Ransomware, in which attackers lock up a company’s IT systems and data and hold them hostage, is top-of-mind in the auto industry right now, but simple human error with business email is still the biggest cybersecurity vulnerability, and employee training is still the first line of defense.
“Ransomware is a huge, huge issue,” says Benjamin Tweel, senior cybercrime specialist within Bank of America’s Global Information Security team. However, even the more sophisticated threats, ransomware included, often get their foot in the door through common, everyday threats such as phony “phishing” business emails.
Tweel provided some tips and best practices for combating cybercrooks in a March 23 webinar hosted by the American International Automobile Dealers Assn., “The Auto Industry Under Cyber Attack.”
If there’s a single most important tip from Tweel’s presentation, it might be, “Don’t reply to an email requesting a change in payment instructions!”
It’s estimated that 90% of phishing incidents are caused by “human error,” when someone clicks or downloads something they shouldn’t have, Tweel says.
Once an intruder gets into a company’s IT system, it takes an average of 280 days to identify the intrusion, he says. “Let me say that again – 280 days. That’s a long time not to know somebody could be doing something suspicious on your network,” Tweel says.
Scammers may use that time to learn the ropes of an organization: how it works and who handles payments. The goal is to craft an email, which may even be sent from an actual executive’s own compromised email account, ordering a subordinate to make an immediate payment outside the usual channels, typically under unusual circumstances.
For example, the pretext is that the executive is overseas – and, because the scammer has been watching, the executive may in fact be overseas. There is some plausible-sounding reason why the payment has to be kept confidential. Above all, it has to be done quickly, before anyone has a chance to think it over, Tweel says.
Companies need to train employees to recognize fishy circumstances in the first place, and “empower employees to slow down the process without pressure” when they see warning signs, he says. It’s also a good idea to create a requirement that at least two people need to sign off on a payment.
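The warning signs Tweel describes (a request to change payment details, urgency, secrecy, an executive who cannot be reached) can be turned into a triage check that feeds the two-person sign-off. The following Python script is an added example written for this article, not code from the webinar, AIADA or Bank of America; the executive roster, domains, keyword lists, weights and hold threshold are assumptions, and the three sample messages are constructed. The content indicators matter because, as the article notes, the email may come from the executive’s real mailbox, where sender-address checks pass cleanly.

```python
"""Score inbound emails for business email compromise (BEC) indicators.

Added example, not code from the AIADA webinar or Bank of America.
Executive roster, domains, keyword lists, weights and threshold are
assumptions; the sample messages at the bottom are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal domain and roster of people worth impersonating.
INTERNAL_DOMAIN = "example-dealer.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-dealer.com"}
HOLD_THRESHOLD = 5  # assumed: at or above this, route to a second approver

# Phrases typical of the pretext: new payment details, pay now, keep quiet,
# and "I can't be reached to confirm" (assumed lists; tune per organization).
PAYMENT_CHANGE = re.compile(
    r"(new|updated|change[ds]?)\s+(bank|wire|payment|account)\s+"
    r"(details|instructions|information)|remit(tance)?\s+to\s+(the\s+)?new", re.I)
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|right away|today|before (noon|close))\b", re.I)
SECRECY = re.compile(
    r"\b(confidential|discreet|do not (discuss|mention)|keep this between)\b", re.I)
OUT_OF_REACH = re.compile(
    r"\b(overseas|abroad|travell?ing|in a meeting|can'?t (talk|take calls))\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Collect the text/plain content of a parsed message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def score_message(raw: str) -> dict:
    """Return the indicators hit, a weighted score, and a hold decision."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") or "") + "\n" + _body_text(msg)
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    known = EXECUTIVES.get(from_name.strip())

    # Header checks catch lookalike senders; they do NOT fire when the real
    # executive mailbox is compromised, which is why content checks follow.
    checks = {
        "executive_name_mismatch": (4, known is not None and from_addr.lower() != known),
        "reply_to_mismatch": (3, bool(reply_domain) and reply_domain != from_domain),
        "payment_change": (3, bool(PAYMENT_CHANGE.search(text))),
        "secrecy": (2, bool(SECRECY.search(text))),
        "urgency": (1, bool(URGENCY.search(text))),
        "out_of_reach": (1, bool(OUT_OF_REACH.search(text))),
    }
    hits = [name for name, (_, hit) in checks.items() if hit]
    score = sum(weight for _, (weight, hit) in checks.items() if hit)
    return {"hits": hits, "score": score, "hold": score >= HOLD_THRESHOLD}


# Constructed samples. The first mimics a compromised executive account:
# every header check passes, only the content gives it away.
COMPROMISED_EXEC = """\
From: "Jane Doe" <jane.doe@example-dealer.com>
To: accounts.payable@example-dealer.com
Subject: Vendor payment - urgent

I'm overseas and in meetings all day so I can't take calls.
We need to pay the vendor immediately using the new bank details below.
Keep this confidential until I'm back.
"""

LOOKALIKE = """\
From: "Jane Doe" <jane.doe@example-dealer-inc.com>
Reply-To: jd.office.mail@example-webmail.net
To: accounts.payable@example-dealer.com
Subject: Wire

Please process the wire today and confirm by replying to this email.
"""

BENIGN = """\
From: "Bob Smith" <bob.smith@example-dealer.com>
To: accounts.payable@example-dealer.com
Subject: Parts inventory

Attached is the updated parts inventory for this week's meeting.
"""

if __name__ == "__main__":
    for label, raw in [("compromised exec", COMPROMISED_EXEC),
                       ("lookalike", LOOKALIKE), ("benign", BENIGN)]:
        print(label, score_message(raw))
```

A hold is not a block: it routes the request to the second approver called for above, so a false positive costs a review rather than a lost payment, which is the "slow down without pressure" behavior the training is meant to produce.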
The coronavirus pandemic has raised the threat level by forcing companies to switch to multiple, interconnected digital channels faster than they normally would have done, Tweel says.
Before COVID, corporations saw digital adoption as “a cost-saving investment, for the next three to five years.” With COVID, that time line is compressed to one or two years, and the focus is no longer just on cost savings – it’s on simply staying in business at all, he says.
In employee training, it’s important to make the training relevant and “engaging,” Tweel says. Rather than making employees feel like “the weakest link,” trainers need to make employees feel like “our strongest defender,” he says. “They’ve got to understand why it’s important.”