Cyber Criminal

No matter the size of your company, it is vulnerable to cyberattacks, says Scot Pflug, chief information security officer at FirstMerit Bank.

“Mid-sized and smaller companies are generally easier to infiltrate because they typically don’t have sophisticated prevention and detection capabilities, but that doesn’t mean that larger corporations aren’t at risk, too,” says Pflug.

Cybersecurity is not just an IT issue; it is an enterprise risk everyone must understand. “This is a business risk like credit, liquidity and operational risk, and it takes a full understanding of the potential impact of the risk to get the right level of attention to fund and identify mitigating activities to combat it,” says Pflug.

The most effective way to mitigate risk is education.

“Most attacks are attempted through social engineering and phishing to trick unsuspecting users into providing information, data or passwords to hackers by clicking on a link that grants access,” says Pflug.

Here are steps to mitigate the risk of a cyberattack at your business.

  • Educate employees about unexpected email or telephone requests. For example, an employee receives an invoice via email. She doesn’t remember ordering anything but clicks on a link or opens the attachment because she wants to be helpful. “She has just inadvertently let the bad guys in,” says Pflug.
  • Install virus and malware protection, and keep it current. Too many companies install it and forget about it, but it’s critical to stay current on virus and malware protection updates, and operating system security patches. Older versions of software are particularly vulnerable because vendors are no longer releasing new patches.
  • Limit administrative rights. Businesses commonly grant these privileges to employees, but that’s a mistake. “Not allowing users to log in with administrative privileges reduces the capability for malware to be installed,” says Pflug.
  • Use a dedicated machine for Internet banking activities. If you receive email or perform other browser-based activity and have clicked on a malicious link or attachment and then go to a banking site, a lurking hacker can steal your user name and password or take over the session with the financial institution. A dedicated machine reduces the likelihood of this type of an attack.
  • Create a phishing campaign. A vendor can create a fictitious phishing email and then monitor clicks. Employees who click on it are notified the activity is indicative of a phishing attack, and had this been real, a hacker would now have access to data. The user is then instructed to take a short online training course. Repeated tests should result in declining click-through rates.
  • Restrict the flow of outbound information from the network. If an attacker gets into the environment but doesn’t have an easy way to steal valuable information, it reduces the hacker’s effectiveness and adds to the methods in which detection of activity is possible.

In addition, FirstMerit offers IBM’s Trusteer, allowing customers to connect to its online banking with monitoring that alerts the user to password stealing, malware, session hijacking and other malicious activity. The service is free to FirstMerit e-Connect® customers and is available by clicking through the pop-up on our website or downloading from IBM directly at

“Security is never perfect; that’s impossible,” says Pflug. “The goal is to minimize risk and mitigate the impact by being secure and vigilant and having the right resiliency.”