CIOReview
AUGUST 2017

fraudster initiates contact with the closing professional and poses as the receiving bank for the wired funds, often using a false name to increase the legitimacy. The fraudster confirms that the funds were sent to an account flagged as suspicious and assures the professional on the other end that the funds will be returned within a few days. This often tricks the professional into not contacting the actual receiving bank to freeze the funds, and gives the fraudster sufficient time to move the funds to another account or source.

As a business owner or a member of the leadership team at a large organization, what can you do? Talk about these schemes with your finance department, HR and your CEO. Ask them to be suspicious of emails that seem out of the ordinary or that come from unusual email addresses. If you get one, don't hit reply; pick up the phone and call. Create a culture where caution is encouraged. Consider implementing dual authentication for money movement (wires, ACH, etc.) above certain thresholds. Verify changes in payment information for vendors and suppliers. Be judicious with the information about your company and employees that is available online. Finally, have a response plan for what you would do, quickly, if you do fall victim. This should include your bank and also law enforcement.

Security "Hygiene"

Business Email Compromise and wire transfer fraud are just a couple of the cyber risks that businesses face. With threats changing daily, we recommend you implement good security "hygiene." These additional tips are meant to help you prevent an attack and, if one does occur, to get back to business quickly:

1. Implement the Basics

Smaller businesses may not always have the luxury of a large information security budget. Use your resources wisely and take these basic, low-cost steps.

· Maintain security patches: outdated systems are extremely insecure
· Remove or strictly control administrator/privileged accounts or access rights
· Use "strong authentication" (e.g. one-time PIN tokens) for remote access to the network or remote email
· Ensure anti-malware controls are in place for email, servers and workstations
· Log and monitor systems and networks

2. Educate End Users

Training the end users, your employees and your executives, is paramount. Teach employees what kinds of emails and hyperlinks to avoid, what type of passwords (or stronger authenticators) to use, and what information should never be sent over email. Remember that to keep pace with emerging cyber threats, employee education must evolve constantly.

3. Have a Game Plan

Every business needs to have plans and protocols in place before an incident occurs. Response planning and recovery drills ensure that all relevant parties are notified of an incident and know what to do when it happens. Include your counsel, communications team, executives, Board and law enforcement partners when planning and exercising your plan. You can file a complaint with the FBI at IC3 if you've been targeted by BEC or another scheme.

4. The Buck Stops Here

Assign one person, by name, to be accountable for your information security program. For smaller organizations, this might be an added responsibility for an existing person. That person needs to understand your risk tolerance and ensure controls are put in place to keep risk within it.

5. Stay Engaged

The cyber landscape changes daily. Join an Information Sharing and Analysis Center if your industry has one. Threats are all around us, every second of every day. Cyber security risks continue to grow in scale and sophistication. Start with these basics. While I have the role of chief cyber security officer at my organization, it is really everyone's job to protect the safety and soundness of our customers' information.
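The advice above to treat out-of-the-ordinary senders with suspicion and to verify by phone rather than replying can be backed by a simple mail-gateway check. The script below is an added example, not code from the article or its author; the domain, executive list and sample headers are constructed, and it flags display-name impersonation, lookalike sender domains, Reply-To redirection and, on top of those, money-movement wording in the subject.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and the
# executives whose names a BEC lure typically borrows for the display name.
OUR_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
MONEY_WORDS = re.compile(r"\b(urgent|wire|transfer|payment|invoice)\b", re.I)

def levenshtein(a, b):
    """Edit distance, used to catch domains a character or two off ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(msg):
    """Return the BEC warning signs found in one message's headers."""
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display name impersonates an executive")
    if sender_domain != OUR_DOMAIN and levenshtein(sender_domain, OUR_DOMAIN) <= 2:
        findings.append("lookalike sender domain: " + sender_domain)
    if reply_domain and reply_domain != sender_domain:
        findings.append("Reply-To routes replies elsewhere: " + reply_domain)
    # Money or urgency wording is too noisy alone; it only escalates a header anomaly.
    if findings and MONEY_WORDS.search(msg.get("Subject", "")):
        findings.append("urgent money-movement language in subject")
    return findings

# Constructed sample headers: three BEC lures and one legitimate message.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example-c0rp.com>", "Subject": "Urgent wire transfer today"},
    {"From": "Jane Doe <ceo.office@webmail-example.net>", "Subject": "Quick favor"},
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Reply-To": "jd@mail-example.org",
     "Subject": "Updated payment details for our supplier"},
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Subject": "Q3 board deck"},
]

def triage(samples=SAMPLES):
    """Index each sample to its findings; an empty list means no signal found."""
    return {i: bec_indicators(m) for i, m in enumerate(samples)}
```

Any message with a non-empty finding list is a candidate for the "pick up the phone" rule before anyone acts on it.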
Jason Witty