
Ask the Experts: Requiring Cybersecurity Training | Maryland Benefit Advisors

Question: We are a small company—40 employees. Are there policies we should have in place for cybersecurity? Can we make employee training on cybersecurity mandatory?

Answer: Companies of all sizes are smart to be concerned about cybersecurity, especially in light of the recent WannaCry ransomware attack. There are steps you can take to reduce the risk of data breaches, malware infiltration, and various other security incidents. Employees are your first line of defense, so ensuring that they are trained to identify and report suspicious emails and other security threats is important. The decision on whether cybersecurity training should be mandatory is yours. You can consider assigning employees a training course and allowing them ample time to complete it, or adding it to new employee onboarding activities.

It’s a good idea to train employees to:

  • Be skeptical—if they receive an email, view a webpage, or see a social media post with a too-good-to-be-true offer, they should think before clicking.
  • Report suspicious emails—give employees concrete information on how to report emails that may be phishing (attempts to get employees to share confidential or sensitive information) or fraudulent.
  • Ask questions like:
      • Do I recognize the sender’s email address?
      • Do I recognize anyone else copied on the email?
      • Is the domain in the email address spelled correctly, or is it simply close to the actual URL (like versus
      • Would I normally receive an email from this individual?

Remind employees that they should never click on a link in an email or open an attachment until they are absolutely certain that the link or attachment is valid. You can consider a simple reminder like “Think! Don’t click!” that you include in informational emails about cybersecurity.

Finally, we do recommend having a published cybersecurity policy. Include it in your employee handbook and be sure to review it with current and new employees. Your policy should include guidelines for:

  • IT assets and mobile devices.
  • Access control.
  • Maintenance of antivirus software.
  • Contractors, vendors, and outsourcing.

In addition, the policy should include information about the repercussions of noncompliance.

Originally published by

What Employers Should Expect in Cybercrime | Maryland Employee Benefits


Cybercrime is an industry—and a very profitable one at that. The FBI estimated that just one component of the cybercrime industry, ransomware, generated $209 million in revenue during the first three months of 2016, putting it on pace to be a $1 billion business by the end of this year. Based on that, DataGravity estimated that just this component of the cybercrime industry is more profitable than 69 percent of the companies on the 2016 Forbes Global 2000 list.

So, where is cybercrime headed over the next year? We, at Osterman Research, believe that changes in this industry are most reliably predicted with a “follow the money” approach: businesses represent a more lucrative source of income for many cybercriminals and so are more likely to be attacked than individuals. Consequently, here are four key areas in which we think cybercriminals will ramp up their attacks during the next 12 months:

1. CEO Fraud

CEO Fraud is a highly specialized form of phishing attack that the FBI estimates has cost US businesses $2.3 billion over the past three years. In one type of CEO Fraud attack, a cybercriminal will send an email to a senior executive in a company, requesting either a wire transfer to a trusted supplier or some type of sensitive data, such as employee W-2 records, often using a bogus domain that is similar to the actual corporate domain. Cybercriminals will study their victims’ websites, email correspondence, the CEO’s travel schedule and other information so as to be as effective as possible in fooling the recipient of the email into complying with the request.

We believe that CEO Fraud will increase because it is difficult to detect using traditional anti-phishing or anti-spam filters, because targets of these attacks often are not sufficiently careful about evaluating these requests, and because CEO Fraud is highly lucrative for cybercriminals. The FBI estimates that a successful CEO Fraud attack generates an average of $25,000 to $75,000 from the victim, but some attacks have netted cybercriminals millions of dollars.
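The lookalike-domain check that both articles describe (a sender domain that is "simply close to" the real corporate domain, as used in CEO Fraud) can be automated at the mail gateway or in a SIEM rule, which is one way to catch what generic anti-spam filters miss. This is an added example, not code from the original articles, ThinkHR or Osterman Research; the trusted domain `example.com`, the From: headers and the homoglyph table are constructed placeholders.

```python
# Added example (not from the original articles): flag sender domains that are
# close to a trusted corporate domain, the lookalike pattern behind CEO Fraud.
# All domains and headers below are constructed placeholders.

TRUSTED_DOMAINS = {"example.com"}  # placeholder: substitute your own domain(s)

# Digit-for-letter swaps commonly seen in lookalike domains (defender-side
# normalisation; extend as needed). str.maketrans needs single-char keys.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Lower-cased domain from a From: header such as 'CEO <ceo@example.com>'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_verdict(from_header: str, trusted=TRUSTED_DOMAINS, max_distance=2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one From: header.

    Exact matches and subdomains of a trusted domain are trusted. Anything else
    is compared after homoglyph normalisation; a small edit distance means the
    domain is close to, but not, the real one. Keep max_distance small for short
    trusted domains, or short unrelated domains will be flagged as lookalikes.
    """
    domain = sender_domain(from_header)
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted"
        if normalised == good or levenshtein(normalised, good) <= max_distance:
            return "lookalike"
    return "external"


def triage(from_headers):
    """Map each constructed From: header to its verdict (what a gateway rule would log)."""
    return {h: lookalike_verdict(h) for h in from_headers}


if __name__ == "__main__":
    for header, verdict in triage(["ceo@example.com", "ceo@exarnple.com", "x@gmail.com"]).items():
        print(f"{verdict:9s} {header}")
```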

2. Spearphishing

Spearphishing is another targeted type of phishing attack, but one that often is used to install malware on a computer used by a senior executive within a company, such as the CFO or CEO. The goal of cybercriminals in a spearphishing attack is to obtain something of value, such as the CFO’s login credentials that he or she uses to access the corporate financial accounts. By installing malware like a keystroke logger on the CFO’s computer, cybercriminals can gain access to financial accounts and withdraw large sums in a very short period of time. Some companies have seen hundreds of thousands of dollars stolen within the space of 30 minutes, and many times the bank that released these funds is not able to recover them.

Although everyone is potentially vulnerable to spearphishing, we believe the most susceptible to a successful attack are smaller organizations that have not invested in employee training and that don’t have the same level of security infrastructure in place to detect spearphishing attacks. We expect spearphishing attacks against these firms to increase.

3. Ransomware

Ransomware is a particularly insidious form of malware that will quickly encrypt all of the files on a computer and render them inaccessible until the victim pays a ransom. It is virtually impossible to decrypt the files once they are encrypted, since cybercriminals normally permit only a small window of time in which to pay the ransom (normally a few days) and the encryption can almost never be defeated. We believe that this will be one of the fastest growing areas of cybercrime for three reasons: 1) ransomware “kits” are available at very low cost, enabling just about anyone to become a ransomware author; 2) ransomware authors can score big wins, as in the case of Hollywood Presbyterian Medical Center that paid $17,000 in Bitcoin to recover access to its files in early 2016; and 3) businesses and individuals often don’t take the relatively simple steps to be able to recover from ransomware or prevent ransomware—namely, having recent backups of their data and being careful about what they click on or open in email.

4. Attacks on things

Finally, one of the big growth areas for cybercrime over the next 12 months will be attacks against things—the so-called “Internet of Things.” These include business security systems, closed-circuit television systems, medical equipment, point-of-sale systems, fuel-monitoring systems, lighting systems, televisions, thermostats, appliances, cars and a host of other systems. Gartner estimates that by the end of 2016 there will be 6.4 billion things connected to the internet, and that by 2025 this number will swell to nearly 21 billion objects. Most of these things are highly vulnerable to attack and can be used to cause damage to more traditional systems, like computers and servers.

So, what can bad guys do if they infect your things? In January 2014, Proofpoint discovered that spammers were able to infect a variety of smart appliances, including a refrigerator, and use them to send 750,000 spam messages. In October 2015, security researchers found that cybercriminals had created a botnet of about 900 surveillance cameras and used them to launch a denial-of-service attack on a major cloud service. In February 2016, Nissan had to disable the app used for its Leaf automobile because it was vulnerable to attack by cybercriminals. And this is just the tip of the iceberg.

In short, these are four key areas that we believe will be major threat vectors for businesses during the next 12 months. While traditional cybercriminal activities like sending spam and phishing attempts will definitely continue, these are four areas about which to be most concerned.

Originally published by ThinkHR