"I trust my employees."
That's all well and good; however, trust does not deter fraud nearly as much as we would all like it to. In fact, trusting your employees without effective controls puts you at higher risk for some types of fraud, such as skimming and embezzlement, because a trusted person with unchecked access has both the opportunity and the time to conceal it. It is not insulting to your employees to implement good processes; a control that checks everyone protects the honest ones from suspicion when money does go missing. We can help you implement new controls with minimal feather-ruffling.
"She's been with me for years."
We have heard this phrase for almost as many years, and it is often correlated with indications of embezzlement. Embezzlement is one of the more difficult types of fraud to pursue because it can involve such a strong personal violation. Many victims have had their trust violated and feel responsible for allowing it to occur at all. Embezzlement is not the fault of the victim. A combination of factors enables embezzlement, but they often begin with very small violations of basic controls: a reconciliation skipped, a signature delegated, a bank statement that only one person ever opens.
"My data is not important."
At the very least, your data is important to you. You want to access it. That makes you a perfect target for a ransomware scam. Ransomware is software that prevents you from accessing your data, usually by encrypting it, unless you pay the person who is running the software on your machine. Paying does not guarantee you get your data back. Ransomware scams happen often to organizations of every size and to individuals. They can be debilitating, especially if you have access to someone else's data (through a shared drive, for instance), because the software will typically encrypt every location your account can write to, not just your own machine. A current backup that the infected machine cannot reach is the one thing that reliably takes the ransom demand off the table. Our Cyber Hygiene course explains ransomware and other types of cyber fraud schemes. In it, your employees will learn how these cyber attacks occur, who the targets are, who the perpetrators are, and how they can best avoid becoming a victim.
"I changed my password after I saw it was a scam."
We've heard this many times in presentations: a person clicked a link in an unsolicited email, realized they shouldn't have, and hurriedly changed a password. It is never clear which password was changed, and it matters less than people think, because a password change is rarely the fix. What the click actually did depends on where the link went. If it led to a fake login page and you typed your credentials, the attacker has them and has likely already used them; changing the password does not end a session they already hold, and it does not remove the mail-forwarding rule or the extra authentication device they may have added to your account. If the page tried to exploit your browser or talked you into downloading and running a file, malware, spyware, or ransomware may now be on the machine, and no password change touches that. Even an otherwise harmless click confirms to the sender that your address is live and that you click. Viewing the site in private mode changes none of this. The right response is to report the click to whoever handles security for you right away, so the device can be checked and the account's sessions, forwarding rules, and authentication settings reviewed, rather than quietly changing a password and hoping. Read our Foundations articles for basic information about BEC. Our Business Email Compromise course explains how this and other methods work, who perpetrates them, and who the usual targets are. Empower your employees, customers, and vendors to recognize an email fraud scam to prevent becoming a victim.
"I don't do anything on my phone."
Yes, you do. You make phone calls, receive those little one-time codes for 2FA, verify your identity, check email, and much more. All of these activities make you and your data a valid target for cybercrime. Read our Foundations articles for basic information and take our Cyber Hygiene course to learn how to avoid becoming a victim. Our article about SIM swapping, which relies more on social engineering of your carrier's staff than on technical hacking, details how a few good guesses about you can let a criminal take over your phone number through your service provider, receive those codes in your place, and net millions of dollars. It is also why codes sent by text message are the weakest form of 2FA: an authenticator app or a hardware key does not move with your phone number.
"My IT folk handle that stuff."
They don't, not in the way this phrase assumes. Your IT folks are not the ones pushing the buttons, clicking the links, or taking the calls that arrive on your desk; you are. When we hear this phrase from the C-Suite, we all exchange knowing looks. Your IT department has a very different function from your security department: one keeps systems running, the other decides what must not happen to them and watches for it. The two should communicate, but they are separate functions, and in a small organization they may not both exist. Ultimately, you are responsible for your own security. Your organization's security is only as strong as its least informed employee. Learn the basics in our Foundations articles and learn even more in our Cyber Hygiene Course.
"We're too small for separation of duties."
This is another phrase we hear often that results in an exchange of knowing looks. Often, this phrase is an indicator of skimming, payables or receivables schemes, ghost employees, or vendor billing schemes. One of the simplest, most basic controls is a separation of duties. The person who receives the check should not be the person who deposits it. The person who approves a bill payment should not also be the person who approves vendors. When there truly are only two of you, the compensating control is that the owner personally opens the unopened bank statement and reviews the vendor list every month. Read our Foundations articles for more simple controls you can implement yourself.
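A small separation-of-duties audit that can be run over exported bookkeeping records, as an added example that is not part of the original article. The record layout (received_by, deposited_by, a vendor master list with its own approved_by) and every name and amount are constructed for illustration, not taken from any real accounting package; a real export would need its own field mapping. It goes one step beyond the two rules stated above by also flagging payments to a vendor that never went through approval at all, which is the shape of the vendor billing and ghost-vendor schemes mentioned in this section.

```python
"""Separation-of-duties (SoD) audit over constructed bookkeeping records.

Added example for this page; not code from the original article. The record
layout (received_by, deposited_by, approved_by, vendor master list) is an
assumption about how a small shop might export its books, not the schema of
any real accounting package.
"""

# Constructed sample data. R-2 and P-2 each have one person in both controlled
# roles; P-3 pays a vendor nobody ever approved (the shape of a ghost-vendor scheme).
RECEIPTS = [
    {"id": "R-1", "received_by": "alice", "deposited_by": "bob",   "amount": 1200.00},
    {"id": "R-2", "received_by": "carol", "deposited_by": "carol", "amount": 350.00},
]
VENDORS = [
    {"vendor": "Acme Supply",   "approved_by": "erin"},
    {"vendor": "Northwind Ltd", "approved_by": "frank"},
]
PAYMENTS = [
    {"id": "P-1", "vendor": "Acme Supply",     "approved_by": "dave",  "amount": 980.00},
    {"id": "P-2", "vendor": "Northwind Ltd",   "approved_by": "frank", "amount": 4400.00},
    {"id": "P-3", "vendor": "Zeta Consulting", "approved_by": "frank", "amount": 2750.00},
]


def receipt_violations(receipts):
    """IDs of receipts where the person who received the check also deposited it."""
    return [r["id"] for r in receipts if r["received_by"] == r["deposited_by"]]


def payment_violations(payments, vendors):
    """Cross-record check: the person approving a payment must not be the person
    who approved that vendor, and every paid vendor must exist in the master list."""
    vendor_approver = {v["vendor"]: v["approved_by"] for v in vendors}
    same_approver, unknown_vendor = [], []
    for p in payments:
        approver = vendor_approver.get(p["vendor"])
        if approver is None:
            unknown_vendor.append(p["id"])      # paid, but never approved as a vendor
        elif approver == p["approved_by"]:
            same_approver.append(p["id"])       # one person controls vendor and payment
    return {"same_approver": same_approver, "unknown_vendor": unknown_vendor}


def exposure(payments, vendors, receipts):
    """Total dollars that passed through a flagged record, to prioritise review."""
    flagged = set(receipt_violations(receipts))
    pv = payment_violations(payments, vendors)
    flagged |= set(pv["same_approver"]) | set(pv["unknown_vendor"])
    return sum(r["amount"] for r in receipts + payments if r["id"] in flagged)


if __name__ == "__main__":
    print("receipts with one person in both roles:", receipt_violations(RECEIPTS))
    print("payment findings:", payment_violations(PAYMENTS, VENDORS))
    print("dollars through flagged records:", exposure(PAYMENTS, VENDORS, RECEIPTS))
```

The point of the third function is triage: a two-person shop that cannot staff every role separately can still review every flagged record, and sorting by dollars through them tells the owner where to look first.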
"This is how it's always been done."
This phrase can indicate an unwillingness to explain anomalies, an inability to accept what has happened and address it, or a difficulty in implementing basic controls. Often, we hear this phrase used to explain away a valid concern. In some cases, we see fraud begin as simple incompetence that later grows into an intentional act to deceive and deprive. When that happens, this phrase tends to appear.