Business Cybersecurity Guide

Imagine arriving at the office to discover that cyberthieves have locked down your company's computer network and are demanding that you pay ransom before they'll release it.

Who would you call? What would you do? Would you be able to conduct business? Would you pay the ransom? How would you shore up your network after the incident to make sure you weren't hit with another ransomware attack?

This kind of scenario may sound far-fetched. But it is increasingly common. And it is just one scenario among many that small businesses, like their larger counterparts, need to consider in an era of rising and increasingly advanced cybercrime. If you assume your company presents too modest a target for online crooks and hackers, you may be operating under a dangerously false and costly sense of cybersecurity.

In fact, while data breaches at global corporations grab the headlines, cyberthieves find small businesses highly appealing and have been escalating their attacks on them for years. Common threats include malware, ransomware, viruses, and social engineering weapons like phishing and more targeted "spearphishing" emails. And the Small Business Administration notes that internet crimes are constantly evolving.

Given the financial, operational and legal havoc that cyberattacks can wreak on a business, not to mention the damage to company image and client trust, these threats merit attention.

Keep reading to understand the cybersecurity threats affecting your business today, and how you can support your employees in protecting sensitive data.


Common Types of Cyberattacks

While traditional cyberattacks focus on company infrastructure, criminal hackers are now exploiting remote connectivity and often gaining entry though employee email.

Business email compromise is one of the great milestones in an attacker's approach because once they have been able to gain access to a business email account, they can glean more information by observing internal procedures and better understanding how your business operates.

What might a hacker learn from an employee's mailbox?

If the attacker were to gain access to the right employee's email account they could directly request and approve wire requests.

Fraudsters also may alter information on wire requests, launch an attack on another client or the bank itself and continue to identify high-value targets.

Email Compromise

Among the numerous cyber scams that City National's business clients have reported recently, the most common include:

  • Fraudsters using an employee's hacked email account to send a wire transfer request that looks like it had originated inside the company, or criminals purporting to be vendors and requesting changes in wire instructions for future payments.
  • Criminal hackers using employee email to send a fraudulent ACH request.
  • Fraudsters sending a forged PDF letter to a company's customer asking that a payment be redirected to a different bank.

Most people aren't looking for phishing attacks from those they consider trusted senders. So when a client's email account gets compromised, it is more difficult to recognize the fraud.

How can you and your employees learn to recognize a suspicious sender?

It's tricky, but these messages often arrive out of the blue and appear to come from company insiders whose names you don't necessarily recognize.

They may open with greetings such as, "Hi, I'm Sally from the help desk," said Barbara Allen-Watkins, president and CEO of cybersecurity training firm BAW Consulting Services and a former City National Bank senior vice president. This is often the case with spearfishing emails.

"Cybersecurity threats are becoming more and more sophisticated, and handling all this remote access is one of the biggest cybersecurity challenges facing companies today," Allen-Watkins noted, suggesting that mid-sized companies may want to divert revenue-generating capital to cybersecurity plans and efforts during this unusual time.

Phishing and Spear Phishing

About 90% of large-scale hacks start through some form of phishing, which includes any attempt to trick victims into sharing sensitive information such as passwords, usernames, financial information or credit card details for malicious reasons. In most cases, phishing attackers send emails requesting sensitive information that appear to come from an authentic organization. Phishing can also include emails that ask you to click a link, download a file or send money.

Another form of phishing is called "spear phishing." While phishing attacks go to large groups of people and hackers hope someone will fall for the scam, spear phishing targets a specific individual. Also known as business email compromise, spear phishing emails will be addressed directly to a specific recipient with a personal message that may appear to come from a superior or a representative of a reputable service provider, customer or other institution. This “new wave of old-fashioned social engineering" targets a specific individual to get confidential information or initiate a financial transaction under false pretenses.

Once an email account is compromised in this way, thieves can send out legitimate-looking invoices, wire requests, W-2 information and updated payment instructions.

