In mid-August 2014, about 140 employees of North Dakota State University received emails appearing to be sent by the NDSU human resources department.
“HR” gave employees a simple task: click the link to verify payroll information. The link sent employees to a website with a Russian domain name that appeared to be an NDSU website, but it was fake. Before the scheme was discovered, eight employees had entered their usernames and passwords, and $20,600 had been stolen from the university.
This is an example of “spear phishing,” a form of social engineering where cybercriminals exploit the trust of employees. These hackers target individuals within an organization, looking for specific credentials and not necessarily hoping to score large amounts of data. It only takes one successful trick for thieves to penetrate an organization’s firewalls and steal its data.
Consider this: if a hacker can steal $20,600 by fooling 8 people, less than 10% of those targeted by the spear-phishing scheme, then all of us should be on the lookout for these types of schemes. Even the best security infrastructure can’t keep up with clever and patient cybercriminals. They are always looking for new and better ways to fool poorly trained employees.
Ask yourself this: if a flash drive labeled “Salaries” were left in an office break room, how likely would it be that at least one curious employee would insert it into their computer and try to read it?
Understanding that no organization is 100% safe, how can a business owner prepare for this type of data breach? Employee training is key. Employees trained to be aware of various schemes and the risks posed are less likely to become accidentally involved. Organizations are well served to have a defined response plan, with clear lines of authority that include knowing who to contact: law firms, public relations, forensic consultants, credit monitoring agencies, and call center services.
Data Breach/Cyber Liability insurance pays for these services and the lawsuits that follow. Perhaps most importantly, it puts the policyholder in touch with the right experts at pre-negotiated rates, which allows organizations to react quickly and efficiently. All companies should be prepared, even if the only data stored is employee information. Even small data breaches can be very expensive, and any company can be a victim.