By Alex Soderstrom – Staff Writer, Orlando Business Journal (Nov 4, 2020, 10:33am EST)
For one would-be homebuyer, a few changes to some numbers wiped out $400,000 in an instant.
That was a story told to Regine Bonneau, CEO of Winter Park-based cyber firm RB Advisory LLC, by a Realtor during a cybersecurity event last year. The buyer received an email from the title company with wiring instructions for payment and closing costs. The buyer wired the money, but it never went to the title company, because the email was sent by someone posing to be from the title company.
The money was never recovered, Bonneau told Orlando Business Journal.
“Take the finances out of it,” Bonneau said. “Think of the emotional aspect of that loss. The happiness, all that is gone.”
Cyber scams like this threaten businesses and their clients across industries. There’s also evidence to show the number of attacks are on the rise, so it’s important for businesses to know what to do when a cyber attack happens, according to local experts.
“It’s typical to ostrich and ignore the problem,” Adam Losey, business attorney at Orlando-based Losey PLLC, told OBJ. “That’s when people get into real trouble.”
Started with an 'uh oh' moment
Data breaches start with an “uh oh” moment when someone realizes something is wrong, Losey said. If it’s verified that something was stolen, it’s time to call in experts.
That includes a forensics team that will determine what was taken, how the attacker pulled it off and how the data or money may be recovered, Bonneau said. Plus, an attorney typically oversees the entire response process, and businesses may work with a breach coach, who is sometimes provided through the company’s insurer.
This team of professionals is needed to help abide with data breach laws. There are notification deadlines if data is stolen, with Florida businesses required to notify the state's Department of Legal Affairs and those affected by the breach within 30 days of the event. Whether or not stolen data or money is recovered can depend on where the attacker is based, how quickly law enforcement is notified and the amount stolen.
After that process is over, business owners and managers will need to revisit cybersecurity policies to address weaknesses in the protocols. Those changes are typically influenced by the findings of the forensics team. Business leaders may also consider discipline for an employee who was tricked, which can be a tough decision, Losey said.
“Someone can be a model employee, but they do something bad over and over again and you have to fire them.” said Losey.
Hack attack
Cybersecurity was a growing industry and the pandemic has done nothing to slow down the number of attacks. In fact, there’s evidence there are more attacks on businesses as employees are dispersed between home offices.
For example, Losey said this year he has seen combined data breach losses in excess of $10 million among businesses he’s worked with. That’s higher than years past, Losey added. Earlier this year, Tonya Ugoretz, deputy assistant director of the FBI Cyber Division, said the law enforcement agency's cyber complaint portal receives four times the number of complaints as it did before the pandemic.
These attacks are a problem because they can result in lost money or data. Plus, the financial losses can be multiplied if a payment to a client is misdirected or intercepted. If a business isn’t insured for that attack, it’s on the hook for the money it lost plus repayment to the client, Bonneau said.