
Cybercrime: Is Your Business As Prepared As You Think It Is?

This post details how cyber crimes can impact the organizational operations, mission, capabilities & reputation of any business.

Part one of a two-part article series on cybercrime

The list of major corporations that have been the victims of cyber attacks reads like a Who’s Who of blue-chip corporate America: Target, Home Depot, JP Morgan Chase, UPS, Coca-Cola, Sony, Anthem. Even the Veteran’s Administration has been hacked.
Due to these attacks, cyber crime has become a top priority for many corporations. But what about small and mid-sized firms? Are cyber crime and network security something you need to worry about?
“Yes, absolutely, without a doubt,” says Katrina Michalk, Executive Vice President, Cadence Bank Treasury Management Executive. “A cybercrime event can have a huge impact on the organizational operations, mission, capabilities and reputation of any sized business.”


A Cybercrime Gateway

According to Skip Westfall, former National Forensic Technology Services Practice Leader for Grant Thornton and Co-Leader of its National Cybersecurity Practice, small and mid-sized firms are often the gateway to bigger targets for cyber thieves.
“For example, we’ve seen this in the supply chain realm, where there are a lot of smaller companies that provide services to larger companies. These larger companies have to give them access to their networks and this can expose them to greater risk, particularly if the vendor or third-party supplier doesn’t have the necessary cybersecurity infrastructure and protocols in place.”
Cyber thieves can be creative in their attacks, Westfall acknowledges. In one instance, Westfall’s team found that hackers had difficulty gaining access to a multi-million dollar oil company so they sat outside the company’s headquarters and watched what their employees were doing. Many were ordering regularly from a Chinese restaurant across the street that maintained an online ordering option. The thieves installed malware on the restaurant’s menu system and were able to gain entry to the company’s systems through an unsuspecting employee.
Yet Westfall says corporate hackers don’t always target specific people. “Most often, they are sending out information requests at random to thousands of people within companies. They don’t know who you are — they’re just trying to get into the company’s IT system, and then they determine if you are a worthwhile target. Cyber thieves are trying to find any valuable corporate assets they can.”
Phishing emails are one of the primary methods cyber thieves use to try to steal sensitive corporate information and implant malware into corporate IT systems. Westfall says he has investigated about 40 phishing attacks in the past year alone. “The malware knows exactly what data to look for. It’s smart — and very pointed.”
Another point of vulnerability for many companies is social media, which fraudsters use to target specific employees who can help them gain access to a company’s systems and data. “Thieves can essentially build an org chart using LinkedIn,” notes Westfall. “They can determine reporting relationships and figure out who to target with their phishing emails.” 
In fact, according to the 2020 AFP Payments Fraud & Control Survey, wire transfer fraud decreased from 45% in 2018 to 40% in 2019. Still, wire fraud activity continues to be high, especially considering the percentage of organizations experiencing such fraud was only in single digits until 2012.


Westfall worked with a half-billion dollar construction company that, despite having the proper protocols in place, wired out $500,000 before discovering the fraud. “In most cases, we find there’s either a lack of controls in place or the controls are not followed to the letter,” Westfall explains.

“Other times, to gain entry thieves might simply call a company’s main receptionist or customer service department and say they’re a vendor that needs to get paid, who should they talk to?” adds Westfall. “Then they call back and explain they aren’t getting a response and ask for that employee’s boss. These staff members are trained to be customer service oriented, not combative, so they often provide the information without asking a lot of questions.”
Tricks like this make it clear that cyber crime is not just IT’s responsibility. “It’s a top-down initiative,” says Westfall. “Cyber crime efforts need to start at the top of the organization and filter down to every department and employee.”


Uncover Your Vulnerabilities    

The first step to protecting your business from cyber attacks is to perform a security assessment to uncover your vulnerabilities and determine the steps to take to protect against them. According to Michalk, the National Institute of Standards and Technology (NIST) has identified five core types of cyber crime functions: 

Identify — Determine which systems, assets, data and capabilities need to be protected.

Protect — Prioritize safeguards to ensure delivery of critical infrastructure services.

Detect — Identify the occurrence of cyber attacks.

Respond — Take action regarding a detected cyber attack.

Recover — Restore capabilities impaired by a cyber attack.


Third-party vendor management is also critical, Westfall adds. “Lots of small and mid-sized companies deal with outside vendors or third-party suppliers with whom they trade data and provide access to their systems. You need to find out what sort of cyber crime protection they have in place and take an active approach to ensure that your vendors are as vigilant about cyber crime as you are.”
Please contact your Cadence Bank Treasury Management representative if you would like to discuss fraud protection and prevention in more detail.
Continue reading part two of the article series on cybercrime.

This article is provided as a free service to you and is for general informational purposes only. Cadence Bank makes no representations or warranties as to the accuracy, completeness or timeliness of the content in the article. The article is not intended to provide legal, accounting or tax advice and should not be relied upon for such purposes.
