Scary Cyber Stories: Lessons from the Field (Part 2)

Cyber and information security breaches have been on the rise for the past several years, but due to the COVID-19 pandemic, such events have accelerated. With increased remote work and high employee stress levels, cyber criminals are taking advantage of vulnerabilities. In order to help organizations overcome emerging challenges and support them in their journey toward increased cyber readiness, we are sharing a series of scary cyber stories throughout October in recognition of Cyber Security Awareness Month. Don’t let these scary cyber crimes happen to your organization!

In part one of our Scary Cyber Stories series, we shared a cyber-related client story about how hackers were able to penetrate the company’s systems due to IT system weaknesses. This week’s story also involves a client that experienced a breach. However, this time the breach was not due to weaknesses in the client’s IT systems. Instead, it was caused primarily by human error.

Your employees are your single most important cyber risk element. Having updated IT systems is critical, but if employees click the wrong link or visit a malicious site, they are giving the hackers access to your networks. Hackers are well aware of this weakness and are continually striving to enhance their methods of tricking users to fall into their traps.

Earlier this year, hackers gained knowledge of our client’s payroll processing schedule. They studied the profile of the company’s chief executive and identified when she would be on an extensive travel schedule. Our client’s Payroll administrator received a fictitious email on the day of processing, supposedly from the travelling executive, to change her bank account information to a new one before the upcoming payroll run.

The payroll manager, not noticing the misspellings in the email address, went ahead and changed the account number and sent a reply email indicating that changes had been made and that the new bank account information was now updated in the system. Given this executive’s busy schedule, she did not realize that money was not being deposited in her account for six weeks – three payroll cycles!

This type of a social engineering trick happens quite often in many different settings and forms. The only fix for preventing such occurrences is making sure you have proper and updated policies for your cyber and information security-related business processes. You also need to ensure you are periodically training and validating users on the specifics of what to do, what not to do, and what to look out for. An effective training program will keep users updated on the latest cyber threats while emphasizing business-specific policies and procedures relevant to each user’s work requirements. It is also important to verify each user’s training effectiveness by conducting validation exercises such as periodic phishing campaigns and tabletop exercises to keep everyone on their toes at all times.

To help you develop a better understanding of your organization’s cyber and information security risks, our Technology Solutions Group has created a Complimentary Readiness Assessment. This assessment can lay the foundation for developing an effective cyber and information security plan for your organization, and help you avoid having a scary cyber story of your own to share!

Find out your cyber readiness score by taking this health check. Your scorecard will be ready in 48 hours for your review and planning.

***

If you would like to inquire about attending the above event, or you’d like to discuss your organization’s cyber needs, please don’t hesitate to reach out to Sassan S. Hejazi, Director, Technology Solutions, at Email or 215-441-4600.

Information contained in this alert should not be construed as the rendering of specific accounting, tax, or other advice. Material may become outdated and anyone using this should research and update to ensure accuracy. In no event will the publisher be liable for any damages, direct, indirect, or consequential, claimed to result from use of the material contained in this alert. Readers are encouraged to consult with their advisors before making any decisions.