Cybercriminals are costing businesses trillions of dollars a year globally.
I was on a TV show about artificial intelligence (AI) recently. The host, who is in the public eye, shared a cautionary tale. Because there are hours of video of her on the TV station’s site and YouTube, scammers had trained an AI on her voice. Her family received a phone call that sounded EXACTLY like her that went something like this:
“I’ve had a car accident and rolled the SUV. I got out okay, but the car burned, and my wallet was inside. I’m in the hospital and am starving. Can you please send $100 right away to nursebetty@gmail.com so that I can get some food in the cafeteria?”
Her family has a safe word. If a family member doesn’t use it in this kind of emergency phone call, everyone knows that it’s not them. For this example, I’ll make one up: “jalapeno peppers.” If it’d really been her, she might have said, “I’m in the hospital and am starving and want to have a pizza with ‘jalapeno peppers.’” Her family then would have been certain it was her.
From 2018 to 2028, the annual estimated cost of cybercrime globally is up more than 16-fold. And cybercrime is often underreported, as companies are embarrassed about being hacked and are worried about reputational risk.
Kelly Bradshaw, the former Chief Superintendent of the Royal Canadian Mounted Police (RCMP), notes that only 10% of fraud is reported.
And it’s not just companies that are at risk: individual Canadians are losing $500 million every year to cyber fraud.
Do you have a safe word for your family? (Grandparents are particularly susceptible to this kind of scam.)
What about every employee in your company?
Has everyone in your firm received cybercrime, phishing and ransomware training?
I was working with a TEC group a few years ago and one of the CEOs had hired a firm to train every employee. The course highlighted the tricks fraudsters use in phishing and spear phishing schemes and what employees should watch out for. The course was very engaging and successful, receiving high ratings from employees.
Phishing scams are generic attacks. Spear phishing is where the hackers have researched you and your company. It’s customized phishing. If you’re in accounting, for example, you might get an urgent message from the CEO asking you to transfer $2,500 to a supplier because they have complained to him, and he wants to keep them happy.
Two weeks later, the training firm launched a fake phishing attack. Even after this highly effective training, a staggering 20% of employees keyed in their login details. For me, this highlights three key takeaways:
1) Every employee needs cybercrime, phishing and ransomware training
2) This training can’t be just a one-and-done, but should be an ongoing initiative
3) It only takes one employee to fall victim to this and your systems can be compromised and shut down.
As a leader for your organization, you need to consider the consequences if your company can’t operate for three weeks.
Image source: https://www.statista.com/chart/27097/most-expensive-types-of-cyber-crime-us/
In my company, we have purchased comprehensive cyber insurance tailored to our business and industry. The insurance firm conducted vulnerability testing before offering us a policy and allowed us to mitigate deficiencies to achieve the lowest premiums possible. The insurance covers breaches, legal fees, and ransomware demands, plus the insurance company will help us if we ever do suffer security breaches.
The number and cost of cyber attacks are increasing.
The bad actors are now using AI tools to make their attacks appear more legitimate and increase their success rate. For example:
Cybercriminals don’t only target large organizations that can pay millions in ransomware. A 2021 report by the Insurance Bureau of Canada (IBC) highlighted that 41% of small businesses that suffered cyberattacks incurred costs of $100,000 and more.
I was working with a construction company executive team that wasn’t really worried about cybercrime and cyber risk. They perceived companies in the digital space, like banks and insurance companies, as more at risk.
In August 2017, MacEwan University in Edmonton, Alberta, fell victim to a sophisticated phishing scam, resulting in the loss of $12 million. The fraudsters impersonated Clark Builders, a construction company working for the university, by sending emails that closely resembled legitimate communications from the vendor. These emails requested changes to banking information, leading university staff to unknowingly transfer $12 million of funds to fraudulent accounts.
As John Chambers, the former CEO of Cisco, used to say, there are only two types of companies: those that have been hacked and those that don’t know that they’ve been hacked. In other words, companies must be eternally vigilant about cyber security.
Jim Harris with then Cisco CEO John Chambers at the Consumer Electronics Show, Las Vegas
Jim Harris has been working with TEC Canada for more than 30 years, making him the longest-serving Canadian TEC resource. In February 2024 he was recognized as the TEC Speaker of the Year due to the mind-blowing sessions that he’s been leading focused on artificial intelligence (AI) and Generative AI (GenAI). In 2025 he will begin offering TEC groups a new topic on Cyber Security given the rise in Cyber Crime.
Jim has led a strategic planning exercise for the CIOs and CTOs of Canada’s largest hyper-scalers (Amazon, Google and Microsoft) and leading IT firms in the security space like Palo Alto Networks for the Canadian Forum for Digital Infrastructure Resilience (CFDIR) for Innovation, Science and Economic Development (ISED) for the Government of Canada at the Canadian Centre for Cyber Security. He has also worked with CSIS (but don’t tell anyone).
© copyright 2024 by Jim Harris. All rights reserved. This article cannot be republished without the written permission of the author.
You can reach Jim at jim@jimharris.com or follow him on Linkedin.com at https://www.linkedin.com/in/jimharrisprofile/