What are you doing tomorrow? Frank Figliuzzi, former assistant director for counterintelligence at the Federal Bureau of Investigation, wants you to block off your morning and plan how you're going to handle your inevitable cyberattack.
"This is the new robbery. This is the new 7-Eleven convenience-store stick-em-up," says Figliuzzi. "The time to make a decision is not in the middle of a crisis."
Figliuzzi recently talked about how to protect corporate brands and reputation in the digital age with Gary Sheffer, a professor of public relations at Boston University. They spoke in a webinar by Smart Works Collaborative, an initiative on change and disruption in business from Westport, Connecticut, public relations firm Meryl Moss Media Group.
Figliuzzi, author of The FBI Way: Inside the Bureau's Code of Excellence (Custom House, 2021), offered guidance that business owners and leaders of organizations of all kinds can use to protect against the growing threat of ransomware and other cybersecurity risks, including deep fakes. Here are some takeaways you can put to work today.
According to Figliuzzi, the best course of action that a leader can take now to protect against a ransomware attack is to assemble a crisis management team and an IT leadership group, review your insurance policy for cyberattack coverage, and talk with your insurers about it.
He says you should nail down the answers to these four essential questions:
- When do we pay?
- When do we not pay?
- What does insurance cover?
- How do we shore up our defenses?
To that last point, make sure your company isn't beholden to one single source of operations--and even run a redundancy practice drill to understand how vulnerable you may be to an attack.
What's more, ask your employees for input about the risks they see. You may hear about vulnerabilities you might not have noticed yourself, Figliuzzi says. Once you have a list of possible risks, pick a few that fall into the "moderate chance" and "moderate damage" categories. Start with those, and work your way up from there, he says. That's your plan.
Employees also need to know about deep fakes--realistic photos, audio, videos, and other counterfeit imitations generated with artificial intelligence. They're increasingly part of a typical financial fraud scheme. For example, Figliuzzi explains, an employee may receive a video showing someone who looks exactly like the CEO saying to move a large amount of money into an account by the end of the day. Similarly, employees are now receiving deep-fake phone calls that sound exactly like the CEO asking for money to be moved into an account, he says.
You need to make it clear to employees, particularly in financial areas, that the movement of money should never be generated by an incoming communication and that they should always confirm it with you directly, Figliuzzi says. Tell your employees point blank: "It's going to take your picking up the phone and going, 'I'm sorry to bother you, but did you just tell me to move a million dollars or not?'"
Remote-work cybersecurity risks
As companies bring employees back into an office setting after a year or more of remote work, more security issues could be on the horizon, particularly if your business isn't on the cloud or using a VPN, Figliuzzi says.
Figliuzzi advises businesses to start troubleshooting now. Ask your IT team about any cybersecurity risks they may have seen since remote work began, especially as employees have used their own devices for work more often at home. These may include attempted incursions on your firewall, an increase in outbound data, or a flood of attachments and emails sent outside of your system, he says.
"I predict as we move forward, we're only going to continue to hear stories of compromise and attack and vulnerability as people use their own devices," Figliuzzi says.