“The purpose of spear fishing is to reach those people who have the credentials or the access authority that the hackers need in order to gain access to the system and get as much data as they can," said Allen-Watkins.

How to Prevent Phishing

Train employees to always check and verify the sender of an email or a caller is who she says they are before releasing confidential information.

Wire Fraud

Wire fraud typically happens in two different forms that are often associated with a phishing email. The first is when a fraudster impersonates you to conduct a financial transaction in your name. They may send an email to a colleague asking them to make a payment on your behalf.

The second common scam is when a fraudster impersonates someone you trust to communicate to you. In this case, the criminal might intercept a legitimate wire transfer and ask you to change the wire instructions at the last minute.

Scammers may pose as colleagues, clients or someone else with whom you or your company has done business recently. Their goal is to get your confidential account information and exploit it, or convince you to wire funds to them. In some cases, if they have access to your mail or invoices, they may pretend to be a vendor asking for funds to be wired to a new account.

In either scenario, the money ends up in the wrong hands. Unfortunately with wire fraud, it's difficult to resolve once the wire transfer has taken place because the money becomes untraceable.

How to Prevent Wire Fraud

Because wire fraud most commonly happens as a result of phishing or spear phishing, look for wire fraud red flags and always utilize at least two sources of verification before initiating a transfer.

Malware and Ransomware

Symantec Corporation, a nationally recognized security consulting firm, estimates that one out of every 131 emails contains malware, which is a virus, worm, Trojan horse, ransomware, spyware, adware, scareware or any type of software intended to damage or disable a computer or computer system. Usually, the objective of malware is to steal passwords or intercept or redirect internet traffic, enabling the criminal to access a financial system using the victim's credentials.

A specific malware known as ransomware is one of the newer and more malicious forms of fraud.

Ransomware occurs when a computer receives a malware infection that encrypts the data and prevents you from using your computer until you pay a fee — or ransom — to the attacker. Hackers will commonly request payment in bitcoin or another form of cryptocurrency that is difficult or impossible to trace.

How to Prevent Malware and Ransomware

Every business needs a cybersecurity plan that helps anticipate and mitigate problems with malware and other hacks. The plan may include regular updates to all computer systems and specific best practices to which employees are required to adhere. Business owners should consider engaging expert consultants and purchasing cybersecurity insurance to avoid potential problems.

There are a few preventative actions you can take to prevent ransomware and limit the impact of an infection. Keeping your computers up-to-date with system patches and antivirus updates is vital.

As an added precaution, utilize one of the many cloud-based services that offer data storage options for a low cost. Storing your data securely in the cloud acts as a buffer against the possibility of losing data to a ransomware infection locking your computer. If you do experience a ransomware situation, you may not need to pay the ransom to retrieve your information if you're able to restore your data from a safe backup.

In all cases, consider contacting law enforcement in the case of a ransomware infection to advise and assist. Digital ransom is a crime that law enforcement does take seriously.

Having an understanding of the various forms of cyberattacks that can hit your business is the first step to avoiding or minimizing such events. You may also consider talking with your bank, cybersecurity company and other business partners to help you create a plan to prevent and mitigate cyberattacks on your business.


How to Protect Your Company's Data

Every company should have a cyber-incident response plan, said Allen-Watkins.

"If you have a plan in place, you and your employees will know exactly what you're going to do if an attack happens. You'll be able to recover faster, and it'll cost you less money," she explained.

Some key red flags and responses to cybercrime that you should communicate to your employees include:

  • Looking for unanticipated changes in payment information or communications, such as new wire instructions, account numbers or emails or new requests for advanced payments and direct deposits.
  • Watching for anomalies, like an unexpected phone call from a client or supplier who usually communicates by email.
  • Understanding that any random, unsolicited email asking you to click a link, download a file or provide login credentials — usernames and passwords — or other sensitive information is likely a scam.
  • Helping the company secure the greater information system by using multi-factor authentication for account logins.
  • Calling to verify any unexpected changes made to client or vendor email accounts, phone numbers or payment instructions, and looking for misspellings in websites, email addresses and hyperlinks. For instance, employees should know to hover their cursor over email and website links to make sure they match the domain from the business that purportedly sent the message.

