Earlier this week, readers of the Colorado Springs Business Journal received an email that looked — at first glance — like a request to update their email address.
In reality, it was a message designed to raise awareness about cybersecurity issues and the threat to all businesses, and to let readers know about the National Cybersecurity Center’s latest business training seminar.
Some things that should have tipped people off: the blurry CSBJ logo, next month’s date, the fact that we don’t send emails like this.
Still, about 20 percent of the recipients clicked on the email. And if it had been nefarious, those businesses, nonprofits and home networks would have been compromised.
Not everyone saw the benefit of the email — some accused us of tacky marketing stunts for an event; some said there was too much of the real thing out there to waste their time with the fake phishing email. But others said they appreciated the effort to show that no matter how stringent the firewall or the antivirus program, the human link is the weakest.
For all too many businesses, people represent the biggest threat to their cybersecurity — clicking on links that seem legitimate, responding to email clones that seem like they are from the boss, allowing malware into the system.
Recently, I heard of a nonprofit whose human resources manager received an email from her boss who was out of town on a business trip. The email asked for the W-2s of every single employee. It was from the boss, right? So she emailed out the employees’ information — and put each of them at risk.
To add insult to injury, the nonprofit didn’t have cybersecurity insurance, meaning it had to pay for identity theft protection for every employee, past and present.
Cybersecurity should be a part of every business plan. How do you protect your clients’ identities; how do you safeguard the company’s accounting information, its bank accounts and your employees’ identifying information?
Unfortunately, too many companies try to go it alone, don’t have the right security protocols in place and have failed to educate employees about the dangers of cybercrime.
Experts say the costs associated with cybercrime will climb to $6 trillion a year by 2021. Much of that money is spent on trying to pay for identity-theft protection, covering client expenses and trying to rebuild corporate reputations as a trusted place to do business.
All the cybercrime — socially engineered attacks, fake Wi-Fi setups, false email links — means that cybersecurity should be top of mind, no matter where the email comes from. And for all the ways criminals are probing networks, prying at corners, checking out social media for the right clues and information about a business, there are ways to combat and correct errors to prevent unlawful and costly network intrusions.
About 80 percent of the 3,500 people who received the CSBJ email recognized it as suspicious. They didn’t click on the email; they were cautious. Those who did click were directed to a webpage that defined phishing attacks — and they were given information about the NCC’s upcoming oversight seminar.
The results don’t surprise Rodney Gullatte, owner of Firma IT Solutions and sponsor of the upcoming cybersecurity training. People, he says, never learn. And too often, businesses place cybersecurity — and paying for it — at the bottom of their priority lists. He routinely works with businesses that have failed to safeguard clients’ personal information.
Through its education, research and a rapid-response component, the NCC’s goals are to help businesses learn how to protect networks, train employees to delete the suspicious email, and help formulate a response if the unthinkable happens.
The training in Colorado Springs is just one of several seminars across the state. Limited to 25 people, it’s an opportunity to learn from experts about the cybercriminals who are out there, their ever-evolving methods and where the biggest threats come from.
When: 8 a.m.-noon, Thursday, Aug. 10
Where: Catalyst Campus