[December 2022 Newsletter] Cybersecurity Governance & Happy Holidays!
Look, as business owners and executives, I believe the #1 responsibility is RISK MANAGEMENT.
In cybersecurity we distinguish data or risk ownership from stewardship or custodial responsibility. Your MSP, technology provider, or IT department (for our clients, i3 Business Solutions) is the data custodian or steward of your information and technology. You, the executive, owner, or client, own the risk for your business, information, data, and technology.
As custodians, we recommend controls and governance to mitigate the risk of a cybersecurity incident. There are various categories of cybersecurity controls; administrative and technical are two of the primary ones: essentially, policy and technology.
We generally trust the technical control category to deliver layers of technical security: MFA, antivirus / EDR, backup, firewall, M365 Defender ATP, and password management. Many of you trust these layers and controls to protect your company.
But, for all the layers of technical cybersecurity, you, our clients, are getting killed by Business Email Compromise (BEC), spoofing, spear phishing, and social engineering. According to the Verizon DBIR 2022 Report: “This year, 82% of breaches involved the human element. This puts the person square in the center of the security estate with the Social Engineering pattern capturing many of those human-centric events.” In practice, this looks like:
- Giving Admin access, logins, and passwords to the wrong person.
- Accounting, purchasing, or financial mistakes sending $$$ to the wrong account or person.
I’m aware of two examples in the State of Michigan in just the last week where hundreds of thousands of dollars were transferred to the wrong accounts. We have a responsibility to you, our clients, and to ourselves to mitigate this risk.
I cannot express enough my concern for this risk, both inside i3 Business Solutions and at your company or organization. Therefore, it looks like cybersecurity phishing testing, training, and education are a necessity.
It also looks like financial policy and governance controls must include:
- Require VERBAL approval for any ACH / direct deposit account number or routing number changes.
- Never change passwords or account numbers based on incoming phone calls, texts, or emails.
- Never click on links from emails or texts.
- Never act on urgent incoming phone calls, emails, or texts; instead, say: “I’ll call you back or log into your known website to make any changes.”
- Again, pick up the phone and call the phone number or contact you already know, so you verbally hear their voice before making any changes.
- We know our clients, vendors, credit card companies, and bank websites; Google their phone number yourself.
- Brian Abraham or I will do a live or Teams presentation for any client, or anyone listening to this vlog or reading this blog or email, about these risks and how to manage them.
- i3 will deliver financial or accounting administrative policy guidelines to help mitigate this risk.
Call, email, text, or track us down on the website.
Mike Ritsema, i3 Business Solutions, wishes you a SAFE & Merry Christmas and a Happy New Year.