At the same time, Allen-Watkins recommended that companies hire third-party consulting firms to conduct cyber risk assessments. These assessments could help companies identify security gaps and make recommendations on proper tools to have in place to detect, deflect and destroy viruses.

From there, she suggested that firms obtain cyber fraud liability insurance and develop a cybersecurity training protocol. “Training employees is an ongoing process," she noted.

Companies should look at state and federal cybersecurity laws and at readily available guides, such as the National Institute of Standards and Technology cybersecurity framework, that provide best practices on guarding against, detecting, responding to and recovering from cyberthreats and attacks.

At the very least, executives and other employees should exercise caution when handling emails, texts or calls prompting them to click on links, download or open files or provide sensitive information.

If cybercriminals do breach your security systems, contact your financial institution right away, audit all accounts to look for any other fraudulent activity, follow any response plan you have put in place and file a report with the FBI's Internet Crime Complaint Center.


Use These Cybersecurity Tips to Protect Your Business

While the threat may seem overwhelming, there are many things organizations of every size can do to help avoid a security breach. Here are five of the best defenses.

Educate Employees

“Security, including cybersecurity, is not just an IT department or a chief security officer issue; it's a company-wide issue," said Joel Bagnal, president and COO of Vericlave. As a former senior advisor to former President George W. Bush for cybersecurity and counterterrorism, Bagnal said he knows how important it is to ensure that people are working together to combat cyberattacks.

Unfortunately, not all employees in a business are going to be equally aware of what constitutes a hacking threat, which is why making sure your staff can recognize potential security issues is essential.

Train all employees from the CEO to the lowest-level worker on good cyber practices, from recognizing phishing emails to proper data handling. Allen-Watkins recommended training staff at least twice a year.

Cybercriminals use social engineering attacks to trick users into giving up their credentials, or to click on a legitimate-looking email, she noted.

For example, educating your workforce about the dangers of email phishing (fraudulent emails that look legitimate but seek data or money) would be a huge first step in the right direction. Companies should consider implementing processes that allow employees to report suspicious emails and hosting a formal training program to educate employees on cybersecurity and develop awareness about the various ways attacks can occur.

Training can provide employees with the knowledge to identify red flags. For example, an email might appear as if it is coming from someone you know, but if you look closely at the email address, you might discover that it's slightly different or even completely different than that person's actual email address.

If you suspect that an email you receive is out of the norm in any way, simply verify it with a second source. Give the person a call or talk to them in person to confirm that they sent the original communication.

Providing employees with awareness of these types of tactics and the knowledge they need to handle the situation can help avoid cyberattack attempts. If a phishing event has previously happened within the company, develop a process to share the email details — what did the email want and who did it look like it came from — with employees who could be affected in the future.

Patch Software and Update Passwords Frequently

Top-of-the-line security software, including firewalls, network breach detection utilities, and anti-virus and malware protection, is indispensable as a shield against cyberthreats. To thwart sophisticated hackers, however, organizations must make certain their software can keep up with evolving threats.

“Cybersecurity is never a single tool or policy to protect your company's assets," said Bagnal. “Testing the system and refining tools and processes to ensure you're improving your cybersecurity profile is critical to ensure the threat doesn't adapt and leap over your tools."

Proper password protection also plays a key role in system security. As much as we all hate constantly updating and memorizing lengthy new passwords, it's one of the best ways to protect individuals and businesses against cyberthreats.

As basic as it sounds, having a complicated password that people aren't going to crack very easily is extremely important. Additionally, be certain to avoid sharing passwords.

