May 8, 2019
Don’t Be the Victim of a Nigerian Prince
You wouldn’t knowingly send money to a Nigerian Prince, but ransomware and phishing attacks are becoming more sophisticated. Smaller companies are especially vulnerable.
By now, everyone who has heard of the Nigerian Prince emails knows they’re a scam. You’re told you just need to pay the so-called prince a small advance fee for helping him make a transfer of millions from his Nigerian bank account to yours and he’ll reward you handsomely. Of course, after you pay the advance fee, there will either be more small fees to pay or you’ll never hear from him again. Or he may even steal everything in your account!
Believe it or not, variations of this, known as the “advance fee” scam, are still alive and well. According to Uzi Scheffer, CEO of cyber security firm SOSA, there are two reasons small businesses are especially vulnerable to this and similar “phishing” scams.
- Since large companies are usually better at protecting themselves against cybercrime, scammers see small firms as the path of least resistance.
- Small firms usually don’t have a formal internet security policy, making them even easier targets.
Attacks are getting more sophisticated
Regardless of the type of phishing expedition involved, about two thousand cases of banking malware attacks take place every day in the U.S. alone, stealing financial data without the user even knowing. Using malicious software, called malware, embedded in e-mail attachments like documents, hackers nest themselves into their victim’s financial data. Once they’ve settled in, they need only about 10 minutes to steal or, as with ransomware, cause financial mischief.
Ransomware results from downloading infected files that were attached to an email or obtained from suspicious websites. The ransomware then locks the device it was downloaded onto until a ransom is paid.
There are numerous kinds of sophisticated threats like these out there. Scheffer recommends that every business, large or small, should take the following steps to lower its risk of falling victim to a cyberattack. General policies should be implemented first, followed up with a routine of taking certain simple precautionary actions on a regular basis.
General policies:
- Adopt a cyber security strategy. Almost every business now makes sales online, even small brick and mortar operations. To ensure even the most modest platform is properly protected, there should be a clear set of directives regarding what should and should not be done online, how to make the devices secure, etc.
- Identify your system’s vulnerabilities. This is often part of the underwriting evaluation when purchasing cyber insurance. It’s also often a good idea to bring in a professional to point out how best to reduce cyber risks. Unfortunately, only a small percentage of small business owners bother to hire a consultant for such an assessment, but doing so will most likely pay off big in the long run.
- Diversify security measures. Since there are many different types and sources of threats, no one tool can provide a complete defense. You need to deploy a combination of tools, including firewalls, spam filters, automatic data encryption, backup and more.
Regularly scheduled action items:
- Make sure employees are trained in basic cybersecurity measures. Studies show that 90 percent of all cyber security breaches are the result of human error, primarily from non-IT staff members. To minimize threats, staff members should know how to implement the firm’s cyber security strategy, how to recognize online threats such as suspicious e-mails, how to identify if a device has been hacked, etc.
- Ensure cybersecurity tools are updated on every device used in the business. This should also apply to laptops and mobile devices that are often connected via external Wi-Fi networks.
- Download software updates for your operating system and applications. OS and app providers regularly issue patches for newly discovered security threats, which must be installed as soon as they are available.
- Back up important data in multiple locations. With the rapid growth of cloud computing, this has become a relatively easy step to take to ensure that a breach in one site will not cause irreversible damage to the rest of your business.
- Enforce strict employee access procedures. Employees might find some of these rules a nuisance, but you should stress how important they are for maintaining the integrity of what is, given all its vulnerabilities, a very fragile system. Make sure every staff member has their own user name and password. Passwords must be changed regularly and must be complex. Hackers have tools for discovering commonly used passwords (12345, abcde, etc.) in a matter of minutes. Physical access and authorization to download software need to be limited as well.
“Even if you take all of these steps, there is, of course, no guarantee that your company or store won’t fall victim to a cybercrime,” says Scheffer. “Perhaps the most important element that needs to change is the false sense of security. Many business managers and owners are complacent, which is exactly what hackers are counting on.”
Of course, even with a good cyber security plan in place, your business still needs a failsafe to protect it against cyber risk. So, please be sure to read our Cyber Liability Insurance Policies article.