Top Tips on Fraud & Cybersecurity: Is Your Company Prepared for When?
October was National Cyber Security Awareness Month, and Camden National Bank partnered with Launch Security and Bernstein Shur to offer expert advice on managing fraud and cybersecurity for local businesses. The Association of Financial Professionals (AFP) conducts an annual payment fraud and control survey. According to the 2016 survey results, published May 2017, a whopping 74% of corporate respondents reported that their company fell victim to payment fraud in 2016, making it the largest year on record. Fraudsters are continuing to succeed in their attempts to attack organizations. The main take-away: ongoing awareness and preparation are key.
Check out these top tips from Susan Giffard, Director of Treasury Management & Government Banking at Camden National Bank, Rob Simopoulos, Co-Founder of Launch Security, and Tony Perkins, Attorney and Chief Information Security Officer at Bernstein Shur.
What are the most common kinds of cyberattacks?
First, it is important to understand where cyberattacks come from and what they typically look like. Rob Simopoulos shared that phishing emails are the most common attack method, and attackers often work to disguise themselves as company employees, customers, or vendors. These emails can often be difficult to identify. According to the FBI’s public service announcement from May 2017, Business Email Compromises (BEC) and email account takeover is now a $5 billion scam that targets unauthorized transfers of funds.
Susan Giffard shared that criminals can easily research companies through public websites, press releases, social media, and more. Fraudsters then look for ways to trick employees into believing emails built on this information are authentic. Be on guard for payment scams—in particular, pay attention to requests that:
- Have a sense of urgency or a need for confidentiality
- Add a new supplier or vendor contact claiming to represent the company
- Update a payment account
- Change payment instructions or the payment type (for example, from check to wire)
- Reflect a sudden change in business practice
Businesses are also seeing an increase in corporate payment fraud—primarily through fraudulent checks and wire transfers. According to the AFP’s 2016 survey, checks have been (and continue to be) the payment method most exposed to fraud, but only 10% of the companies targeted incurred a financial loss as a result. Lack of positive pay and clerical errors were the two primary reasons for financial loss due to check fraud. Organizations use positive pay to guard against check fraud; it is a well-established and effective method of protecting payments.
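To make the positive pay control concrete, here is an added example (not code from the original article or from Camden National Bank) that models how a bank matches presented checks against the issue file a company sends it. The issue file, the presented items and the exception reasons are all constructed for illustration; the `payee_match` switch is an assumption used to contrast standard positive pay with payee positive pay.

```python
"""Positive pay matching: compare checks presented for payment against the
issue file the company sent its bank. Constructed example data, not any
bank's or vendor's implementation."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class IssuedCheck:
    number: int
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedItem:
    number: int
    amount: Decimal
    payee: str


# Constructed issue file: what accounts payable told the bank it wrote.
ISSUE_FILE = {
    1001: IssuedCheck(1001, Decimal("1250.00"), "Acme Office Supply"),
    1002: IssuedCheck(1002, Decimal("87.50"), "City Water Dept"),
    1003: IssuedCheck(1003, Decimal("4800.00"), "Northern Freight LLC"),
}

# Constructed items presented at the bank for payment (clearing file).
PRESENTED = [
    PresentedItem(1001, Decimal("1250.00"), "Acme Office Supply"),   # clean match
    PresentedItem(1002, Decimal("875.00"), "City Water Dept"),       # amount altered
    PresentedItem(1003, Decimal("4800.00"), "N. Freight Holdings"),  # payee altered
    PresentedItem(1004, Decimal("999.00"), "Cash"),                  # never issued
    PresentedItem(1001, Decimal("1250.00"), "Acme Office Supply"),   # duplicate
]


def positive_pay(issue_file, presented, payee_match=True):
    """Return a list of (check_number, decision) pairs in presentment order.

    A decision is "pay" or an exception reason. Exceptions are what the bank
    hands back to the company for a pay/return decision before the cutoff.
    With payee_match=False the function behaves like standard positive pay
    (number and amount only); with True it models payee positive pay.
    """
    decisions = []
    paid = set()  # check numbers already honoured in this run
    for item in presented:
        issued = issue_file.get(item.number)
        if issued is None:
            reason = "exception: check number not in issue file"
        elif item.number in paid:
            reason = "exception: duplicate presentment"
        elif item.amount != issued.amount:
            reason = (f"exception: amount mismatch "
                      f"(issued {issued.amount}, presented {item.amount})")
        elif payee_match and item.payee.casefold() != issued.payee.casefold():
            reason = "exception: payee mismatch"
        else:
            reason = "pay"
            paid.add(item.number)
        decisions.append((item.number, reason))
    return decisions


def exceptions_only(decisions):
    """Filter a decision list down to the items that need a human decision."""
    return [d for d in decisions if d[1] != "pay"]


if __name__ == "__main__":
    for number, decision in positive_pay(ISSUE_FILE, PRESENTED):
        print(f"check {number}: {decision}")
```

Running the block with `payee_match=False` lets check 1003 through even though the payee line was altered, which is the gap that payee positive pay closes; the clerical-error cause the survey cites shows up here as an issue file that simply never listed the check, so the exception list is only as good as the file the company uploads.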
What can you do to prepare?
Susan recommends that businesses form a strong relationship with their bank – “Banks are constantly trying to stay one step ahead of fraudsters. It’s important to discuss the products and tips available to prevent fraud with your banker. Additionally, we encourage annual relationship reviews with your treasury management officer to include reviewing all online access and users, signers on accounts, email alerts and more.”
Use the most secure methods to send online wire transfers: dual controls from different computers plus multi-factor authentication with a token device or token app. Preset wire transfer limits with your bank, and add email alerts to someone outside of your accounting or treasury area for when wire transfers are executed. Businesses can apply the practical strategy of turning on multi-factor authentication for all systems. Rob recommends the resource www.turnon2fa.com to learn how to turn this feature on.
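The wire-transfer controls above (dual control from different computers, multi-factor authentication, a preset limit, and an alert to someone outside treasury) can be expressed as a single release check. The following is an added example written for this article, not any bank's online banking software; the preset limit, the alert recipient, the `device_id` used to tell two computers apart, and the actors and amounts are all constructed assumptions.

```python
"""Dual-control wire release with a preset limit and out-of-department alerts.
Constructed model of the controls described in the article, not any bank's
system. Every identifier and value below is an assumption for illustration."""
from dataclasses import dataclass, field
from decimal import Decimal

WIRE_LIMIT = Decimal("25000.00")        # constructed: preset limit agreed with the bank
ALERT_RECIPIENT = "owner@example.com"   # constructed: someone outside accounting/treasury


@dataclass(frozen=True)
class Actor:
    user: str
    device_id: str      # constructed: identifies the computer the action came from
    mfa_verified: bool  # the token device / token app check passed for this action


@dataclass
class WireRequest:
    beneficiary: str
    amount: Decimal
    initiator: Actor
    approvals: list = field(default_factory=list)


def check_wire(req):
    """Return the list of control violations; an empty list means release is allowed."""
    problems = []
    if req.amount > WIRE_LIMIT:
        problems.append(f"amount {req.amount} exceeds preset limit {WIRE_LIMIT}")
    if not req.initiator.mfa_verified:
        problems.append("initiator did not pass multi-factor authentication")
    # Dual control: a second person, on a different computer, who also passed MFA.
    valid = [a for a in req.approvals
             if a.mfa_verified
             and a.user != req.initiator.user
             and a.device_id != req.initiator.device_id]
    if not valid:
        problems.append("no MFA-verified approval from a second person on a different computer")
    return problems


def release_wire(req, outbox):
    """Apply the controls and record an alert for the out-of-department
    recipient whether the wire was released or refused. `outbox` is a list
    standing in for the email alert channel."""
    problems = check_wire(req)
    status = "released" if not problems else "refused"
    outbox.append({
        "to": ALERT_RECIPIENT,
        "subject": f"Wire {status}: {req.amount} to {req.beneficiary}",
        "body": "; ".join(problems) or "all controls satisfied",
    })
    return status, problems


if __name__ == "__main__":
    alice = Actor("alice", "PC-01", True)   # constructed initiator
    bob = Actor("bob", "PC-02", True)       # constructed approver on a second computer
    outbox = []
    request = WireRequest("Northern Freight LLC", Decimal("4800.00"), alice, [bob])
    print(release_wire(request, outbox))
    print(outbox[-1])
```

The alert is written on refusal as well as on release, so the person outside treasury also sees attempts that the controls stopped; a payment-instruction change of the kind listed earlier would still have to pass a second person on a second machine before any funds move.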
It is key for businesses to review and upgrade their service contracts with technology and service providers. For example, pay attention to contracts with the following:
- Data/document storage and “cloud storage” service providers
- Outsourced information technology service providers
- Outsourced billing and payment processing companies
- Financial institutions
- Contractors with access to offices and data and records storage facilities (for both electronic and physical records)
- Payroll and healthcare benefits processing companies
Tony Perkins advises, “These contracts should ensure that the parties responsible for the handling, processing and storage of sensitive data are both protecting data and agreeing to bear the liability and related costs in the event of a data breach due to their actions (or inaction).”
However, contracts cannot eliminate all risks of a data breach or cybersecurity threat. Tony shared that businesses can also attempt to cover risk through cyberliability insurance. This kind of insurance has become more common and affordable in recent years, but the industry has not yet established standard coverage elements, and coverages can vary significantly. Working with an experienced insurance broker and a knowledgeable insurance coverage attorney is key. Sample areas of coverage include data loss, business interruption, breach notification, public relations, customer credit monitoring, and defense costs. But please remember: “one size does not fit all.”
Make cybersecurity part of your work culture. Rob advises, “All employees should receive ongoing awareness training on what to look out for. Cybersecurity should be treated as a core business function that runs through the entire organization. Business owners and executives need to lead the entire company through a change in ‘cybersecurity posture’ from top to bottom. Safety in the workplace has shifted through awareness training and HR initiatives, and so should cybersecurity efforts.” Some companies even test employees with simulated email phishing attacks in order to teach awareness and best practices.
What should you do if a breach happens?
Despite the best preparation, a breach may still occur. Tony shared that laws vary by state, but currently, 48 of the 50 states have data breach notification laws, and each is somewhat different. In general, state laws dictate what needs to happen in order to avoid liability for a failure to alert customers, clients and/or employees of a suspected data breach.
Tony recommends the following critical steps in the event of a suspected data breach:
- Technical assessment of what occurred and steps to prevent further breach or harm
- Appropriate team of responders – outside IT professional, attorney, C-level staff
- Evaluate data breach notification statutes – you may need to comply with more than one state statute based on residence of customers and employees impacted
- Appropriate notice to insurance carrier
- Action plan based on findings, including potential notice to parties impacted
- Potential notice to governmental officials or agencies depending on statutory requirements
- Documentation of all steps taken and maintenance of records of all technical findings, notices and communications
After the initial response is completed, it is important to evaluate all aspects of your data technologies, service provider contracts, insurance coverages, and employee trainings. Tony recommends repeating these evaluations on a regular basis to stay on top of best practices and legal requirements.
In the fight against fraud, a little knowledge across your entire organization goes a long way. Plan for when a fraud attack happens, and be sure to keep your company’s plan up to date.
For more information, please reach out to our panelists:
Susan Giffard, Director of Treasury Management & Government Banking at Camden National Bank
Rob Simopoulos, Co-Founder of Launch Security
Tony Perkins, Attorney and Chief Information Security Officer at Bernstein Shur