Have a Cybersecurity Plan

“Companies should have an incident response plan," said John Gomez, chief executive officer of Sensato Cybersecurity Solutions. “They need a dynamic, living plan that addresses every vulnerability with probable attack scenarios and a detailed response protocol. It sounds like a lot of work, and it is, but how do you expect your staff to know what to do if it's not clearly outlined for them? Staff need to be familiar with their own responsibilities in the event of an IT security breach."

To be effective, cybersecurity procedures don't have to be overly detailed and complicated. For smaller companies with fewer staff and less complex IT systems, even a simple preparedness plan is helpful. It can be as straightforward as a one-page document that tells employees which company member oversees shutting down the organization's critical infrastructure or what third-party experts to call if a network is compromised.

Follow a Trust-But-Verify Protocol

Whenever a request comes through to provide sensitive personal or financial information, click a link, download a file or send money, always verify that the request is legitimate by verifying it with a second source.

If you received an email, for example, asking you to click a link to see tracking details of a package, but you know nothing about the package, pick up the phone and call the person or organization you believe is sending the email and ask them to confirm that they did in fact send it. This is a simple practice that should be followed by everyone within a company to avoid potentially costly mistakes.

Practice Cyberattack Drills

Of course, while a plan is an excellent start, in a real-world incident, a strategy is only successful if it can be properly implemented as quickly as possible.

“It's human nature to file and forget a plan," said Gomez. “That's why I strongly recommend businesses conduct organization-wide incident response training like the type of disaster response drills that fire departments or the police use. These drills build muscle memory so precious time isn't lost and staff and managers get to test out the protocols and procedures outlined in the plan and participate in a debriefing to discuss what worked and what still needs improvement."

Cybersecurity should become part of the company culture, so that employees aren't afraid to notify IT or management if they inadvertently click on something they shouldn't have.

“Sometimes an executive needs to say that," said Allen-Watkins.

The quicker you know about a breach, the quicker you can stop it, so a business with bullying executives who make employees fearful to report a problem "just can't have that culture anymore," she said.

"One of the most critical parts of a cybersecurity plan is to have an executive sponsor" who champions cybersecurity, she said. "It has to start at the top, cybersecurity is everyone's responsibility, from the boardroom to the mail room. It's not just an IT problem, and it must have support from the C-suite."

Segment Your Network

Another way for a business to prevent the corruption or theft of critical data is to divide the computer networks in order to limit loss in the case of an attack. In this way, critical systems in a company's network can remain unharmed even if another is breached or affected by a virus.

“I strongly urge businesses to segment systems containing highly sensitive data like account and customer information so if a breach occurs, traffic to those segments can be quickly shut off," said Gomez. “Segmenting systems is something many organizations think of as difficult and expensive, but it's necessary to keep an attack from spreading among devices or throughout a network. Segmentation cuts off access points through which an attack could go catastrophically organization-wide, spreading through devices and networks."

While it may be impossible for a business to completely avoid the threat of a cyberattack, ensuring that your management and staff are prepared and that your most vital data is protected can keep damage to a minimum.


Do Businesses Need Cybersecurity Insurance?

Cybersecurity insurance is emerging as a way for businesses to mount a vigorous response and get back up and running after the worst case scenario of a successful security breach. As the name suggests, cybersecurity insurance will cover the damage your business sustains in a cyberattack. These policies come as standalone offerings or as a rider to existing business insurance.

“The insurance is a great way for small and mid-size businesses to deal with a cyberattack," said Judy Selby, a lawyer who helps businesses evaluate cybersecurity policies. “These companies often don't have the financial and technical resources to deal with a cyber event."

Coverage is typically broken out into first-party and third-party policies.

First-party coverage pays for the cost of recovery in your own business, including legal bills, forensics, data restoration, lost revenue and crisis management. In addition, this insurance can help you deal with a ransomware attack, which is a fast-growing type of breach.

Companies may think they don't need cybersecurity insurance because they don't have customers' financial data," said Rocco Grillo, managing director of global cyber risk services at consulting firm Alvarez & Marsal. “But if there's a business disruption like a ransomware attack, a business could be brought to its knees."

