Stimulus Tech Talk Podcast: Insider Tips to Avoiding Employee Cyber Security Risk
Did you know the number one risk factor when it comes to cyber security is your employees? That's not to say that your employees are trying to hack into your system, but employees are frequently tricked into putting your company info into the wrong hands.
What are the most common cyber security risk factors for employees?
Phishing attacks are frequently aimed at employees at every level: lower-level staff, managers, executives, and of course the business owners themselves. Cyber criminals will contact an employee to try to get them to click a malicious link, enter credentials into a bogus website, or simply provide company information to the wrong person. That could even be done via a phone call from a hacker posing as a company vendor.
Employees will unwittingly provide the information because they are trying to do a good job. If they are asked to complete a task, they will do it, and completing it without having to ask for help often gives an employee an even greater sense of accomplishment.
What is a phishing attack?
A phishing attack occurs when a cyber criminal attempts to get someone to do something they wouldn't ordinarily do in order to gain private information. Phishing attempts can be made against people inside a company or against individuals. The term phishing is used because the hacker essentially casts out a line, sending an email asking for something, to see if someone will take the bait.
How can a business owner help prevent phishing attacks on employees?
Training is the most important step in preventing employees from falling for phishing attacks. Everyone inside a company should have training on how to spot phishing emails and, even more importantly, should be trained on specific processes for handling different types of email requests. Put checks and balances in place, particularly for financial transactions and for handling the private information of your clients and customers.
For more on this topic, listen to this episode of Stimulus Tech Talk: Insider Tips to Avoiding Employee Cyber Security Risk or watch on YouTube.
Stimulus Tech Talk Episode 11: Insider Tips to Avoiding Employee Cyber Security Risk (transcript)
00:00:00:00 - 00:00:30:03
You're listening to Stimulus Tech Talk, a conversation-based podcast created by Stimulus Technologies. It covers a range of topics related to business and technology. Welcome to Stimulus Tech Talk. [Sherry Lipp] I am Sherry Lipp, marketing manager at Stimulus Technologies, and I am here with Stimulus Technologies CEO Nathan Whittacre. And today we're going to be talking about employee vulnerabilities when it comes to cybersecurity.
00:00:30:03 - 00:00:57:14
Good morning, Nathan. [Nathan Whittacre] Morning, Sherry. [Sherry] So to get started, you know, in your experience, you've worked with a lot of companies. So what do you consider to be the biggest threats when it comes to employees and cybersecurity? [Nathan] So we often say as cybersecurity professionals that the employees are the biggest risk, and it's because of the actions that they take.
00:00:57:15 - 00:01:24:27
You know, a lot of times, you know, employees are thinking that they're doing the right thing or they're going through their normal workday. And hackers are aware of, you know, what different employees inside the company do. And so they assess what the employees do on their regular workday, and they can specifically target the employees with spear phishing attacks or, you know, different social engineering attacks.
00:01:25:05 - 00:02:02:20
They get employees to do things that they don't necessarily or would do on their own. And it's very common. It happens a lot, whether it's through emails or phone calls, even letters. You know, hackers are figuring out ways to get employees to do things that they shouldn't do. And it is still the biggest vulnerability for companies to date, probably bigger than anything else. [Sherry] And what liabilities do employers face when it comes to employee security breaches?
00:02:02:20 - 00:02:25:17
And does it make a difference if they've provided training that employees aren't following or something like that? [Nathan] So, I mean, when we look at risk inside companies, and I've spoken to different insurance brokers and insurance agents about this, and you know, you think, you know, the insurance companies are very well aware of what's going on in the industry.
00:02:25:19 - 00:03:06:11
And they look at it kind of two different ways. When insurance companies are providing coverage for companies, they're often providing either employee liability or employee theft insurance or on the other side, cyber crime or cyber liability insurance. And the cyber crime insurance is usually there for the attacks against the systems. So preventing, you know, a vulnerability a hacker gets in through a port on a firewall or through an unpatched server or some other technical way that they're getting into the system.
00:03:06:13 - 00:03:40:21
But the employee liability or employee theft insurance is when hackers are able to get employees to do things that they wouldn't necessarily do, like I mentioned. So, for example, if an email comes in to a user and the user clicks on a link that they shouldn't, let's say the email says, you know, I am XYZ Manufacturing Company, here's an invoice for the products that we shipped, and maybe it's a vendor that this company generally works with.
