No one suspected the man in a FedEx uniform …

No one suspected the man in the FedEx uniform.

He walked into offices in the Phoenix, Arizona area asking the receptionists for directions. Pretty common.

But if there wasn’t a receptionist, he quickly slipped a USB stick into the running front desk computer to download malware that spread across the company’s IT network. He did it a number of times over a two-week period, recalls Lynne Pace, CFO and VP of finance at Danson Construction.

The malware “just rode in the back of their programs and watched how everybody communicated: How the emails went, how the finances went … Twelve to 18 months later that’s when the barrage started ” — including convincing employees to wire money to bank accounts controlled by crooks.

“It took a long time for them to figure out they’d been hit,” she said. “The crooks got a lot of money just because of one man dressed in a FedEx uniform.”

This story at least shows how physical security is as vital as IT security in any organization.

Pace told the story to reporters as part of a panel arranged by Sage Group for the release today of its online cybersecurity survey of 2,100 owners of small and medium-sized businesses in eight countries. The release was timed to be part of Cyber Security Awareness Month.

Those surveyed included 500 owners of SMBs or non-profits in each of Canada and the U.S..

Among the findings:

— 48 per cent of respondents had been successfully hacked in the past 12 months;

— of those, 25 per cent had been hit more than once;

— 69 per cent said cyber security is part of their businesses’ culture, but most only discuss it when something changes or goes wrong internally;

— 46 per cent said their firm doesn’t use firewalls, even though 84 per cent claim familiarity with them;

— 42 per cent said their firm doesn’t backup critical data;

— among Canadian respondents, only 39 per cent said their firm has security education and training for employees;

— 52 per cent of all respondents want more support from vendors and governments with cyber security education and training.

“While our research highlights [SMBs’] genuine concern for cybersecurity, they seek guidance to comprehend and mitigate risks beyond the misconception of it merely relying on firewalls and tools,” noted Ben Aung, Sage’s executive vice-president and chief risk officer.

The discussion panel also included Shawnee Delaney, CEO of Vaillance Group, a U.S awareness training firm; Lauren Boas Hayes, senior advisor for technology and innovation at the U.S. Cybersecurity and Infrastructure Security Agency (CISA); Michael Cheong, CFO of the United Way of Greater Toronto; Sage CISO Gustavo Zeidan and Sage CTO Aaron Harris.

Pace’s story sparked Delaney to speak of the need for organizations to have a cyber security awareness program. Managers may have to have an “uncomfortable conversation” with employees about what conduct isn’t acceptable, she added.

Executives also have to manage an employee’s cybersecurity suitability through their entire employment lifecycle, she said, including deciding if a job applicant’s attitude to cybersecurity makes them a right fit for the organization.

Cheong said United Way of Greater Toronto is trying to convince staff that cybersecurity is not just “an IT thing” but a facet all employees are accountable for. The organization has created a cybersecurity playbook, a roadmap to help establish, monitor and improve its cyber posture. Each staff position has a cybersecurity profile so awareness training can be customized.

The program, he added, has huge executive and board support.

Since starting the awareness program two years ago, the probability of the organization being breached because of employee actions has dropped to 10 per cent from an estimated 15 to 20 per cent, he said.

Pace talked about the importance of small business owners swallowing their embarrassment and talking to each other about lessons learned from cyber attacks.

She also said awareness training has to be geared to particular age groups of employees.

Asked why small businesses still aren’t getting the message after 20 years of Cyber Security Awareness Month, Delaney blamed firms for not being creative in their employee awareness training. There’s still an attitude among owners that a data breach “can’t happen to me,” she added.

The biggest problem in the construction industry, Pace said, is many are family businesses with owners who don’t see data breaches as a problem. Older owners, she added, hate computers.

Cheong said management has to believe that cybersecurity spending is an investment. “It allows you to sleep very well at night.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now