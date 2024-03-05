BY Stu Sjouwerman

Citigroup is being sued over its mishandling of online scams. Victims allege that Citibank did not have robust cybersecurity controls in place and failed to respond to red flags. As a result, scammers infiltrated customer accounts using phishing schemes and were able to execute fraudulent wire transfers. Remember the hack involving SolarWinds? The company and its chief information security officer are being sued for alleged cybersecurity neglect in the run-up to the 2020 Russian cyberattack.

These incidents are not isolated. We have seen cases where employees launched class action suits against their own employers for breaching their duties and failing to provide adequate cybersecurity training. In these cases, employers have been sued on theories such as negligence, breach of implied contract, invasion of privacy, breach of fiduciary duty, and violation of unfair trade practices laws.

HOW THESE SCAMS WORK AND WHY BUSINESSES ARE BEING HELD ACCOUNTABLE

Cybercriminals and scammers use several different phishing tactics to target businesses and their employees. These include sending a fraudulent email to a potential target (email phishing), sending an SMS with a malicious link (smishing), and making a phone call while impersonating a trusted organization or individual (vishing).


When victims interact with or respond to these malicious emails and messages, they can hand over their identity information, their account access, and other sensitive data to cybercriminals. Threat actors can use stolen credentials to infiltrate organizations, install ransomware, impersonate individuals, breach confidential systems, and extort money from employees. Moreover, if an employee's identity is compromised and attackers use it to carry out a business email compromise (BEC) attack, courts may well hold the organization liable on the theory that it allowed the compromise to happen. When customers or employees share confidential information with a business, they expect the business to do what is necessary to safeguard them from scams and data breaches. If customers discover that the business did not perform due diligence to curtail fraud and phishing, or did not adhere to cybersecurity laws and compliance mandates, they may have legal recourse to hold the business accountable.

HOW CAN BUSINESSES REDUCE THE THREAT OF ONLINE SCAMS?

A cyberattack or breach is not just a legal or technological risk. It is a financial risk, a compliance risk, a reputational risk, and a privacy risk. Organizations are strongly advised to adopt the following best practices and recommendations:

1. Ensure Your Employees Undergo In-depth Cybersecurity Training

Employees are often the weakest link, but they are also the last line of defense. No amount of technology controls will work if employees are not vigilant when operating online. Conversely, well-trained employees are among the strongest defenses against phishing and social engineering scams.

Make sure employees receive regular (not just annual) cybersecurity training in the form of phishing simulation exercises, classroom training, regular communications and reminders, webinars, and gamification, in short anything that engages them and reinforces security best practices.

2. Have Comprehensive Policies And Procedures In Place

One of the fundamental pillars of a robust security program is clear security guidance and procedures. Employees must understand what is expected of them from a cybersecurity perspective, what tools are available to them, and what procedures they must follow when they encounter a threat. They must be taught not to trust anything at face value, and to verify the identity of a sender whenever a communication seems suspicious or out of the ordinary. They must learn about the potential risk to the business if they are careless in their actions. Finally, they must also know that the employer could hold them liable if their online misconduct results in a serious incident.


3. Equip Employees With The Right Tools

Along with appropriate technical defenses like threat detection, intrusion prevention, and phishing-resistant multi-factor authentication, it is imperative to arm employees with tools like password managers so they can improve their security practices. Organizations may also consider introducing a hotline to the security team, deploying AI chatbots that provide recommendations and nudges on security best practices, and installing a "phish-alert" button in their mailboxes.

LAWS AND COMPLIANCE STANDARDS NOW MANDATE CYBERSECURITY TRAINING

In the U.S., there are more than 50 federal and state regulations that now mandate security awareness training. What's more, leading compliance standards like PCI DSS, HIPAA, GLBA, FISMA, and CMMC require that organizations deliver comprehensive and regular cybersecurity training to employees. During a legal investigation, if it is found that a business ignored the requirements set by lawmakers and regulators and did not offer appropriate protections, procedures, and security awareness initiatives, that business may be held responsible for a security incident.

Consumers lose billions to social engineering scams every year. Historically, consumers have paid a steep price for being a victim because it was easy for a business to say, "Hey, it's you who wasn't paying attention, it's not our problem." This is changing. Businesses are increasingly being held accountable, liable, and responsible for security-related damages.

The information provided here is not legal advice and does not purport to be a substitute for advice of counsel on any specific matter. For legal advice, you should consult with an attorney concerning your specific situation.

Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.