No one suspected the man in the FedEx uniform.
He walked into offices in the Phoenix, Arizona area asking the receptionists for directions. Pretty common.
But if there wasn’t a receptionist, he quickly slipped a USB stick into the running front desk computer to download malware that spread across the company’s IT network. He did it a number of times over a two-week period, recalls Lynne Pace, CFO and VP of finance at Danson Construction.
The malware “just rode in the back of their programs and watched how everybody communicated: How the emails went, how the finances went … Twelve to 18 months later that’s when the barrage started” — including convincing employees to wire money to bank accounts controlled by crooks.
“It took a long time for them to figure out they’d been hit,” she said. “The crooks got a lot of money just because of one man dressed in a FedEx uniform.”
If nothing else, the story shows that physical security is as vital as IT security in any organization.
Pace told the story to reporters as part of a panel arranged by Sage Group for the release today of its online cybersecurity survey of 2,100 owners of small and medium-sized businesses in eight countries. The release was timed to be part of Cyber Security Awareness Month.
Those surveyed included 500 owners of SMBs or non-profits in each of Canada and the U.S.
Among the findings:
— 48 per cent of respondents had been successfully hacked in the past 12 months;
— of those, 25 per cent had been hit more than once;
— 69 per cent said cyber security is part of their businesses’ culture, but most only discuss it when something changes or goes wrong internally;
— 46 per cent said their firm doesn’t use firewalls, even though 84 per cent claim familiarity with them;
— 42 per cent said their firm doesn’t back up critical data;
— among Canadian respondents, only 39 per cent said their firm has security education and training for employees;
— 52 per cent of all respondents want more support from vendors and governments with cyber security education and training.
“While our research highlights [SMBs’] genuine concern for cybersecurity, they seek guidance to comprehend and mitigate risks beyond the misconception of it merely relying on firewalls and tools,” noted Ben Aung, Sage’s executive vice-president and chief risk officer.
The discussion panel also included Shawnee Delaney, CEO of Vaillance Group, a U.S. awareness training firm; Lauren Boas Hayes, senior advisor for technology and innovation at the U.S. Cybersecurity and Infrastructure Security Agency (CISA); Michael Cheong, CFO of the United Way of Greater Toronto; Sage CISO Gustavo Zeidan and Sage CTO Aaron Harris.
Pace’s story sparked Delaney to speak of the need for organizations to have a cyber security awareness program. Managers may have to have an “uncomfortable conversation” with employees about what conduct isn’t acceptable, she added.
Executives also have to manage an employee’s cybersecurity suitability through their entire employment lifecycle, she said, including deciding if a job applicant’s attitude to cybersecurity makes them the right fit for the organization.
Cheong said United Way of Greater Toronto is trying to convince staff that cybersecurity is not just “an IT thing” but a facet all employees are accountable for. The organization has created a cybersecurity playbook, a roadmap to help establish, monitor and improve its cyber posture. Each staff position has a cybersecurity profile so awareness training can be customized.
The program, he added, has huge executive and board support.
Since starting the awareness program two years ago, the probability of the organization being breached because of employee actions has dropped to 10 per cent from an estimated 15 to 20 per cent, he said.
Pace talked about the importance of small business owners swallowing their embarrassment and talking to each other about lessons learned from cyber attacks.
She also said awareness training has to be geared to particular age groups of employees.
Asked why small businesses still aren’t getting the message after 20 years of Cyber Security Awareness Month, Delaney blamed firms for not being creative in their employee awareness training. There’s still an attitude among owners that a data breach “can’t happen to me,” she added.
The biggest problem in the construction industry, Pace said, is that many firms are family businesses with owners who don’t see data breaches as a problem. Older owners, she added, hate computers.
Cheong said management has to believe that cybersecurity spending is an investment. “It allows you to sleep very well at night.”