Business Email Compromise: The Second Costliest Crime

Originally Posted December 9, 2024. Updated to add a link to a related article published by the Washington Post.

Cyberattacks, specifically Business Email Compromise attacks, are back in the national news. This feature story on CNN.com covers the risk, nature, and impact of Business Email Compromise attacks on a national level.

Back in March of 2022, we blogged about Real Estate Cyber Security and the rapid increase in Business Email Compromise (BEC) attacks. We followed up in April of 2022, with a post Business Email Compromise – The Costliest Type of Cybercrime. The post explained how BEC attacks work and how you can prevent them.

Related Update: The latest housing scam: Using AI to impersonate your agent or lender, Washington Post, December 14, 2024.

Are YOU safe from Business Email Compromise Attacks?

A $2.9 Billion Problem

With 2023 adjusted losses exceeding $2.9 Billion, the FBI’s 2023 Internet Crime Report identifies BEC attacks as the second-costliest type of crime. In a recent survey by CertifID, more than half of the 650 homebuyers and sellers were not fully aware of these types of fraud risks.

While the victims in the CNN article believe the compromise originated with the title company, these breaches often begin with the real estate agent or brokerage. In the fragmented system of real estate franchisors, franchises, brokers/groups, and agents, gaps in cybersecurity awareness and protections are common. Real estate is a rich target for BEC attacks: large dollar transactions and low security vigilance among agents, buyers, and sellers attract cyber attacks.

Your Business Email Compromise Risk

The scope of BEC attacks spans businesses of all sizes. Your small business is a target because you are less likely to have adequate cybersecurity protections in place. As a small business, you are also less likely to have procedural checks and balances in place, so your chance of identifying and thwarting a BEC attack is lower.

Business Email Compromise attacks may target payments you make, or those your customers make to you. In either case, a successful BEC can destroy your reputation, expose you to litigation and liability, and cost you tens of thousands of dollars.

Your Next Step

Your best next step is to evaluate how well you are protected from BEC attacks. Use Referral Code 24RSA50 to request savings of at least 50% off our Rapid Security Assessment*. You can also schedule a brief, free call with one of our Cloud Advisors to discuss your cybersecurity risk and protections.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

* Discount RSA offer requests must be received prior to 3:00 PM EST on Dec. 31, 2024.

FBI 2023 Internet Crime Report

Whitepaper | Source: FBI — This annual report covers the trends, prevalence, and financial losses across the many forms of cyber attacks placing your business at risk. Understanding your risks is the first step to protecting you, your business, and your customers.

IT Safety for Sole Practitioners, Startups, and Smaller Businesses

(11/19/24) – Your computer, and your IT services, are your business lifeline. Manage, protect, and secure them to protect your business. Here are affordable solutions to protect you and your business.

What is Pen Testing and Why You Should Care

Cyber threats are evolving at an alarming rate, posing significant risks to your business. Penetration testing, commonly referred to as “pen testing,” is becoming a vital, proactive tool for assessing your risks.

Pen testing simulates a cyber attack on a computer system to identify vulnerabilities and test the security of IT systems. Pen testing goes beyond electronic systems; it encompasses the entire IT ecosystem, including human elements and physical security.

As cyber threats diversify, pen testing has become an important cybersecurity practice and an emerging requirement for cyber insurance.

Types of Pen Testing

Pen testing falls into various categories, each targeting different aspects of your business’s IT infrastructure:

  • External Testing:
    Evaluates vulnerabilities in the systems that are visible from the outside, such as web applications, servers, and network devices. It simulates attacks attempting to breach your network from the Internet.
  • Internal Testing:
    Examines what could happen if an attacker gains access to the internal network. It highlights potential damage and data exposure risks from within your organization.
  • Targeted Testing:
    A collaborative effort between your IT team and the testers, providing real-time insights into the attacker’s perspective and your response.
  • Blind Testing:
    Testers receive limited information about the target, mirroring the knowledge an actual attacker might have. This helps assess your organization’s security posture from an outsider’s perspective.
  • Double-Blind Testing:
    An advanced form of blind testing where neither the testers nor the IT staff are aware of the test. It evaluates the effectiveness of the security monitoring and incident response processes.

