The following Lessons Learned was submitted by a CAM Member company that wishes to remain anonymous.
There are probably lots of things we all wish we could go back and tell ourselves in the past, prior to making a huge mistake or failing to take the necessary precautions to prevent something bad (or embarrassing), right?
For my recent “lesson learned”, I wouldn’t have to go too far back in the old time-machine. But, since I cannot, maybe my lesson will prevent you from learning it the hard way.
Almost a year ago, we were alerted to a possible bank fraud by one of our clients. In doing our investigation, we realized we had been hacked. Hacked, not by some nefarious underworld criminal with a cool accent, but by several phishing emails. The emails were designed to resemble something legitimate, but instead tricked several company email account holders into trying to log into their Microsoft account, which then let the phishing-scam-evil-doer access these email accounts and download pretty much everything.
How bad could this really be, you ask. Well, we had Cyber Liability Insurance. Had, because once we notified them of the claim, our insurer dropped us as a customer. But, no worries, we have it again at a mere 6X the price as the old policy with less coverage and astronomical retainers (retainers = basically self-insuring the first chunk of the cost of the claim if we have another…fun, right?).
Many thousands of emails were searched by the two law firms and a cyber-forensics vendor we had to engage to manage this claim, and it was discovered that several hundred of the emails that had been phished contained protected information, including names, birth dates, and social security numbers, for employees, past employees, deceased past employees, relatives and family members, customers, etc. It’s a long list. Each of these people whose information was stolen was notified of the data breach by mail (along with their respective state agencies, which is required in many states) and offered a year of credit monitoring and a 1-800 number they could call for more information by yet another vendor. Even with the 1-800 number out there, however, most of our current (and past) employees called direct to our office for more information. There were lots of unhappy questions & lots of phone calls.
Some of the best practices I wish I knew:
- Multi-factor authentication, on basically everything, is a good thing.
- Phishing testing and training your workers what phishing is and what to look for is a very good thing…both office and field workers’ accounts where accessed, so everyone needs this!
- Phishing training/testing is expensive.
- Encryption for all email accounts is more expensive!
- A Cyber Breach, like we had, is so expensive and time consuming, I strongly encourage you, dear reader, to never-ever have one.
Information is power…I wish I had some of this information before I needed to know it. Just sayin’!
Don't Be a Victim
Join nationally recognized cyber security expert Nick Espinosa on July 26, 2022 for a webinar titled Hacking the Hackers. Nick will take a deep dive into the threats that corporations and governments face such as Dark Web exposure, types of hacking attacks, and a look into the foundational concepts of how to create a well-defended organization.
Nick is highly regarded across the country for his cybersecurity expertise and his ability to help companies better defend themselves from the next cyber attack. All contractors, large or small, will learn some practical steps to improve on their current cyber and tech security practices.