The economic contraction caused by the Covid-19 pandemic makes it harder than ever for companies to take on additional expenses.
Faced with closure, many businesses are cutting benefits and salaries.
Furniture manufacturer La-Z-Boy cut salaries between 25 and 50 percent, Tesla has slashed salaries for some employees and furloughed others; dozens of media outlets have made deep personnel cuts. As austere as this may sound, as of August 1, more than a million small businesses have closed for good since the onset of Covid-19 in the United States.
While it may seem counter-intuitive, now is a very good time for small and medium sized businesses to consider providing their remaining employees with a wider array of employee benefits—specifically cyber and identity protection.
Time lost due to identity related crime is a productivity killer, and with reduced staffing that could be mission critical. Additionally, the financial risks to an organization from data breaches and cybersecurity incidents is still on the rise. A recent IBM/Ponemon Institute study calculated the average cost of a data breach at $3.86 million, or $242 per stolen record in 2020, an increase of over ten percent since 2014.
Not included in these costs are the increasingly widespread regulatory fines for breaches, including the European Union’s GDPR, the United Kingdom’s Data Protection Act, and similar laws in New York, California, and Colorado, as well as legal fees associated with lawsuits that tend to follow high-profile data breaches.
The message here for businesses may be unpalatable, but it’s clear: The cost of data breach prevention is a bargain compared to the cost of a successful cyberattack.
Here are three benefits employers should consider providing to stave off potential extinction-level cybersecurity incidents.
Identity Fraud Protection Services
Many companies will offer identity fraud and theft protection services to customers who have had their data compromised in a breach, but relatively few provide it as a benefit to their employees—just 25 percent as of 2019. This approach ends up costing businesses in the long run, according to CyberScout founder and chairman Adam Levin.
“If you don’t subscribe to an identity theft resolution service or lack a plan of action before you suffer a personal compromise, you will need to spend more time and more money than you are probably prepared to spend,” said Levin.
This often has a major impact on workplace productivity. Recent studies estimate that the average victim of identity theft spends 165 work hours trying to resolve the issue. That’s more than 20 work days, or $4,300 of lost productivity for a salaried worker making $50,000 per year. With 3.2 million cases of identity theft and fraud reported in 2019, that amounts to a massive loss of time and money for businesses.
Identity theft victims will typically use twice as much sick time and are absent five times more than average, and that’s not counting the potential loss of productivity if they happen to involve their co-workers.
“Everyone becomes a sleuth trying to help their friend out,” said Levin.
There are a variety of identity theft and fraud resolution services companies can offer their employees to help prevent this level of disruption.
Credit monitoring can track activity on credit reports from credit bureaus such as Equifax, Experian, and TransUnion. This helps to identify new financial accounts opened, changes in credit limits and other potential indicators of identity theft, but is not a panacea.
“Credit monitoring only warns you about activity that shows up on your credit report. But many types of identity theft won’t appear. For example, credit monitoring won’t tell you if an identity thief withdraws money from your bank account, or uses your Social Security number to file a tax return and collect your refund,” according to the FTC’s consumer website.
Identity monitoring services regularly screen a wide array of reports to see new activity associated with personal data, including change of address requests, arrest record searches, new utility payments, and transacted information on the dark web.
Identity Recovery and Insurance services help mitigate the potential damage following the exposure or theft of an employee’s identity. These services will often provide reimbursement for expenses to repair credit history as well as lost wages, child care, and fees for re-applying to loans that have been declined.
“Expert assistance is required when consumer or business accounts have been taken over, new accounts have been opened fraudulently for financial gain, or simply when someone has questions or needs to mitigate risk associated with identity theft,” said Matt Cullina, executive vice president of strategic partnerships at CyberScout.
Devices and Software
As of March 2020, nearly 60% of “knowledge workers” have been working from home, roughly double the number in 2019. While this has represented a major cultural shift for many workplaces, it’s also opened the door for a wide array of hacking and phishing schemes. One of the primary issues is that many workers are using their own personal, and often unsecured, devices to access crucial and sensitive data at work.
“[T]he short-term capital savings... is easily outweighed by the expense and reputational damage to an organization that’s possible when an employee clicks on malware, a phishing scam or other compromising media,” says Levin. “There are too many variables, and any personal device that connects to the company network where sensitive data is accessible has to be considered a liability, be it a phone, tablet or computer. Further, any cost savings may be negligible after the cost of security cleanup is factored in.”
Employees who are providing their own hardware often have significantly less oversight for what software is installed on their devices, and may be sharing devices with children who are easier targets for phishing and hacking.
Many companies that do provide their employees with devices neglect the installation of timely updates. A recent survey from DSA Connect found that 13 percent of workers use hardware that has not been upgraded for anywhere between three and five years. Older and unpatched hardware can represent a large part of an organization’s attackable surface.
“I understand why employers don’t necessarily want to spend money on upgrading their technology and many will be under pressure to cut their budgets due to the financial strain caused by coronavirus. However, they should not only assess the impact on employee productivity from not upgrading, but also the greater risk they face of suffering a cyber-attack and a serious data breach,” said DSA Connect Chairman Harry Benham.
The problem isn’t confined to hardware, either. Pirated and/or unlicensed software used by employees can also expose corporate networks to malware and leave them less secure.
“[M]any companies have a ‘don't ask, don't tell’ policy when it comes to unlicensed software,” said Levin. “If a business owner has an employee who is able to get their work done, there's not a lot of incentive to intervene or check if they've paid for all of the software used to do that work… any business depending on software it hasn't paid for is being penny wise, because the cost of a compromise can be astronomical--if not an extinction level event.”
Companies, especially those with remote workforces, should be willing to provide work-specific devices to employees. It provides a greater level of control as to whether or not it is being used securely, and mitigates many of the risks of BYOD (bring your own device) workplaces.
Despite the constant headlines about elite level hackers deploying state-of-the art malware, and ransomware, the primary cybersecurity threat to companies is the comparatively low-tech, yet ubiquitous, phishing email.
According to one study, 65 percent of companies and organizations in the United States have experienced a successful phishing attack within the last year, another shows that fully 22 percent of all data breaches are phishing-related, and yet another found that 68 percent of detected ransomware campaigns used spear-phishing attachments as their initial point of access into company networks.
“You know that time of day when work gets particularly hectic? Well so do practiced phishers and that’s often when the skillful ones strike. You’re focused on the tasks at hand, not whether that link in your co-worker’s email looks suspect,” said Levin. “Bottom line: Busy equals distracted, distracted equals vulnerable, and that’s when or why we may not see a phishy link for the security threat it is.”
The success rate for phishing emails directed at employees consistently shows the need for greater security training at every level of a company, especially since a recent study of U.S. workers found that only 49 percent were able to correctly answer the question “what is phishing?” and nearly 30 percent believed that “malware” is a type of hardware that boosts Wi-Fi signals.
Misconceptions and general ignorance of cybersecurity “are what feed the predators in this cyber ecosystem of trickery and human fallibility,” said Levin, who says that training and proper preventative measures can help minimize the threat.
Cybersecurity fundamentals including how to recognize telltale signs of a phishing email, using strong and unique passwords, how to enable multi-factor authentication, and the consequences of poor cyber hygiene should be a topic for training at every level of a company, from the C-Suite to the mailroom.