Benefits of Pen Testing for Businesses

Investing in pen testing offers businesses several compelling advantages:

  • Identifying Vulnerabilities:
    Pen tests expose weaknesses in systems, applications, and networks, allowing you to address them before they are exploited.
  • Prioritizing Risks:
    Not all vulnerabilities carry the same weight. Pen tests help you prioritize risks based on their potential impact and likelihood, guiding you on where to focus your efforts and resources.
  • Enhancing Security Measures:
    Insights from pen tests can guide the implementation of stronger security controls, such as multi-factor authentication, data encryption, and improved access management.
  • Boosting Cyber Insurance Prospects:
    Many insurers require regular pen testing as part of their coverage criteria. Demonstrating proactive security measures can lead to better terms and premiums.
  • Regulatory Compliance:
    For industries with stringent regulatory requirements, pen testing can help you assess compliance with standards like HIPAA, PCI-DSS, and GDPR. It can also help you benchmark against cybersecurity frameworks, such as CIS, NIST, and CMMC.

Getting Started

The best way to get started with pen testing is to perform a basic, preliminary scan of your environment. Referred to as a “Level 1” test, this snapshot provides a baseline assessment. From this assessment, you can determine what, if any, mitigation efforts are needed to improve your security, meet compliance requirements, and/or secure cyber insurance.

Your Next Step

Cumulus Global offers a free Level 1 Pen Test to qualifying organizations. Click Here to Request your test and to access related resources.

About the Author

Bill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud-forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience and effective change management.

Pen Testing: What and Why

Small and midsize businesses (SMBs) continue to face new security challenges and requirements. Pen (short for Penetration) Tests are quickly becoming a requirement for cyber insurance policies and regulatory compliance.

Pen Tests effectively identify risks, monitor cybersecurity progress, and validate compliance.

In this Coffee & Clouds online event, Cumulus Global CEO Allen Falcon will cover what is included in different types of Pen Tests. He will discuss why you may want, or need, to include a one-time Pen Test or a periodic Pen Test sequence in your cybersecurity program.

Invest 15 minutes to understand how to improve your cybersecurity and whether using Pen Tests is right for your business.

View the recording on-demand, and the Dunkin’ or Starbucks is on us.

Preparing for Your Cyber Insurance Renewal

5 Cybersecurity Standards

As you approach your annual cyber insurance renewal, you can take specific steps to ensure you have appropriate coverage and reasonable premiums.

The cyber insurance market has matured greatly over the past two years and continues to evolve rapidly. Insurers have become significantly more savvy regarding risks, protections, recovery costs, and potential liabilities. As a result, carriers are more precise in their underwriting practices.

Reviewing your cybersecurity risks and protections is a wise investment of time and resources. In a recent blog post, for example, we outlined 5 minimum cybersecurity standards that – if in place – can significantly reduce your premiums.

Here is a roadmap:

Review Your Original Application and Security Declarations

When you first applied for cyber insurance, you completed an application and, in most cases, a security survey/questionnaire. If you have not formally been asked to complete a new questionnaire, take the initiative to review and update your answers.

As a part of the review, document any changes in your cybersecurity protections. Make note if you added new protections or updated procedures.

If you’ve removed or replaced any cybersecurity tools, specify which ones and the reasons for the change. It’s important to track modifications as your needs and environment evolve.

Reassess your Cybersecurity Protections

Policy renewal is a great time to step back and reassess your cybersecurity. Compare your protections to industry, regulatory, and compliance standards relevant to your business.

Our eBook, Cyber Security Requirements for Cyber Insurance, outlines basic, preferred, and best-practice protections to consider before getting or renewing your policy.

As part of your analysis, consider completing new assessments, such as Penetration Testing and Security Audits of your Microsoft 365 or Google Workspace tenant. These evaluations can offer valuable insights, helping to inform decisions and set priorities for future cybersecurity improvements.