00:03:40:21 - 00:04:14:24
And so the accounts payable person gets the invoice, opens the PDF, and then, you know, puts it into their system to pay along with the link to pay it, and then the employee ends up clicking on a link that doesn't go to XYZ vendor, it goes to some other payment processing site. The employee puts in a credit card or maybe ACH transfer information, and then suddenly the hacker has credit card numbers or bank account information and is able to withdraw funds or charge funds or whatever it may be.
00:04:14:24 - 00:04:37:04
And with that type of hack, it might be quite a while before they realize that that money didn't actually go to that vendor. And a lot of times, especially with ACH or wire transfers, you know, you only have a few days potentially to get that money back. There is some more recourse with credit cards, but in the end, it's the employee that made the mistake in that instance.
00:04:37:06 - 00:05:20:20
And so that employee after an employee liability insurance is what covers it. So the insurance companies look at it as the employees are making the mistake and causing the problem. And I think the biggest risk, you know, with your second part of the question is what happens if you're not providing training or if you're providing training and the employees aren't doing it and I think, you know, insurance companies or compliance in general, as Leia and I talked about a couple of weeks ago, you know, when you look at compliance, most of the regulatory agencies are looking to you as a company of what kind of plan you put in place, and then they'll judge you
00:05:20:20 - 00:05:58:27
by how well you're following that plan. So if you tell the insurance company or you tell the regulator that you train your employees, you have annual training, weekly training, monthly training, whatever you decide to do to keep you compliant, and then you as a company don't follow through to ensure that training is happening, the insurance company may deny coverage or you may be liable for some type of failure of complying with that regulatory compliance, even though, you know, maybe you had that plan in place, you had the systems in place.
00:05:58:27 - 00:06:24:13
But if you aren't ensuring that you're in compliance with your own plan, then you're much more liable than if you didn't obviously put that in the plan at all. So it's important that whatever plans you put in place, you're following through with those plans and ensuring that the employees are getting the right training.
00:06:24:16 - 00:06:47:21
Now, if you have a plan in place and you have the training offered, you have the training enforced, and the employee still does something wrong, that's where insurance will kick in or that's where you might get a slap on the wrist from a regulatory agency. But you're doing everything you can. You can't eliminate all risks, but you can mitigate them.
00:06:47:21 - 00:07:00:08
And if you're doing everything you can to follow an approved plan and you still fall victim, then you're in a much better position than you would be otherwise.
00:07:00:10 - 00:07:31:13
[Sherry] Along those lines, what do you think an employer could do to kind of foster that culture of staying vigilant? Because sometimes you start something and everybody's enthusiastic, but as time goes on, people get lax. What steps do you suggest to keep that going long term? [Nathan] I think you have to have a champion in your organization that really understands what needs to happen and is fully committed to ensuring that it happens.
00:07:31:13 - 00:07:53:15
Because if you put a plan together, a great plan, and, like you said, just follow it for a little bit or put it on the shelf and you don't have anybody following through, you know, 99% of the time the training will fall off. And so you have to have somebody inside your organization, especially if you're dealing with employees.
00:07:53:15 - 00:08:17:19
You know, maybe it's your internal H.R. person or your controller or somebody inside the organization that has the authority to enforce those. And they're pulling reports and they're ensuring that that's followed up. And without that follow-through, I can tell you that employee training is not going to happen, because it is an expense of time and cost to the company.
00:08:17:21 - 00:08:47:24
But it is so important to have it in place. [Sherry] And how can an employer go about developing this type of plan? [Nathan] So there's a lot of companies out there that offer software and systems that provide the training, that provide feedback and reporting on the training. Stimulus has worked with a company, and it's part of our security plans.
00:08:47:26 - 00:09:14:29
We offer that training because we feel that it's so essential that, you know, if there's a company out there, there's a lot that doesn't have our systems work where you should. But if you don't, there are a lot of companies that offer this type of service directly to companies for a cost. I also recommend, you know, if you're in specific industries, maybe look for a company that has specific training for your industry.
