A true story, guest post on cyber attacks by Harold Howell, Owner of Risk Solutions, Inc.
If you are a business owner who thinks cyber attacks aren’t a serious threat, you’d better sit down. Many people think these incidents are rare, too minor to worry about, or just something that happens to somebody else. But I’m here to tell the business world that these crimes are real and happening every day. I (Harold Howell) run a risk and insurance consulting firm—and we got hacked. And it wasn’t minor.
In this forum, I cannot discuss our clients’ experiences, but I can share what has happened to us….
Last year, our bank account was intercepted–hacked—whatever you want to call it, someone who should not have had access to it, in fact, had access. Someone looking to profit off their access. An absolute nightmare. The only good news is none of my clients’ information was taken, only ours, but the attack could have put us out of business. The culprit was even able to access our webmail and send out emails as if they were actually coming from me! This felt like someone was in my house going through my stuff.
And this cyber hacker went big. The violator sent an email to a very high-level executive at my bank and requested a wire transfer for over $60,000! They wanted the funds wired to some unknown person in Arizona. My contact at the bank–who I have a great relationship with, thank goodness–thought this request was unusual, since I see her every week, and normally discuss large transactions in person. She called me to verify my request to transfer these funds. You can imagine my fear when I received this call. I happened to be standing up at the time, and soon found myself sitting down (like I asked of you at the beginning of this article).
The banker knew the next steps to take, including how to initiate an FBI investigation. Obviously, I was very lucky that I actually had a personal relationship with my banker, otherwise the request might have been processed without my knowledge. I would hope most banks would notice anomalous transactions and intervene, but there just isn’t any guarantee. I’m also glad we have cyber liability insurance, so that even in the worst-case scenario, we would only have lost our deductible (in our case, $5,000), not the entire amount.
How did all of this happen, though? As a property and casualty insurance agency, protecting risk is our business. We have always taken cyber security very seriously. We even insure against it, for ourselves and many of our clients. Now, hackers get more sophisticated by the day, but I was very comfortable with our security and our cyber crime prevention. So, where was the exposure? As it turns out, the criminal first gained access to a laptop belonging to an outside accountant we use. Our banking information was on that laptop, because the accountant was preparing to run payroll and financial statements. This is proof that no matter how secure you are, someone with your information can expose you—and all the while your doors were locked, your alarm was on, your motion detectors were running, and your guard dogs were awake.
In the end, we were lucky, as this could have been worse. I am grateful to my banker, the bank, and the FBI for their help in handling this crisis so well. But there was still a loss—as a business owner, my time is precious, and the amount of time lost to dealing with this cyber incident was damaging. And the stress that was caused by this exposure outside of our control had residual effects.
Business owners today need to be aware of the risk of cyber attacks. Obviously, proper security is a must, but security alone is not enough because it can never be perfect. We have closed the gaps in our system that the attacker exploited, but there may be others. Let’s face it, even the most secure fortress can be broken into. Ultimately, you also need a plan in place for what happens if your security is breached. That means having enough insurance, and it means maintaining good practice within your business and with those you do business with. Minimize the amount of damage that an attacker can do, and maximize the number of people who can and will help you fight back.
After all, you are not immune to a cyber attack. We weren’t.