not to send confidential information by email outside our organization, but unless your organization runs its own mail server on a closed network with no connection to the outside world (and if you’re reading this online, that’s not you), you shouldn’t email confidential information internally, either, unless it’s encrypted.
Inside or outside, it doesn’t really matter
You might think, “I’m just sending our new major donor’s contact details to Susan in the office next door.” Which might be fine, unless Susan reads it (or re-reads it later) on her phone, or using a public wifi network at the airport, or in a Starbucks, or in her hotel room.
In that event, the message is no longer “in the office next door.” Every copy of it now sits in a mailbox or on a device, and if your organization uses a hosted email provider, “internal” mail already leaves the building on its way to that provider and back. Susan’s phone pulls it down over whatever network she happens to be on, and unless that connection and every server-to-server hop are protected by TLS, anyone on the same wifi or anywhere along the path can read it. The internet doesn’t see borders or your org chart. It routes traffic according to the agreements between the networks along the way, not along a path you chose. A copy syphoned off in transit, or left behind on a lost phone, can be saved as a snack for someone later to phish you or Susan. Or your new donor.
Unsecured email servers have been a hot topic recently in political news. No matter where you sit on that particular subject, I think we can all agree that taking security seriously is always the best option. Big breaches have a tendency to make us aware of things we may not have thought much about before, but once they’ve happened, we have no excuse for not taking precautions if we can.
Because you really don’t want to have your organization’s name be the first thing people see on CNN in the morning and forevermore think of you when “Spectacular Data Breach” is mentioned. Or be the person on the team who unknowingly gave the vault key to hackers that ransom your organization’s sensitive data back to you.
So how can you help protect yourself and your organization?
- Don’t send any sensitive data by email, even internally, unless you know that your email is encrypted end to end. (Encryption between mail servers only protects the message in transit; copies still sit unencrypted in both mailboxes, so even then consider not doing it in case an account becomes compromised.) Our rule here at HBG is this: If the email (or piece of paper) has a name or a number on it, it’s sensitive data.
- If you don’t know whether your email is encrypted and you must use that method of communication, create a document with the information, password protect the document, and email it to the recipient. Use a long passphrase and a current file format; the “password to open” on old .doc and .xls files is easily cracked. Be smart here: emailing or texting the password completely negates the security; pre-arrange a password or call the recipient and relay it verbally. (Or, since you’re talking with them, just go ahead and share the information that way if you can.)
- Many organizations have internal shared servers, and if yours does, use it. Simply create a folder, put the documents you want to share inside, and tell the recipient where it is. If you need to share information externally, skip email altogether and use a file-sharing service that lets you restrict who can open a link and set it to expire, such as Dropbox or Nomadesk, and send the link and any password by different channels.
- Don’t share documents, names, numbers, or passwords through instant messaging programs unless you know the service is end-to-end encrypted. (And even then…)
- If you print something with confidential information on it, use your shredder to get rid of it. Again, if a document has a name or number on it, play it safe and shred it when you’re finished.
- If an email looks weird, or doesn’t make sense, wait before opening any attachments. If your “colleague” is asking you to open attachments that just don’t sound kosher, or if they’re writing in a style that doesn’t quite sound like the person you know, call and verify that it really came from them, using a number you already have on file, not one supplied in the email. If you have an IT department, notify them that your organization may be being targeted by phishing.
- Keep calm, maintain a healthy dose of skepticism, and take time to really get to know your colleagues. Alisa’s quick thinking and BS-o-meter played an important role, for sure. Her demand for not one but three secret answers still makes me smile as I write this. It was another great illustration of the importance (and benefit) of communication, collaboration, and collegiality.
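The “does this really sound like my colleague?” check above can be partly automated on the mail gateway. The following is an added example written for this post, not code from HBG or from any product named here. It parses a raw email and flags the four tells in the story: a known colleague’s display name on an address that isn’t theirs, a Reply-To that diverts replies elsewhere, a sender domain that merely resembles ours, and a payment request paired with pressure not to phone. The domain hbg.example, the staff names and addresses, and both sample messages are constructed for the demo.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation details (hypothetical; not HBG's real domain or staff).
INTERNAL_DOMAIN = "hbg.example"
KNOWN_STAFF = {"Pat Reyes": "pat@hbg.example", "Alisa Morgan": "alisa@hbg.example"}

# Phrases that, together, look like a BEC wire request. Tune against your own mail.
PRESSURE_TERMS = ("wire", "bank transfer", "urgent", "confidential", "can't talk", "boarding")

# Constructed sample: display-name spoof on a lookalike domain, replies diverted elsewhere.
SPOOFED = """\
From: Pat Reyes <pat.reyes@hbg-group.example>
Reply-To: pat.reyes.hbg@webmail.example
To: Alisa Morgan <alisa@hbg.example>
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Hi Alisa, I'm boarding in ten minutes and can't talk. Please send a wire of
$23,500 to the client today; I'll forward the account details once you confirm.
Keep this confidential until I land. Thanks, Pat
"""

# Constructed sample: a normal internal message that should raise nothing.
LEGIT = """\
From: Pat Reyes <pat@hbg.example>
To: Alisa Morgan <alisa@hbg.example>
Subject: Donor report
Content-Type: text/plain; charset="utf-8"

Hi Alisa, the Q3 donor report is on the shared server under Finance/Reports.
Thanks, Pat
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(candidate, internal):
    """Crude lookalike test: our first DNS label embedded in theirs, or the whole
    domain string very similar (catches 'rn' for 'm' and friends). Short brand
    labels make the substring test noisy; review hits before blocking on them."""
    brand = internal.split(".")[0]
    if brand in candidate.split(".")[0]:
        return True
    return difflib.SequenceMatcher(None, candidate, internal).ratio() >= 0.8


def assess(raw, internal_domain=INTERNAL_DOMAIN, staff=KNOWN_STAFF):
    """Return a list of (tag, detail) findings for one raw RFC 5322 message.
    An empty list means none of the four tells fired; any finding means
    'pick up the phone and verify' rather than 'block'."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    # 1. A colleague's display name on an address that is not the one we know.
    expected = staff.get(from_name.strip())
    if expected and from_addr.lower() != expected.lower():
        findings.append(("display-name-impersonation",
                         f"'{from_name}' sent from {from_addr}, expected {expected}"))

    # 2. Replies would go to a different domain than the message claims to be from.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(("reply-to-mismatch",
                         f"From {from_dom} but Reply-To {domain_of(reply_addr)}"))

    # 3. Sender domain resembles ours without being ours.
    if from_dom and from_dom != internal_domain and looks_like(from_dom, internal_domain):
        findings.append(("lookalike-domain", f"{from_dom} resembles {internal_domain}"))

    # 4. Money request plus pressure to act without a phone call.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [t for t in PRESSURE_TERMS if t in text]
    if len(hits) >= 2:
        findings.append(("payment-pressure", "matched: " + ", ".join(hits)))

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label)
        for tag, detail in assess(raw):
            print(f"  [{tag}] {detail}")
```

None of these checks proves a message is fraudulent, and a real attacker who has actually taken over the boss’s mailbox passes all four; they are there to decide which messages earn a phone call to a number you already have. Deploy them as a “verify before acting” banner or a ticket to IT, not as a silent block, and keep the staff list and pressure terms out of any place an outsider can read them.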
A split-second decision on your part really could alter your organization’s financial future. Playing it safe may be a short-term hassle, but you’ll never be sorry.