Deploy Additional Protections

Based on your review and assessments, determine if you should modify your cybersecurity protections. As you consider changes, prioritize your choices and efforts. You can make low-effort changes, as well as changes that address higher-level, critical risks.

You do not need to address every risk and gap. Instead, focus on demonstrating improvements and prioritizing the most likely and impactful risks for your business.

Put Your Policy Out to Bid

Finally, put your policy out to bid. Avoid simply adding coverage or riders to your general liability business coverage.

Cyber insurance is a specialized coverage, and the industry has become more adept at evaluating risks and potential liabilities. Partner with a broker who specializes in Cyber Insurance to market your coverage to multiple, specialty carriers. This will help you find the best balance between coverage and price.

Your Next Steps

If you are ready to move forward, here are four steps you can take today:

  1. Schedule time with one of our Cloud Advisors.
  2. Ask your Cloud Advisor about discounted and free Security Assessments.
  3. Evaluate options and deploy additional protections, if needed and appropriate.
  4. Shop your policy for the best plan and price with our partner, DataStream.

As always, our Cloud Advisors are ready to help. Contact us or schedule time for a quick online consultation.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Cybersecurity: Enough is Enough

(9/24/24) – Beyond industry and regulatory requirements, your cybersecurity should match your business’s risks, needs, and budget ... and nothing more. This event focuses on affordably scaling your cybersecurity.

3 IT Trends We See Now

Working with hundreds of small and midsize businesses, we often see trends in IT interests, plans, and initiatives. Given all the hype, we expected to see Generative AI as a big trend this fall. While our clients are interested in it and beginning to use it, Generative AI is not among the top three trends this fall.

Here are the 3 trends we see now.

3 Incremental Cybersecurity

With a never-ending string of cyber attacks, new regulations, and expanded expectations from customers, insurers, and others, your peers are reassessing their cybersecurity measures and making adjustments.

Like your business, most small businesses have some cybersecurity measures in place. Adding incremental services is a fiscally smart way to increase prevention, fill gaps in protection, and ensure a more effective response.

Universal multi-factor authentication (MFA), penetration testing, security awareness training, and improved recovery and continuity solutions are among the services your peers are adding.

2 Virtual Desktops

Remote and hybrid work are the norm. So is bring-your-own-device, or BYOD. The challenge is ensuring your team has a consistent user experience that is productive and secure.

Virtual Desktop, sometimes referred to as a remote desktop solution, provides a cloud-resident environment that is secure and effective. With a virtual desktop infrastructure (VDI), such as Azure Windows Desktop, your team accesses a secure work environment from any device with Internet access. Apps run and data remains in the cloud – only screen, keyboard, and mouse traffic touch the local device.

By removing the end user device from the security envelope, you do not need to put security software, or company data, on employees’ personal devices. You reduce the scope of your management (and the cost) while having more control over your environment.

1 Managed Cloud Services

Your IT and cloud services are more sophisticated and capable. Keeping current, ensuring the environment is secure, and helping your team use your IT services most effectively takes time. Instead of letting things slide, your fellow small business owners and leaders are moving towards Managed Cloud Services.

Managed Cloud Services, like more traditional managed IT services, put monitoring, management, administration, and support into the hands of experts. You get an integrated bundle of security, services, and support that matches your needs and your budget.

While Managed Cloud Services often come with some increased costs, the enhanced value gained outweighs the cost.

Your Next Steps

Our Cloud Advisors are ready to help you assess if and how Virtual Desktops and Managed Cloud Services may benefit your team and business.

To assess and adjust your cybersecurity, check out these resources:

Our eBook, Cyber Security Requirements for Cyber Insurance, defines basic, preferred, and best-practice cybersecurity for small businesses.

We also offer multiple assessments to help you understand and benchmark your current cybersecurity, including:

These assessments are free with a Referral Code.

Contact us or schedule time with one of our Cloud Advisors to learn more and obtain your Referral Code.

About the Author

Bill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud-forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience and effective change management.

Security CPR (Cloud Burst Ep. 01.03)

Sept. 16, 2024