00:09:15:01 - 00:09:40:22
You know, if you're a CPA or if you're an attorney or a car dealership or whatever it may be, there may be specific training that needs to happen for that industry. And so look for a vendor that provides that. But, you know, any type of training is better than none. A lot of the compliance requirements require some type of recurring training; it probably should be more than annual.
00:09:40:24 - 00:10:05:19
We offer up to a weekly training service. So I think the more often you're in front of people, the better. But you know, maybe the cadence is either monthly or quarterly, minimally, and then have some Q&A possibilities. You know, companies that can come in and do some questions and answers with employees, because sometimes, you know, employees may have specific questions around it.
00:10:05:19 - 00:10:24:07
So, but, you know, don't try to do it internally. Putting these materials together is a very onerous task. And there's a lot of companies that specialize in that. [Sherry] That was going to be my next question. So as far as, like, you know, you want to be prepared for something, especially if you have to deal with insurance.
00:10:24:09 - 00:10:45:25
So if you do want these training programs, does that help you document that you're providing this education to your employees? [Nathan] It does. And a lot of the insurance companies, we have to help our clients fill out their attestation forms or their renewal forms all the time. And we're seeing more and more that employee training is required.
00:10:45:25 - 00:11:10:21
If you're not providing employee training, you may or may not be able to get insurance. And if you still can get insurance, it's probably higher premiums. So just having this training in place probably would reduce your cost overall of getting insurance, because you're providing that training. And if you don't, then you may or may not be able to get insurance anymore.
00:11:10:28 - 00:11:34:28
The other thing, like I mentioned in the beginning, if you say that you're providing the training and you're really not, if you don't even have a plan and you're just checking that box and say, Oh, we have a luncheon once a year or something, and we talk about, Hey, don't click on links, and that's your training. I can almost assure you that the insurance company would have a hard time paying out a claim if that's all that you're doing and you're calling that employee training.
00:11:34:28 - 00:11:57:18
So you have to have a, you know, a realistic program that's providing enough information to your employees to give them the ability to help prevent attacks. [Sherry] I can imagine that the training would involve, you know, kind of keeping up with the latest attacks, rather than somebody who doesn't know trying to figure it out on their own.
00:11:57:20 - 00:12:33:01
[Nathan] Yeah, that's, you know, really what's going on right now, too, is, you know, security systems are getting better. Email security vendors are building in artificial intelligence. A lot of companies are putting in 24/7 security monitoring of their systems, using, you know, the industry buzzwords: EDRs, NDRs, all the zero trust. All these things are being put in place. And so hackers are, like, you know, trying to get around these tools today and coming up with sophisticated attacks that actually don't require much technology.
00:12:33:01 - 00:13:02:07
It's almost going back to, you know, pre-technology days, where these hackers are using other methods, whether it's phone calls or even letters, to get into systems without completely bypassing the security measures that people are putting in place inside their companies. So, again, there's multiple ways of getting into companies and getting information.
00:13:02:07 - 00:13:29:13
And these attack vectors are getting much more complicated. So employees really need to be aware of what's happening today and not what just happened, you know, five years ago. [Sherry] When it comes to the insurance, is this standard for any business owner? Have you encountered businesses who don't have the proper insurance in place if they are breached? [Nathan] So we interview companies.
00:13:29:15 - 00:13:54:18
Whenever we bring in a new client, we do a security assessment for them. And some of the questions we ask are, do they have employee theft or liability insurance? Do they have cyber crime insurance? And I would say especially the smaller businesses, a lot of them do not have these coverages in place. You know, they're thinking that their general liability insurance.
00:13:54:18 - 00:14:19:07
You know, they have a policy with a million or $2 million worth of insurance and an umbrella policy in place. And that's good enough. And really those general liability coverages are about, you know, the stuff you have, you know, your office being broken into or your equipment being destroyed. But they have exclusions for these types of things.
00:14:19:09 - 00:14:43:02
So I would highly recommend talking to your insurance agent to review your coverages, make sure that you have those two, the cyber liability and the employee theft insurance, because so many businesses don't have those. And whether you're one of them, you know, one owner just running it by yourself, or, you know, hundreds or thousands of employees, I think all businesses need to have some type of coverage.
