The last presentation at the recent YAC Sales & Leadership Conference was on cyber security and it included a demonstration of just how vulnerable an insurance agency or any other business can be to a cyber attack. One of the agents at the conference agreed to allow his agency to be the subject of a cyber attack by the presenters.
This attack did not involve a sophisticated attempt to penetrate the agency’s servers via their connection to the internet, as is seen most often in the movies and on TV. Instead, the presenters sent e-mails from what appeared to be the agent’s e-mail address to 15 or so employees of the agency. The e-mail contained only publicly available information about the agent and the agency. It also contained a link that asked the recipient to provide certain information, which, if provided, would have allowed a real hacker to access all the information on the agency’s computer system. That link could just as easily have installed malware on the agency’s computer system with the same result.
Even though the e-mail was sent late at night and contained many typos, two of its recipients clicked on the link and one provided the information necessary to allow a hacker to gain access to the agency’s computer system. This result is consistent with the fact that the majority of successful cyber attacks on businesses involve employees doing something they should not have done. It also emphasizes that cyber security is not limited to having firewalls and detection software installed on an agency’s servers and desktops. Those measures are important, but it is even more important for an agency to train its employees on what not to do when receiving and responding to e-mails during the course of the work day.
Such training should cover the warning signs in incoming e-mails that may indicate they really come from hackers trying to gain access to the agency’s computer system. Two of those signs were present in the e-mails sent to the above agent’s employees: they were sent late at night and contained many typos. Mismatched URLs and misleading domain names are two other such signs (click here for a list of ten such signs).
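As an added illustration (not part of the original post), the following script checks a message for three of the signs named above: an off-hours send time, a link whose visible text points to a different host than its actual target, and a domain that imitates the agency’s own. The agency domain and the sample message are constructed placeholders; the crude lookalike rule is an assumption, not a recommendation for production filtering.

```python
import re
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholders: the agency's real domain and a sample phishing message.
AGENCY_DOMAIN = "example-agency.com"
SAMPLE_EMAIL = {
    "sent": "2023-05-02T23:47:00",
    "html": '<p>Please confirm your login at '
            '<a href="http://examp1e-agency.com.evil-host.test/verify">'
            'https://portal.example-agency.com/verify</a></p>',
}

class _LinkCollector(HTMLParser):
    """Pairs each <a href> with the text the reader actually sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def is_lookalike(host, legit):
    """Misleading domain: legit name buried inside a longer host, or one character off."""
    if host == legit:
        return False
    if legit in host:                       # e.g. legit-name.com.attacker.test
        return True
    a, b = host.split(".")[0], legit.split(".")[0]
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def phishing_signs(email, legit_domain=AGENCY_DOMAIN):
    """Return the warning signs found; an empty list means none of these three fired."""
    signs = []
    hour = datetime.fromisoformat(email["sent"]).hour
    if hour >= 22 or hour < 6:
        signs.append("sent outside business hours")
    parser = _LinkCollector()
    parser.feed(email["html"])
    for href, text in parser.links:
        shown = _host(text) if re.match(r"https?://|www\.", text) else ""
        if shown and shown != _host(href):
            signs.append(f"mismatched URL: shows {shown}, goes to {_host(href)}")
        if is_lookalike(_host(href), legit_domain):
            signs.append(f"misleading domain: {_host(href)}")
    return signs
```

Running `phishing_signs(SAMPLE_EMAIL)` reports all three signs for the sample message, while a daytime message linking plainly to the agency’s own domain reports none.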
The damage that can be done by a hacker who has gained access to an agency’s computer system is limited only by the imagination of the hacker. Click here for an example of how the information in that system can be used to create fake e-mails to the agency’s customers that ask for money to be sent to a fake bank account. Click here for an interesting video from Hewlett-Packard that explains how printing a coupon sent to an employee by a hacker can result in the hacker gaining access to a business’ computer system.
It’s not enough to protect an agency’s computer system with firewalls and detection software. Its employees must also be trained to spot phishing e-mails, and that training must be ongoing to keep up with the latest versions of such e-mails.