What is the value of your identity? We rely on it every day during interactions that involve building credit, making purchases, and signing off on significant transactions. As a CEO or high-level company officer, your identity allows you to perform similar functions on behalf of your organization. That makes it extremely valuable to hackers looking to exploit that persona for gain.

Most vendors will approach companies with solutions promising to relieve all of their security concerns. The problem is that hackers' techniques evolve alongside technology, which presents a daunting challenge when it comes to keeping up with the latest threats.

Instead of focusing so much on finding one-shot or hands-free solutions to security, we believe in promoting a different mindset. Arming your workforce with valuable business-centered knowledge around the threat of bad actors can do more to protect you than the most advanced network tools.

An Organic Approach to Cyber Fraud Awareness

The ultimate goal for businesses should be creating security awareness throughout all levels of their organization. Your technology solutions should build on that knowledge and reinforce vigilance in protecting company data and finances. We are going to go through a few industry use cases and discuss how better awareness could have prevented the situations.

Use Case #1: Exploiting Familiarity

Once someone has our trust, we become very easy to exploit. It could be a parent, or, in the case of a manager, the vice-president or company owner to whom they directly report.

Jane, a hard-working employee at a non-profit, received an email while on vacation from her boss, Mary. Mary needed her to wire $20,000 ASAP. Not wanting to neglect her duties, Jane forwarded the email to her assistant and directed her to send the money to the bank account in the email. The money made it into the account as directed.

Long story short, Mary never sent Jane an email, and the money ended up somewhere in Ghana, never to be recovered. What went wrong?

  1. Jane never questioned the email request and the lack of details around why they were sending the money.
  2. Her assistant never questioned Jane and just followed orders.
  3. There were no controls in place requiring validation for the payment or to check if the account was a valid one for the business.

Improved technology could have weeded out a spoofed email account and prevented the item from ever reaching Jane’s eyes. But any one of the above actions could have prevented cyber fraud.

Here are a few actions that could have stopped the situation even without advanced analytics or other security measures.

  1. The non-profit could have had a policy in place governing valid bank accounts for business use.
  2. Employees at all levels should have been given regular, comprehensive education on asking questions about unusual expenditures and on protocols for confirming payments with the person making the request.
  3. Payments over a certain amount should require some secondary validation.

As you can see, none of these suggestions require spending a lot on a new product from a vendor. Old-fashioned vigilance and business awareness could have stopped this theft in its tracks.

Use Case #2: Exploiting Your Identity

As we said at the start, identities are a valuable commodity for hackers. That is something Drake, owner of a T-shirt export business, found out the hard way. After years of steadily working to build his reputation, he was finally at a point where he expected to start turning a significant profit.

After going through his P & L ledger one day, he discovered that he spent $100,000 more on supplies than expected. Some deep digging turned up $132,000 in payments to a supplier he did not recall using for any orders. A conversation with his CFO revealed that they authorized the payments after receiving an email from Drake confirming the orders.

Unlike with Jane, this was not a case of fooling the CFO with a single spoofed email. Hackers successfully obtained control of Drake’s email accounts and used them to set up a trail of correspondence between themselves and Drake’s email to deceive the CFO. On examination, the emails would appear legitimate.

The complexity of Drake’s case ultimately boiled down to his being unaware that hackers were sending correspondence under his name. His case also exposes a critical flaw: the frequent reliance on electronic communication for business transactions.

A phone call to Drake from the CFO before cutting the check could have ended this quickly. Drake could also have made a habit of checking his outgoing correspondence for any unauthorized emails.

Don’t Get Laser-Focused on Technology

We focused on these use cases to highlight how much we rely on technology when it comes to warning us about threats, and how it can let us down. That has led to companies losing millions each year as they continue falling prey to socially-engineered security threats.

Orange Crew believes strongly in the value of good security architecture. We believe even more strongly in our role as proponents of security education within organizations. It takes more effort than sending out a computer-based training (CBT) course once a year for employees to dutifully check off as having completed. There needs to be continuous engagement on reinforcing best practices at all levels when it comes to knowing the company and standard policies around data and financials.

Your security partner should be committed to helping your workers understand the impact they have on security, not just on figuring out how to configure the controls on the latest protection software. Some approaches your organization could take include:

  • Making sure developers receive training on validating third-party applications integrated into company software
  • Educating data professionals on the configuration of cloud-based infrastructure and laying the groundwork for always following best practices
  • Underscoring the financial risks that come with cyber leaks
  • Making collaboration on security concerns across departments part of the company culture

Are you interested in learning more about how you can protect your company from real-life cyber fraud and other security threats? Contact Orange Crew at (888) 670-5066.