KeyBank Report: Fraud, Middle Market Leaders and Consumers
Cybersecurity is a term that means different things to different people. Today’s increasingly digital and online world means that more information is being stored and shared in ways that make it easier for criminals to exploit weaknesses in the protections that exist currently. From email scams and phishing to social engineering and business email compromise, there are cybersecurity risks for our personal data as well as for the data we control as professionals in the workplace. Nearly every day there is another story about a breach that exposes valuable information from a corporation, agency or group of people. Some of the biggest names in the world have been impacted, including Equifax, Target, Yahoo, Sony PlayStation, Uber, Home Depot, TJX Companies and more. The cost of these incidents is estimated to be in the billions of dollars, and the true cost is often not known for many years. Beyond the cost, the number of individuals affected is similarly shocking:
These statistics leave many people asking, “If the biggest companies in the world can’t protect digital data, how can middle market businesses and individuals ever hope to do so?”
Personal and business fraud is everywhere.
Fraud comes in many different shapes and sizes, and the criminals keep getting smarter and smarter. Most people today know not to respond to an email that promises unclaimed lottery prizes or millions of dollars from a prince in a distant land, but it’s much harder to recognize the intelligent and deceptive approaches that are becoming more common. It’s human nature in this environment to trust an email that appears to come from a boss or an external supplier. Likewise, the growth of social media and the willingness to unwittingly share personal information with friends and contacts unfortunately has made the jobs of the criminals that much easier.
Despite the frequency and severity of breaches, and the different methods hackers are using to commit cyberattacks, middle market leaders seem incredibly confident that they’re doing a good job at preventing attacks. Relative to other risks their businesses face, they’re less concerned about fraud overall.
So what is the big disconnect in perception vs. reality on this issue? In March of this year, only 50% of middle market leader respondents to the quarterly KeyBank Business Sentiment Survey said they were extremely or very concerned about theft of confidential client data (down 7% from the previous year). In addition, only 50% are extremely or very concerned about the security of their company’s mobile devices and only 42% are extremely or very concerned about payment fraud.
[Table: Middle Market Leaders’ Security Concerns – Extremely/Very Concerned. Rows: Theft of your clients’ confidential data; Security of your company’s mobile devices]
However, consumers feel very differently. In fact, these business leaders’ seemingly low levels of concern stand in stark contrast to a recent PwC study that showed 69% of consumers believe companies are vulnerable to hacks and cyberattacks.
To put this consumer concern over fraud even more into context, we looked to FICO’s consumer finance trend research. They surveyed 1,000 U.S. consumers over the age of 17 and asked them to identify their top concern from a list of common threats. 44% rated identity theft and fraud as their top concern, 22% selected death of a loved one, and 18% selected their top concern as being the victim of a terrorist attack. This ranking helps illustrate just how real concern over fraud is.
Why do business leaders feel safer than consumers?
So why do middle market business leaders appear to feel so safe in an era of rampant cybersecurity attacks? Perhaps it’s because many of them employ a variety of tools and procedures intended to protect data and educate employees on the best ways to prevent problems. Or perhaps it’s a “that could never happen to my company” mentality. Whatever the reason, businesses need to place more emphasis on developing programs that ensure the use of the latest and most powerful tools for enhancing cybersecurity as well as working continually with employees to establish best practices for dealing with sensitive data.
The importance of education and awareness cannot be overstated. Hackers are developing new approaches daily in an attempt to circumvent software and hardware protections while tricking individuals into divulging key pieces of information that can then be put together to form a bigger picture that helps the criminals find openings. The training must be updated constantly and reinforced effectively to convince employees to take ownership of security and to think more carefully about every action taken. As part of this process, it is critical to empower employees to not only use common sense, but to stop and think before doing anything that could compromise data or security. Businesses should have very clear policies and procedures for critical activities, and employees should not be willing to take shortcuts, no matter who might appear to be asking them to do so.
How the bad guys are tricking us at work and home
Some of the ways that hackers are breaking through protections today are truly frightening. On the consumer side, hackers are taking advantage of known brands and organizations to trick recipients into engaging with links or sharing information. From fake emails warning of Microsoft or Apple technical issues to deceptive FedEx package notices or secure document delivery scams, consumers are under constant attack. Posting vacation photos on Facebook is another signal for criminals looking to exploit a consumer’s absence from home or take advantage of a susceptibility to uninformed, hurried decisions about what to send or what to share. Small pieces of information may not seem dangerous, but to anyone looking for an opening, all those small pieces are easily put together to create an opportunity.
In the business world, by tracking a company executive on Facebook or LinkedIn, hackers can find out when he or she might be traveling, break into their email, send a direct message to the accounting department pretending to be that executive and ask for an urgent transfer to be made to close a deal. Or the hacker might gain access to a vendor’s email and send a request to a company that appears to be completely legitimate. These scenarios are known as Business Email Compromise (BEC) and have the attention of the FBI’s Internet Crime Complaint Center (IC3). The IC3 reported that between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses, with incidents in all 50 states and in 131 countries.
Cybersecurity is an issue that spans both the personal and professional lives of most people. Many of us have seen or heard enough bad stories that we are more careful about what we share with others. At home, we don’t answer calls from people we don’t know, we ignore suspicious emails, and we never click on links we didn’t ask for. Plus, according to an article on Digital Commerce 360, 68% of consumers said fear has influenced their decision to make a purchase online. 40% of consumers said they did not complete a purchase on the web for the same reasons. But at work, it’s more complicated. In an effort to please employers and customers alike, some people will rush to fulfill a request without thinking carefully about the authenticity of the source. The best approach is to combine a bit of how we act as consumers with how we act as representatives of our employers or businesses and move ahead with caution.
What can you do?
The only way to avoid these kinds of breaches is to establish review and verification processes that are the same every time, regardless of who is asking or what the urgency might be. That’s why employees have to be encouraged to speak up, even in response to a request from someone above them in the organization. Often, a simple phone call or secondary contact could be enough to authenticate a request or expose a breach attempt.
Common sense may be the most powerful tool a company has to combat the rise in cybersecurity attacks. By combining the best tools with effective training on every level, middle market businesses will be better able to identify and oppose threats as they happen. It’s good for businesses to have confidence in their ability to protect important company and customer data, but that confidence must be based on a knowledge that the proper protections have been put in place and that employees know how and when to raise concerns.
Keep in mind that whether you’re acting in your personal life to help teach your teens or aging parents how to make smart choices that protect against fraud, or you’re acting in your professional life, helping to educate employees about the biggest risks, there are a few common-sense tips that apply.