A Wolf in Sheep’s Clothing

Editor’s Note: This article is the first in a series focusing on risk management practices for the pest management industry. The articles are based on presentations from the 2017 PestSure Safety and Loss Prevention Conference where PMPs gathered to hear the latest strategies for protecting their employees, customers and businesses from a variety of threats. In business for more than 30 years, PestSure is a nationwide association providing insurance and risk management services that is owned and operated by pest management professionals.

Editor’s Note: The identity of the company and its officials involved in this story have been withheld at their request.

It was a seemingly harmless email sent to employees from their CEO requesting they send him PDFs of their 2015 and 2016 W-2s for a wage and salary review.

Like at most organizations, when the CEO at this firm asked for something, people complied with the request. What no one realized was that the email came from a cybercriminal masquerading as the CEO looking to steal personal information.

By the time the company could react to the data breach, more than 200 employees were impacted and the company’s management team had to move into crisis management mode.

“We thought we were ready to combat any cyber threats until we weren’t,” said the company executive tasked with leading the response. “Our CEO never would have asked for that information but the cybercriminals created a phishing email that looked like the real thing.”

COMPANY REACTS. Once the management team realized the breach occurred they immediately took steps to mitigate the damage.

Working with their insurance carrier, the company offered credit monitoring services to all employees for two years, worked with their attorney to make proper notifications to various state agencies where their employees lived, and provided extra paid time off to employees to deal with the issue.

The impact on employees was direct and showed the warp speed at which cybercriminals work. False tax returns were filed, forcing ownership and other employees to meet with the Internal Revenue Service to reconstruct their returns and delay refunds.

“It was a disruption to the business but our employees took the brunt of it,” says the manager. “There was a seemingly endless to-do list of items early on that had to be done and done fast.”

Following the breach, the company enlisted the services of KnowBe4, a digital security awareness service, to conduct regular phishing testing and training, and the results have been positive.

“You have to rely on your employee training to raise awareness and reduce the risk,” says the manager. “You must be diligent and stay on top of it because everyone in your organization is vulnerable.”

PROACTIVE STEPS. What steps can companies take to reduce the risk of falling prey to a data breach?

• Have a professional cyber security plan in place. Have your IT manager or consultants lead the planning; involve human resources and accounting.
• Secure a cyber insurance policy. Talk with your insurance carrier about a policy that protects you and your employees in the event of a data breach. Dealing with a breach is expensive and insurance will help buffer the cost and provide you with valuable support.
• Control access to information. In the aftermath of the breach, the company took steps to reduce what sensitive information was shared through email or the company website. For example, the company’s payroll vendor provided employees with an app where they could access their W-2s, removing the company from the process and lowering risk.
• Establish a verification system for financial transactions. Today it might be counterintuitive to pick up the phone and call someone but a simple call to verify an email or online payment request from a coworker or vendor can save you time, hassle and money.

The author is a partner with B Communications and can be reached at jfenner@b-communications.com.