Thursday, January 19, 2017

A not-so-subtle reminder about the need for cybersecurity training

I feel like I’ve written a lot lately about the need for cybersecurity training for employees (for example, here, here, and here). Yet, as long as employees keep opening unknown emails and clicking on strange links, we need reminders of why this training is necessary. And, just this past week, the Cleveland Metropolitan School District offered a great teachable moment.


WEWS reports that CMSD teachers were victims of an email spoofing scam resulting in their direct-deposit compensation being sent to an unknown third party. The scam affected 61 employees and resulted in the diversion of more than $100,000 in payroll.

As a result, CMSD CEO Eric Gordon sent the following priority email to all District employees:

Good evening CMSD Educators, 
This morning we became aware of an incident that affected the financial information of a small number of our employees in that some of our employees were the victims of an email spoofing scam that resulted in their direct- deposit compensation being directed to an unknown third party. We have already taken steps to prevent additional malicious activity, reported this incident to law enforcement, and have called in experts to help resolve this problem now and for future pays. Meanwhile, paper checks have been printed for those who were affected and we are in the process of delivering those checks now. 
I want to remind all employees of ways to keep your CMSD account and your personal information safe. First, please remember that CMSD will never ask you to change your network password via email. The only way your password can be changed is by logging directly into the “login dialogue box” when you first turn on your computer. Also, please always use a network password that is specific and unique to your CMSD account. Do not use a password that you may also use on other accounts such as your online banking or any other financial accounts. Finally, if you ever have a reason to question whether you should follow a link received in your email, please call the Help Desk and speak to a person who can validate the request. 
I will be updating everyone about this issue as soon as more information is available. In the meantime, if you have a question about your individual payroll, please contact the Help Desk by phone at 216-838-0440 or by email at WDPayroll@clevelandmetroschools.org. Support will be available between 8 am and 3 pm on Saturday and Sunday, and 6 am to 8 pm on Monday to assist.
My apologies for the difficulties some of our employees experienced today. I deeply regret that today’s event occurred. 
Sincerely, Eric Gordon

A mass email to your employees is not a quality substitute for comprehensive and meaningful cybersecurity training. It only takes one employee to click on one unknown link in an email to compromise your entire network and all of its stored information. CMSD got lucky. This breach only impacted 61 employees and only cost $100,000. It could have been a whole lot worse. Indeed, according to the latest IBM Cost of Data Breach study, the average data breach costs an U.S. employer a staggering $7.01 million.

“The cyber” is the biggest threat facing employers in 2017 and beyond. Call your attorney and make sure that your employees are equipped with the knowledge to protect your network from cyber attacks. Ignoring this issue is simply a risk your business cannot afford to take.