Risk & Business Magazine Miller Winter 2019 | Page 7
SOCIAL ENGINEERING
Do you have ironclad trust in the
employees who handle your most
sensitive financial data? The sad fact
is that you may be forced to rethink
this. In today’s sophisticated world
of cybercrime, even the most loyal
employees can be duped into unknowingly
handing over critical customer
information or other sensitive data.
While hackers can enter your computer
systems in a variety of ways, such as
with stolen passwords or by network
infiltration, some of their methods are
even more devious, particularly the
growing use of what is called “social
engineering.”
In social engineering schemes, hackers
take advantage of human weaknesses and
temptations to get employees to click
on specific links or open attachments,
giving the attacker a foothold on the
company’s network from which to wreak
havoc on its systems. They do this in
a number of ways, such as by sending
employees emails with falsified sender
information and tricking them into
following a link to “important
information” related to their jobs.
The idea of luring customers into
giving up their banking or personal
information to strangers has been
around for decades, and most people
by now know to be wary of such
requests. But now businesses as well
as consumers must be on high alert
against criminals who are constantly
scheming to access networks containing
valuable information, everything from
military secrets to confidential health
records to personal financial data.
Tricking someone into disclosing
sensitive information of their own
volition feeds off the human instinct
to trust and be helpful—particularly
in a work situation. Employees are
trained to be responsive on the job
and act respectful to customers and
vendors alike. Criminals exploit
this quality by using various forms
of communication, such as email, the
internet, the telephone, and even face-to-
face interactions to infiltrate and defraud
their targets. They may cultivate a
source over time, beginning with
information gathering, building a
relationship, and then moving to
exploitation, all without the victim’s
awareness.
Here’s one example of how it works.
Say you are the controller at a private
corporation, responsible for making
regular payments to an overseas vendor
for supplies that are later incorporated
into finished goods sold in the United
States. After working with this vendor
for some time, you receive an email
purportedly from that same vendor
describing an impending move to a new
bank. You comply with the change request
and send the next payment to the new
institution. When the real vendor comes
forward seeking payment some time later,
the company realizes a scam has taken
place and is out a large sum of money.
In this case, no one broke into the
company’s systems or exploited a
technical flaw. The victim willingly
gave up identifying information and made
payment to the criminal. The defense
here is procedural rather than technical:
confirm any change to a vendor’s payment
details by calling a contact at a number
already on file, never one supplied in
the request itself.
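The bank-change email in the example above carries signals that a mail filter or a finance team’s intake script can check mechanically before anyone acts on it: a sender domain that is not, or only nearly is, the vendor’s real domain; a Reply-To that routes the answer somewhere else; and wording that asks for payment details to be changed. The following Python script is an added example written for this page, not code from the magazine or from any vendor or insurer. The vendor directory, the domain names, and both sample messages are constructed for illustration.

```python
"""Added example (not from the article): screen an inbound vendor email for the
hallmarks of a bank-change scam before anyone acts on it.

Assumptions (all constructed for illustration): a small directory of known
vendors and their legitimate sending domains, and two sample messages.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor directory: vendor name -> the domain it really sends from.
KNOWN_VENDORS = {
    "Acme Components": "acme-components.com",
}

# Phrases that typically accompany a request to redirect payment.
BANK_CHANGE_PATTERNS = [
    r"\bnew bank\b",
    r"\bbank(?:ing)? details?\b",
    r"\bupdated? (?:our )?account\b",
    r"\bremit(?:tance)? (?:details|information)\b",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to catch look-alike domains
    such as acme-c0mponents.com standing in for acme-components.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Domain part of an address header, lower-cased; '' if none present."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_message: str, vendor: str) -> list:
    """Return the reasons this message should be held for out-of-band
    verification. An empty list means none of the hallmarks were found."""
    msg = message_from_string(raw_message)
    expected = KNOWN_VENDORS[vendor]
    reasons = []

    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))

    if from_dom != expected:
        if 0 < levenshtein(from_dom, expected) <= 2:
            reasons.append(
                f"look-alike sender domain {from_dom!r} (vendor uses {expected!r})")
        else:
            reasons.append(
                f"sender domain {from_dom!r} is not the vendor's {expected!r}")

    # A Reply-To that points elsewhere routes the controller's reply to the
    # attacker even when the From header has been forged to look legitimate.
    if reply_dom and reply_dom != from_dom:
        reasons.append(
            f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)
    text = (msg.get("Subject", "") + "\n" + text).lower()
    if any(re.search(p, text) for p in BANK_CHANGE_PATTERNS):
        reasons.append("asks for payment details to be changed")
    return reasons


# Constructed sample messages (not real correspondence).
LEGIT = """From: Jane Doe <accounts@acme-components.com>
To: controller@example.com
Subject: Invoice 4471

Please find attached invoice 4471 for last month's shipment.
"""

SCAM = """From: Jane Doe <accounts@acme-c0mponents.com>
Reply-To: Jane Doe <acme.accounts@example.net>
To: controller@example.com
Subject: Urgent: updated banking details

We have moved to a new bank. Please send all future payments to the
account below and confirm by reply.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT), ("scam", SCAM)):
        flags = assess(raw, "Acme Components")
        print(f"{label}: {'HOLD for verification' if flags else 'no hallmarks found'}")
        for r in flags:
            print("  -", r)
```

Any flagged message should be held until someone confirms the change by phone at a number already on file. An empty result is not proof that the request is genuine: a vendor’s real mailbox can itself be taken over, so the callback belongs in the payment-change procedure regardless of what the script reports.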
Once businesses accept that no amount of
technology can guarantee an employee
will never be fooled, they need to take
steps to protect sensitive financial
data. Training should be an important
component of this effort, with
formalized classes for employees on when
it’s OK to divulge confidential
information and to whom, and when it is
not. At the corporate level, sensitive
information should be kept on a system
separate from the one that holds widely
used information, with access restricted
to key personnel. Employees should be
trained on what suspicious links and
attachments may look like, and companies
can implement practice drills, such as
simulated phishing emails, to assess
employees’ preparedness. In addition, IT
departments should require strong,
unique passwords, add multi-factor
authentication where it is available,
force a password change whenever a
compromise is suspected, and apply
software updates as soon as they become
available.
As wide-scale data breaches continue to
get reported—whether committed by
social engineering or more traditional
means of hacking—more businesses
are realizing the importance of a good
cybersecurity insurance policy. These
policies are designed to cover not just
large businesses whose hacks receive the
most press attention but any small or
medium-sized business that safeguards
sensitive customer, vendor, and employee
information.
Your insurance broker can help you
determine whether your business liability
policy can provide enough protection
in the event of a serious data breach or
whether a separate cybersecurity policy is
needed. These policies provide coverage
for a number of different risk factors,
including network infiltration, regulatory
breaches, data loss, business interruption,
and losses due to social engineering
schemes. While policies differ widely
with respect to their specific coverages
and premiums—premiums usually
depend in large part on revenues—talk
with your broker to understand what
coverage you need to protect yourself,
your staff, and your customers.