October 08, 2024 | Cyber Security | Jenni Ramminger
Informed and Motivated Employees Are Your First Line of Defense Against Cybercrime
While cyberattacks caused by sophisticated cybercriminals and the advent of artificial intelligence (AI) make headline news, human error continues to drive most cyber events. According to Harvard Business Review (HBR), more than 80% of cyber incidents are attributed to end-user error. The worldwide cost of cybercrime was estimated at $10 trillion in 2023 and is expected to more than double in the next four years.
In addition, in a 2022 study by Stanford University, 90% of ransomware attacks originated through phishing emails to employees, according to an article by Maria Long, Vice President, Cyber Underwriter & Risk Management Portfolio Leader at Munich Re Specialty. And while most companies have beefed up their security controls to mitigate phishing incidents, employee education and training fall short. The same Stanford University study indicates that, even with increased cybersecurity budgets, less than 3% of these budgets are allocated to the human factor.
Phishing refers to fraudulent emails that fool users into exposing personal information or downloading malware. Cybercriminals are now deploying generative AI, deepfake technology, and CFO spoofing to craft personalized and convincing messages. They can use AI algorithms to collect and analyze data from social media, websites, and other sources to imitate legitimate communication styles and content. This makes it more challenging to distinguish genuine messages from fraudulent ones.
Phishing incidents result in financial losses, reputational damage, business disruption, and loss of clientele and potential business opportunities.
Prioritize Internal Phishing Awareness and Training
As the operations of logistics service providers continue to become increasingly digitized and intricate, ongoing security awareness and training, along with multi-layered security protocols, are critical components in any cybersecurity plan to mitigate and combat ongoing threats. Cyber education and training should be part of the company’s culture, which starts with top management. “Leadership must understand the implications of phishing attacks and the benefits of a strong cyber training and awareness program – integrating and aligning the ‘why’ with the mission and values of the organization,” says Long.
According to the National Institute of Standards and Technology (NIST), employees should view quality cybersecurity practices as good business and part of “how we do business here.”
A phishing awareness and training program should include the following topics:
- Typical phishing attack patterns
- Common cybercriminal strategies
- Typical phishing message characteristics (for example, the email may ask for confidential data or information, use a different domain, have links outside of the main domain, use incorrect spelling and grammar)
- The intent of the attacker and examples of successful outcomes
- Tips to avoid scam emails
- How to properly report phishing campaigns to both the IT team and authorities
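The message characteristics listed above can be turned into a concrete check that trainers and help-desk staff can run over a reported email. The following Python script is an added example, not code from this article or from Munich Re; it flags requests for confidential data, a Reply-To domain that differs from the sender domain, links whose host lies outside the sender's domain, and a handful of misspellings. The two sample emails, the keyword list and the misspelling list are constructed for illustration, and the domain comparison (last two labels) is a deliberate simplification of a real public-suffix lookup.

```python
"""Heuristic phishing-indicator check over constructed sample emails.

Added example (not from the original article). It scores a message against
the characteristics a training program teaches: requests for confidential
data, a sender domain that does not match the Reply-To domain, links outside
the sender's domain, and spelling errors. All lists and samples below are
constructed for illustration.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed phrase list: wording that asks the reader for confidential data.
DATA_REQUESTS = ("password", "social security", "account number",
                 "verify your account", "credit card")

# Constructed list of misspellings often seen in lures (illustrative only).
MISSPELLINGS = ("recieve", "acount", "verifiy", "imediately", "securty")


def registrable(host):
    """Crude registrable-domain guess: the last two labels of the host.
    Assumption for this example; production code should consult the
    public suffix list (e.g. co.uk has three labels)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def address_domain(header_value):
    """Domain part of the first address found in a From/Reply-To header."""
    addr = email.utils.parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower()


def link_hosts(body):
    """Hostnames of every http(s) URL in the body text."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [urlparse(u).hostname or "" for u in urls]


def phishing_indicators(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = body.lower()
    from_dom = address_domain(msg["From"])
    findings = []

    # 1. The email asks for confidential data or information.
    if any(phrase in text for phrase in DATA_REQUESTS):
        findings.append("asks for confidential data")

    # 2. The reply goes to a different domain than the visible sender.
    if msg["Reply-To"]:
        rt_dom = address_domain(msg["Reply-To"])
        if registrable(rt_dom) != registrable(from_dom):
            findings.append(f"reply-to domain {rt_dom} differs from sender domain {from_dom}")

    # 3. Links point outside the sender's main domain.
    outside = sorted({h for h in link_hosts(body)
                      if registrable(h) != registrable(from_dom)})
    if outside:
        findings.append("links outside sender domain: " + ", ".join(outside))

    # 4. Incorrect spelling (whole-word match against the constructed list).
    bad = [w for w in MISSPELLINGS if re.search(rf"\b{w}\b", text)]
    if bad:
        findings.append("misspellings: " + ", ".join(bad))
    return findings


# Constructed sample messages (acme-example.com is a placeholder domain).
SUSPICIOUS_EMAIL = "\n".join([
    'From: "Acme Payroll" <payroll@acme-example.com>',
    "Reply-To: payroll@acme-example-login.net",
    "To: employee@acme-example.com",
    "Subject: Action required",
    'Content-Type: text/plain; charset="utf-8"',
    "",
    "Please verifiy your account by confirming your password at",
    "http://acme-example-login.net/verify within 24 hours.",
])

BENIGN_EMAIL = "\n".join([
    'From: "Acme IT" <it@acme-example.com>',
    "To: employee@acme-example.com",
    "Subject: Maintenance window",
    'Content-Type: text/plain; charset="utf-8"',
    "",
    "The intranet at https://intranet.acme-example.com/status will be",
    "offline on Saturday from 02:00 to 04:00.",
])

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, "->", phishing_indicators(sample) or ["no indicators"])
```

Run as a script it reports four indicators for the first sample and none for the second. The value for a training program is the explanation attached to each finding: it mirrors the checklist employees are taught, so a reported message can be discussed in the same terms the course used. Keyword and misspelling matching is intentionally simple; it supports a human review rather than replacing a mail gateway's filtering.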
Once the phishing awareness and training program is complete, it’s essential to test the knowledge of all employees. There are companies that provide a variety of real-world phishing examples, ask employees to identify risky messages, and offer steps to take in the event they receive such a message.
Training should also include regular, unannounced phishing simulations to help pinpoint weak spots and keep cybersecurity top of mind among the staff. These tests may consist of emails, text messages, or voicemails sent and monitored by the IT staff. Individuals who click on a link, download a file, or respond to a message may be led to appropriate training sites to help them improve their cybersecurity awareness and abilities. The team can also use the outcomes of such activities to improve training materials or design specialized courses on specific critical topics.
In addition, as increasingly more novel social engineering schemes are being deployed, ensure training materials are routinely refreshed to encompass these latest threats and address social engineering advancements.
Ongoing training is intended to empower employees to maintain good cyber hygiene, make good decisions, and feel that cybersecurity is their responsibility. As Long puts it, employee training builds a ‘human firewall’ in defending against cyberattacks.
Invest in Cyber Insurance
Cybercriminals are relentless, and even the most buttoned-up security and training can fail to prevent a breach. Cyber insurance provides logistics service providers with coverage to weather the financial impact of a cyberattack. A policy can be designed to offer an integrated solution that helps pay the costs for the following:
- Data loss and restoration
- Data incident response, including notification expenses, crisis management, and public relations
- Forensic fees
- Legal expenses
- Third-party liability
- Business interruption
- Loss of income as a result of the attack
- Extortion and ransomware payments
- Payments for fraudulent wire transfers
Protect Your Business with a Proactive Cybersecurity Strategy
Don’t wait for a cyberattack to expose your vulnerabilities. Empower your employees with comprehensive training, integrate advanced security protocols, and ensure you have the right cyber insurance in place.
Contact us today to discuss your cyber insurance options and safeguard your business.
Disclaimer: This information is provided as a public service and for discussion of the subject in general. It is not to be construed as legal advice. Readers are urged to seek professional guidance from appropriate parties on all matters mentioned herein.