Cyberattacks increasing, but you can do something
It’s a Friday morning. An employee at a company in Minnesota logs onto his bank account during his break to pay a few bills because it is payday. He notices that his paycheck was not direct-deposited. Fear creeps in. He immediately emails human resources to find out when to expect his paycheck.
HR responds, “Your paycheck was deposited and cleared this morning just after midnight.” Fear becomes anger: “What do you mean, I did not receive the deposit,” the employee replies. An investigation ensues and by midafternoon, it is clear a cyber-criminal hacked into the company portal and changed the direct-deposit information in the employee’s account to an account elsewhere in the world.
The technology company that owns the portal does not take responsibility and takes no steps to trace the hacker. According to its small print, it has no responsibility in these situations. The onus is on the employer. The company now needs to cough up the pay for the employee — again. In addition, the company has no idea if the rest of the employees have also been hacked and, if so, what that may cost them.
Cyberattacks in the workplace are out of control. In 2022, our company has seen multiple clients become victims of sophisticated hackers focused on infiltrating payroll systems. Hacking an HR system gives a cybercriminal access to financial information and personal data for identity theft.
It is affecting companies of all sizes. In December 2021, Ultimate Kronos Group, one of the largest providers of payroll and time-and-attendance systems in the world, revealed that one of its cloud-based time-and-attendance systems was exploited by hackers.
According to a May 2022 article in Forbes, half of U.S. businesses still have not put a cybersecurity risk plan in place. As cyberattacks grow in both number and sophistication, organizations are increasingly under the gun to protect themselves from being compromised, the article says. Though companies have increased security budgets and adopted more advanced defenses, keeping up with the threats that will surface over the next few years will be a challenge. Many methods to protect information are inconvenient and deter companies from practicing them.
According to our own cybersecurity insurance provider, Chubb, small businesses are more at risk than ever. Hackers count on the fact that smaller companies are less sophisticated and do not follow fundamental steps to protect their data against hackers. Core steps include:
Understanding what data is sensitive and what is not. For example, it’s more than customer credit card information and company financial data. HR information — like employees’ direct deposit information or Social Security numbers — could be hackable.
Educating employees. Training must be ongoing. Employees need to be reminded consistently to watch for phishing emails, avoid opening unexpected email attachments, and make sure the sender’s email address matches the person it represents. All it takes is one misguided click during a hectic day to give a hacker unfettered access.
Making sure that your platforms and partners are savvy and sophisticated enough to employ the processes needed to ensure a high level of security.
In addition, steps required for our employees — and encouraged among our clients — include:
When working at an unsecured location, which is more common than ever with hybrid work, be careful about what you work on. Do not access financial platforms, including checking your own bank account information. Free Wi-Fi stations are typically unsecured, meaning someone can easily hack into your system.
Use two-factor authentication where you receive a code (typically to your mobile phone) to confirm your identity. Yes, it annoys me but I have become Zen with it. The tradeoff is simple: authenticate or risk being hacked.
Encrypt as much as possible. Set up automatic encryption of your email and attached documents.
IT support company Ascendant USA also recommends the following:
Install and renew antivirus software and firewall protection.
Create strong passwords and change them often.
Back up data so that you have access to it should it be lost or destroyed in an attack. It will be especially helpful if you fall victim to a ransomware attack.
Determine how remote employees are set up to be safe and secure working from home or a non-office location.
Finally, Chubb advises having a security plan in place for your data to protect against the high-cost aftermath of an attack. Our cyber insurance rate rose by almost 50% this year. Many organizations have seen increases upwards of 100%.
Don’t take chances — set yourself up for security now. You will not only be protecting your organization’s information, but the personal information of every one of your employees.