You expect a lot from your employees. Namely, you expect their work to help bolster your bottom line, not take away from it. But a new lawsuit shows how an employee's unsuspecting mistake can lead to serious losses.
According to a report by Advisen, three employees of Medidata Solutions, Inc. were targeted in a phishing scam that ended with them inadvertently transferring $4.8 million to a criminal's bank account in China. The report states the impostor's scam was convincing at every turn:
- The email appeared to be from a company executive.
- The email included the actual executive's picture and signature.
- The message was altered so it appeared to be sent from the executive's company email address.
- The employees were instructed to contact someone pretending to be the executive's attorney.
So, the report continues, Medidata did what any company with a Cyber Liability Insurance policy with computer fraud coverage would do: it tried to get that lost money back from the insurer. The insurer claims that Medidata's employees handed that cash over voluntarily, and that given the policy's language, coverage doesn't apply. To which Medidata responded, "Here's a lawsuit for you."
It's an interesting turn of events: an obvious fraud being denied coverage because the employees were manipulated rather than the computer system. Sophisticated cyber exploits can quickly get out of hand if you don't train your employees properly.
Risk Management Isn't Just Good for Business – It's Good for Your Coverage
If the Medidata debacle illustrates anything, it's that your business is only as protected as your internal risk management efforts. Even when you have insurance, you need to manage and reduce risk proactively to truly keep your business safe.
As we covered in "Applying for Cyber Insurance? Talk to IT First," your insurance coverage may hinge on whether or not you actually implement the risk management strategies and training that your insurance application claims you do. In that instance, a nonprofit hospital system's application affirmed it encrypted its patients' data, but during a data breach investigation, the provider found it didn't and challenged its duty to cover the $4.1 million claim.
So your motivation here is twofold:
- You want to manage risks to keep data breaches and phishing schemes from happening in the first place because they can be nightmarishly expensive.
- If you put risk management first but still suffer a cyber attack, your provider will have a harder time denying an applicable claim because you upheld your part of the bargain.
Now for the next question: if the risk you need to manage is human behavior, where do you start?
On Keeping Employees from Falling for Phishing Emails
In a spear phishing attack, the con artist poses as an executive or a vendor and tries to get an unsuspecting employee to either give up login credentials or to transfer funds to their bank account. Of course, you don't want to tell employees to not respond to their superiors on the chance a message could be a fraudulent one. At the same time, how are they supposed to tell who is really emailing them when the message has all the hallmarks of an authentic email from the supposed sender?
In the post "23% of Small Business Employees Still Make This Critical Mistake," we discuss some tips for spotting sloppy phishing emails, but to guard against sophisticated attacks, you should:
- Inform employees about phishing scams so they know what to watch out for.
- Instruct employees never to give out login credentials online or over the phone.
- Let employees know they will never get a legitimate request from a superior for a fund transfer via email.
- Have employees run big expenditures by you for approval.
The Advisen report notes that compromised email scams have racked up almost 2,000 victims and $215 million in losses since 2013, according to the FBI's data. Give your business its best chance to dodge these tricks by staying informed and prioritizing employee training.