Cybersecurity insurance policies typically also have provisions for third-party coverage, which covers external claims that may result from a cyber fraud attack. For instance, let's say you're a jeweler with a robust ecommerce site. Hackers might make away with your customers' credit card numbers and your suppliers' banking details. No doubt, these third parties will hold you responsible for any losses. Third-party cybersecurity insurance can pay their claims plus the cost of credit monitoring to ensure that no further financial harm comes to those entities.

How Much Cybersecurity Insurance Should a Business Have?

Companies of all sizes and in every industry can fall victim to cyberattacks. Determining what kind of coverage that you need depends on your risk exposure.

“There are no standard cyber policies on the market," said Selby. “There are a lot of carriers writing different policies that have different terms."

Because there's a lot of competition in the cybersecurity market, there's room for negotiation, both over price and policy terms. Pricing depends on your industry, your exposure and what type of data you're holding. Health data, for example, is more valuable than credit card data and commands a higher price on the dark web.

The key is to identify your own risks and then find a policy that will protect against those risks.

“Traditional commercial insurance coverage may provide some avenues for coverage in the event of a cyber incident," Selby said. “But many insurers are vigorously fighting cyber-claims under non-cyber policies."

Grillo recommended identifying your business's most critical assets, what he calls your "crown jewels." Then evaluate your risks — both known and unknown, which a cybersecurity laywer, consultant or other professional can help you identify.

“You may not have sensitive data, but if your business is disrupted and you can't deliver to your end customer, it's going to impact your revenues and your reputation," said Grillo.

Some businesses may be vulnerable to regulatory risks. “You might get fined for misuse of data or not having proper consents for what you're doing with the data," said Selby. “If you've got that kind of regulatory exposure, you'll want broader coverage."


Having Cybersecurity Best Practices Is Crucial

Even with the best cybersecurity insurance, you've still got to do your part to prevent a cyberattack. “Just because I have fire insurance on my house, it doesn't mean I shouldn't care if my house burns down," Grillo added.

In fact, an insurer may not agree to underwrite your business if you don't have strong cybersecurity policies and practices in place.

“Insurers will likely want to ensure that a company has strong crisis management and disaster recovery plans and procedures in place before issuing a policy that provides coverage for business losses after a covered event," said Selby.

In general, there is no substitute for practicing something Grillo calls "cyber hygiene."

That means, among other steps, making sure your antivirus software is updated, that all patches are executed in a timely manner and that your network is designed so that patches can be installed at the network level rather than at each computer station, added Allen-Watkins.

Cyberhygiene also entails using strong passwords and security codes, and requiring multi-factor authentication —a process calling for at least two steps to verify the person's identity before they can sign onto the network.

Backup your data at least daily. With more frequent backups, you might lose only 15 minutes' worth of data in a ransomware attack, Allen-Watkins noted.

Good cyber hygiene also requires thinking about who can reach which parts of your network. Allen-Watkins recommended granting access based on job responsibility.

Limit where employees can navigate on the internet and their ability to plug into USB drives and take data unnoticed, she said.

“Why does Susie need access to payroll when she doesn't do payroll?" she said.

Even trusted employees with broad access need their own sign-on credentials. Spear phishing emails often target top executives — in small businesses, the partners or owners — and their assistants, Allen-Watkins noted.

That way, if an assistant accidentally clicks on a malicious email under his or her own credentials, it can be traced to that person, which can protect the company from being denied an insurance claim because the boss shared credentials, she said.

More broadly, Allen-Watkins recommended conducting background checks on all employees — nationwide checks, not just statewide — before they are hired.

This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting. 

City National, as a matter of policy, does not give tax, accounting, regulatory or legal advice. Rules in the areas of law, tax, and accounting are subject to change and open to varying interpretations. You should consult with your other advisors on the tax, accounting and legal implications of actions you may take based on any strategies presented, taking into account your own particular circumstances.