00:14:43:02 - 00:15:09:00
And it's relatively inexpensive, especially if you have these security systems in place. You know, it's worth a few hundred dollars or a few thousand dollars a year to have this type of coverage in place. [Sherry] And what should an employer or business owner do, kind of at the beginning, to decrease the likelihood of, you know, employee security breaches?
00:15:09:07 - 00:15:45:05
Should they check into employees beforehand? Is there, like, a background check that would give a signal? [Nathan] So there's a couple of things you can do as an employer from a background check perspective. I'm not an H.R. professional. I've talked to, you know, our background company that we use. You know, obviously as a company, you want to make sure that there's no prior theft issues on their background check that would come up in court records and things that you pull.
00:15:45:08 - 00:16:12:10
So that's actually a legitimate employee theft. The other thing is, as you know, there's worker's comp claims and things that could come about, but it's really hard from a background check perspective to see if there was cyber crime that they were involved with in the past, unless they were the ones conducting it. What you can do, though, is do some searches online about, you know, their information that might be available.
00:16:12:10 - 00:16:50:07
Because, you know, me as a business owner, I'm a higher target than somebody that's maybe working as a technician in my company or a salesperson or something like that. So there's definitely different risks depending on what level inside the organization. Obviously, you know, your accounting team is a high target. And what you can do is look to see, especially for existing employees, is do dark web searches on email addresses and on their accounts, to see if their information is available and or been sold out there.
00:16:50:10 - 00:17:19:29
And, you know, the major websites have been hacked over the years where information exists: LinkedIn, Facebook, MailChimp, you know, these places that aggregate a lot of information and places that we put information have been compromised, or at least their data is easily scraped so that they can build a profile on specific individuals. So I think it's important to monitor that dark web and see, you know, for your employees, existing employees and maybe even potentially future employees.
00:17:19:29 - 00:17:45:06
And if their information is out there and available, because what the hackers are doing is building these complex attack vectors and at employees to decide, okay, what information do we have and how can we use that against an organization? We're going to be doing a webinar here, kind of going through this in depth on social engineering and understanding what these attacks look like.
00:17:45:06 - 00:18:20:29
So watch out for that. You can look on our Web page. We'll be posting that here soon, some recordings of that. But it's really interesting. These hackers take this information, build these complex spear phishing attacks against individuals using old methods like phone calls and, you know, like basic text information that they're gathering from individuals, and then building these sophisticated attacks, because that's how they're getting into organizations today and completely around all the security tools that we put in place.
00:18:21:01 - 00:18:47:20
[Sherry] It's interesting and might not be something a lot of people think about. Any final thoughts on what employers and business owners can do as far as employee security breaches, as we wrap up? [Nathan] Yeah, I think, you know, there's this theory about default to truth, and as humans, we want to trust individuals on the other side of a phone call or an email.
00:18:47:22 - 00:19:15:19
And, you know, we're always so busy. So we process things very quickly. We get an email, looks legitimate, we'll process a payment or whatever it may be. And I just encourage people to train your teams to slow down a little bit, verify information. You know this old adage of, like, if you get a bill that doesn't look quite right or something that happens, don't just call the number on that invoice or that bill.
00:19:15:19 - 00:19:46:26
You know, go back to the root. You know, if you have a contact number for a vendor or credit card company or a bank, call that number. Just take a moment to slow down and have a little less trust. Unfortunately, I hate saying that. But, you know, in business, you know, just assume that something that you're getting is not legitimate or could be wrong and just, you know, verify, whether it's a bill from a vendor, verify that's a routine bill that you pay.
00:19:46:28 - 00:20:13:03
If it looks out of the ordinary, contact the vendor directly through your normal lines of communication. Internally, you know, if an employee sends you something that feels a little off, contact them directly. Don't just reply to an email, you know, pick up the phone and call them. Just taking that extra moment to verify the information and ensure that it's accurate makes a big difference.
00:20:13:03 - 00:20:46:25
So I'm just encouraging everybody to train your team to slow down a little bit on this stuff, especially dealing with money. And, you know, that will prevent a lot of attacks, just by slowing down and verifying information. [Sherry] All right. Well, thanks so much, Nathan. That was really useful information, as always. And be sure to tune in to our next broadcast.