Businesses face growing risk of cyberattacks, financial loss
An unwelcome guest has arrived on the doorstep of the propane industry: cybercrime.
In December, Toronto-based Superior Plus Corp. announced that a ransomware incident had impacted its computer operations.
In a prepared statement, the company said it had taken steps to secure its systems and mitigate the impact to the corporation’s data and operations. Such steps included temporarily disabling some computer systems and applications, and retaining cybersecurity experts to deal with the matter “in accordance with industry best practices.”
To date, Superior added, the company had “no evidence that the safety or security of any customer or other personal data has been compromised. Superior is committed to data safety, is taking the matter very seriously and asks its customers and partners for their patience as it seeks to remediate the situation.”
Costly fraud
Whatever the final resolution of Superior’s systems breach, the incident highlights a larger issue: Cybercrime is on the rise everywhere. Companies need to take effective security steps to counteract a national and global upsurge not only in ransomware attacks but in electronic fraud of all kinds.
While many thieves want money, others want data such as company marketing plans or customer information for identity theft. Losing control of the latter can be especially costly.
“The extent of liability for customer data loss depends on the severity of the incident,” says Diane D. Reynolds, partner at law firm McElroy Deutsch. “Not only may a breach require notification under state and possibly federal regulations but there are also costs involved with the ongoing need to monitor the results of the breach, clean up the system and deal with negative public relations.”
It’s not only large companies at risk.
“Criminals often target smaller businesses because their protections are typically not as strong,” says Mary S. Schaeffer, president of AP Now. “They are likely to have older, unsafe technology and lack the security personnel to keep software updated.”
Fueling the rise in cyberfraud is the growing digitalization of business transactions, a long-term trend given further impetus by a greater reliance on electronic communications during the COVID-19 pandemic.
“Flaws in firewalls and virtual private networks (VPNs), as well as in videoconferencing systems, have exposed more businesses to incursions,” says Robert M. Travisano, an attorney in the litigation practice of Epstein Becker Green.
The rapid expansion of devices on the typical employer’s computer network has given cyber actors still more opportunities.
The pandemic has increased risk in another way: “More people are working at home, sharing business computers with family members,” says Eric Jackson, consultant in the cybersecurity team at Withum. “This has created some serious security breaches.”
Not only do users log on to malware-infested sites they would not access at work, but family members may accidentally open email attachments that install damaging programs.
Wire fraud
Not every cybercrime involves high-tech skills on the part of the thieves. When an employee of a California business received an email apparently from the CEO requesting an immediate wire transfer to a vendor, the transaction seemed routine. Only after the money was sent was it discovered that the vendor was not due such a payment. Worse, the vendor had not received the funds.
An investigation revealed that the request had come from a thief using an email address deceptively similar to that of the targeted company’s top executive. The banking details supplied in the email were those of the crook’s own account in China. Acting quickly, the controller called the overseas bank to see if the payment could be canceled. What he heard allowed him to breathe a sigh of relief: Because the funds had arrived on a Chinese bank holiday, they had not yet been credited to the thief’s account. The company was able to recover its funds.
While that story has a happy ending, most businesses targeted by so-called business email compromise fraud are not so lucky. Of the 11 percent of respondents reporting losing money to such fraud in a recent AP Now survey, only 3.2 percent recovered all of the stolen funds. The fraud is increasing rapidly as thieves have become adept at impersonating C-level executives.
“Crooks know it’s very, very easy for people to miss slight changes in email addresses,” says Schaeffer.
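The lookalike addresses Schaeffer describes can be caught mechanically before a request ever reaches the person who approves payments. The script below is an added illustration, not code from the article or from any of the firms quoted in it. It assumes a small, constructed allowlist of executives permitted to request transfers and of the company’s legitimate domains, and it flags three patterns: a known executive’s display name attached to a different address, a sending domain that is a homoglyph (“acrne” for “acme”) or a near-typo of the real one, and a Reply-To that silently redirects the reply. The sample headers are constructed, and the same checks apply to emails claiming to come from a vendor.

```python
"""Lookalike-sender checks for wire-transfer or bank-change requests.

Added illustration, not code from the article or from any firm quoted in it.
Assumes a constructed allowlist of executives (display name -> address) and
of company domains; names, domains and sample headers are all made up.
"""
import unicodedata
from email.utils import parseaddr

# Constructed allowlist: people allowed to request wire transfers, plus the
# company's legitimate sending domains. Real deployments load this from the
# HR directory or the vendor master file, not from a literal.
TRUSTED_SENDERS = {"pat lee": "pat.lee@acme-propane.example"}
TRUSTED_DOMAINS = {"acme-propane.example"}

# ASCII sequences that render almost identically in most fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize_domain(domain: str) -> str:
    """Fold Unicode homoglyphs and ASCII look-alike sequences to one canonical form."""
    d = unicodedata.normalize("NFKC", domain).lower()
    # Cyrillic letters that look like Latin a, e, o, p, c, x, y, i, j.
    d = d.translate(str.maketrans("аеорсхуіј", "aeopcxyij"))
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(headers: dict) -> list[str]:
    """Return red flags for the From/Reply-To headers of a payment request.

    An empty list means the sender matches the allowlist exactly. Any flag
    means the request must be verified out of band (phone to a known number).
    """
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. A known executive's display name attached to some other address.
    expected = TRUSTED_SENDERS.get(name.strip().lower())
    if expected and addr != expected:
        flags.append(f"display name '{name}' but address is {addr}, expected {expected}")

    # 2. A domain that is not ours but collapses to ours after homoglyph
    #    folding, or sits within two edits of ours (dropped letter, extra hyphen).
    if domain and domain not in TRUSTED_DOMAINS:
        folded = normalize_domain(domain)
        for good in TRUSTED_DOMAINS:
            if folded == normalize_domain(good):
                flags.append(f"domain {domain} is a homoglyph of {good}")
            elif edit_distance(domain, good) <= 2:
                flags.append(f"domain {domain} is within 2 edits of {good}")

    # 3. Reply-To pointing elsewhere, so the employee's reply reaches the
    #    attacker even though From looks right.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    reply = reply.lower()
    if reply and reply.rsplit("@", 1)[-1] != domain:
        flags.append(f"Reply-To {reply} does not match From domain {domain}")
    return flags


# Constructed sample headers (not real messages).
SAMPLES = {
    "legit": {"From": "Pat Lee <pat.lee@acme-propane.example>"},
    "homoglyph": {"From": "Pat Lee <pat.lee@acrne-propane.example>"},
    "typo": {"From": "Pat Lee <pat.lee@acme-propan.example>"},
    "freemail": {"From": "Pat Lee <patlee.ceo@webmail.example>"},
    "replyto": {"From": "Pat Lee <pat.lee@acme-propane.example>",
                "Reply-To": "pat.lee@acme-propane-billing.example"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, assess_sender(hdrs) or "ok")
```

The folding step is deliberately crude: it will occasionally flag a legitimate domain that happens to be within two edits of yours, which is the right direction of error here, since a flag only routes the request to a phone call. Note that these header checks do nothing for a genuinely compromised executive mailbox, where the address is real; the out-of-band callback remains the control that catches that case.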
As those numbers suggest, wire transfers and automated clearinghouse (ACH) transactions are juicy targets for thieves as the business world moves away from paper checks.
“The right procedures can help spot electronic payment fraud before the money goes out the door,” says Schaeffer. “That’s much better than trying to recover what’s been lost.”
The key word is “procedures.” Security experts say most business fraud stems from social engineering – a thief’s skillful engagement with a company employee.
“Social engineering is responsible for 70 percent to 90 percent of all successful digital breaches,” says Roger Grimes, a consultant at security firm KnowBe4. “Yet, the average company spends less than 5 percent of its cybersecurity budget to fight it.”
Training the staff in preventive procedures can nip such fraud in the bud. One effective policy is the requirement that wire transfers be validated out of band, through a channel other than the email that carried the request.
“Validation should be done by either picking up the phone and calling the executive using a known number, or if feasible by walking over to that individual’s office,” says Schaeffer.
The pandemic has made this kind of verification more difficult.
“Calling and verifying sounds easy in the abstract, but it can be exponentially more difficult when people work from home,” says Schaeffer. “Sometimes the right person is not readily available because of their schedule.”
Adding to the risk is the fact that home workers often have less than ideal technology.
“Accounts payable people have become accustomed to using two screens,” says Schaeffer. “When they get sent home, they may only have a laptop with a single small screen.”
The result of this technology mismatch can be costly errors.
“Just trying to enter data by going back and forth between applications takes longer and can create confusion,” adds Schaeffer.
The above conditions can lead to security breaches when targeted employees are pressured into quick action.
“Thieves will often request transactions when they know people are more likely to be overworked or harried,” says Schaeffer. “Employees need to be warned to be alert for such requests that come in late on a Friday afternoon, at the end of the month or anytime when thieves think they can trick somebody into failing to properly verify a transaction.”
Protect accounts
Good procedures can also guard against a variation of social engineering in which a caller, pretending to be a customer, requests bank routing numbers to pay an invoice.
“People are often only too happy to give out such information because they want to receive money,” says Schaeffer. “However, rather than using the provided information to wire funds into the account, the thief wires funds out.”
Businesses can reduce the risk of this kind of wire fraud by requiring that bank account information be given out only by designated individuals, and only after they call the paying company back on a known telephone number.
“Another solution is to establish one bank account dedicated to wire transfers, and use it only for inbound transactions,” says Schaeffer. “At the end of the day, money from that account can be swept into the business’s regular account, which the bank has flagged to reject any wire transfers.”
In a reversal of the above fraud, a thief pretending to be a vendor will send an email providing routing and account numbers for a new bank account to which all future payments are to be made. The account, of course, belongs to the thief.
“This type of fraud is exploding, and I cannot caution you enough to be careful,” says Schaeffer. “You need to get to the right person to verify that the request is legitimate.”
Again, verification should be done over a voice line using a known telephone number.
Schaeffer cautions that calling to verify changes in bank accounts or email addresses will only work if a company’s records are accurate.
“It’s more important than ever to enter valid contact information in the master vendor file when it’s first set up, and then update it regularly.”
Wire transfers are not the only electronic payment method at risk. Thieves who obtain a company’s account and routing numbers can also initiate unauthorized ACH debits against it. Banks offer a number of services to stem such losses. An “ACH block” prohibits all ACH transactions on a specified account. An “ACH debit block” prohibits only debits, that is, transactions initiated by a payee. An “ACH filter” allows ACH debits only from originators on a designated list. An “ACH alert” triggers a notification when an ACH debit arrives, so that a staff member can accept or reject it before it posts.
“I suggest putting ACH debit blocks on all accounts where debit activity is not needed,” says Schaeffer. “Limit ACH debit activity to one or two accounts, and check those accounts each day. Businesses have 48 hours’ time to notify the bank of any unauthorized transaction.”
Damaging malware
Experts also suggest businesses take the following measures to reduce the chances of being hit with ransomware, a form of malware that encrypts a company’s data and demands a costly payment to restore access, increasingly coupled with a threat to publish stolen business information if the ransom is not paid:
1. Beware of malicious emails. Phishing emails trick recipients into clicking a link to a malicious website or opening a booby-trapped attachment. The result can be stolen login credentials or the installation of malware, whether a keylogger that captures online-banking credentials or the ransomware itself.
Solution: Train employees to treat unexpected emails with suspicion and to report them rather than click.
2. Update hardware. Old computers and routers that no longer receive firmware updates offer easy entry points for hackers. “Anything older than, say, 15 years was designed without security in mind,” says Jackson.
Solution: Replace old equipment with models that still receive security updates from the manufacturer.
3. Patch software. Outdated versions of operating systems and office programs carry publicly known vulnerabilities that attackers scan for. “Unpatched software is involved in 20 percent to 40 percent of all digital breaches,” says Grimes.
Solution: Apply vendor security patches promptly and keep operating systems and applications on supported versions.
Insurance policies
No business can eliminate the risk of cyberfraud. The right insurance, though, can lessen the blow when a breach occurs.
“Insurance can protect businesses from so-called ‘first party risk’ of their own losses,” says Reynolds. “Policies can also protect against losses to third parties such as customers and vendors, obviating lawsuits against the insured company.”
Even the best insurance policy is no substitute for operating procedures that help stop cybertheft in its tracks. Employees from the CEO on down need to be trained on the most effective responses to these thieves.
“The one piece of advice I have is to be suspicious,” says Schaeffer. “Make sure everyone knows that if something looks a little odd, or if someone asks for something out of the ordinary, speak up. It’s better to go overboard on security than to go the other way.”
Reducing risk with cyber insurance
While no business can eliminate the risk of cyberfraud, insurance can soften the blow when a breach occurs. Many common commercial general liability policies already address some areas related to digital transactions. Security experts, though, advise seeking better protection.
“Cyber coverage in existing property policies is often limited,” says Robert M. Travisano, an attorney in the litigation practice of Epstein Becker Green. “Moreover, policies can differ from carrier to carrier. It makes sense to shop around for a dedicated cyber policy.”
The typical cyber policy will cover money lost to cyber thieves. In the event of customer data loss, policies may cover breach notification, credit and fraud monitoring services, and the costs associated with restoring and recreating data, as well as with hiring a public relations firm.
Especially important is coverage for business interruption.
“Statistics show that most businesses are not back to normal operations for at least one month after an attack,” says Diane D. Reynolds, partner at New York-based McElroy Deutsch.
Even the best dedicated cyber policies may have potentially costly coverage omissions.
“Insurance companies, God bless them, are really good at writing policies that are very precise and cover you for exact things,” says Mary S. Schaeffer, president of consulting firm AP Now. “If you haven’t checked your policy closely, you may not have the coverage that you think you do.”
And what seems good coverage at one point may not look so attractive down the road.
“As cyberattacks evolve, so will insurance,” says Jessica Averitt, a partner in the Houston office of law firm Baker McKenzie. “Companies need to review their policies to ensure adequate coverage in the post-COVID-19 world. For example, a few years ago provisions related to ransomware were rare. But after some recent high-profile attacks, such coverage is more common.”
Cyber policies can carry benefits that go beyond coverage categories.
“The insurance agency will get you in touch with expert incident response brokers who will get you back up and running as quickly and cheaply as possible after an attack,” says Roger Grimes, a consultant at security firm KnowBe4. “The insurance agency works with them because they are experts and they know how to do this better than anyone – and the insurance company saves money by using the best.”
The good news is that more carriers are entering the field of cyber insurance, increasing the competition for customers and helping improve terms and premiums. With a decade or more of loss history to analyze, carriers are fine-tuning their premiums to make policies more attractive.
“I have not seen any policies in the past year or so that I thought were overpriced,” says Reynolds.
An important caveat: A claim under a cyber policy may be denied if the covered business cannot demonstrate that it complied with the security controls it attested to when the policy was written. Insurance companies are tightening the screws in this area.
“We are seeing more carriers who will not even issue policies unless a business has security controls validated by a third party,” says Eric Jackson, consultant in the cybersecurity team at Withum. “And when an incident occurs, carriers will often send inspectors to investigate the insured’s security posture before paying a claim.”
Cyber defense quiz
How solid is your cybersecurity program? Find out by taking this quiz. Score 10 points for each “yes.” Then total your score, and check your rating at the bottom of the chart.
1. Have all personnel been trained on security protocols, including correct handling of suspicious emails?
2. Do changes in a vendor’s or customer’s bank account information for e-payments require verification by voice telephone call to a known number?
3. Do you require non-email validation of wire transfer or ACH requests?
4. Have you established one bank account dedicated to wire transfers and blocked such transfers on all other accounts?
5. Have you limited ACH debit activity to one designated account?
6. Have you established ACH filters, blocks and alerts where appropriate?
7. Do you regularly update vendor master files?
8. Have you replaced hardware older than 15 years?
9. Do you regularly patch software programs?
10. Have you taken out a comprehensive cyber insurance policy?
What’s your score?
- 80 or more: Congratulations. You have gone a long way toward securing your company funds and data.
- Between 60 and 80: It’s time to fine-tune your security procedures.
- Below 60: Your business is at risk. Take action on the suggestions in the accompanying story.