MacEwan University, a large university in Edmonton, Alberta, Canada, with enrollment of around 20,000 students per year, was recently defrauded of $11.8 million because of a lack of cyber security and phishing awareness training. An employee failed to verify whether emails requesting banking information changes for a scheduled payment were real. This human error allowed money to be drained from the University's coffers.
The first transfer of funds was on August 10 for $1.9 million, the second on August 17 for $22,000, and the third on August 19 for $9.9 million. These large payments were supposed to have been made to a construction vendor. On August 23, 2017, the vendor called MacEwan to ask where the payments were.
Most of the money has been located and frozen in accounts in Montreal and Hong Kong. The University will likely get much of the money back because of quick government action.
David Beharry, a representative of the University, explained that the scammers sent phishing emails that looked “legitimate.” There will be a lot of finger-pointing over this large breach in such a large, public institution. But the real question is: how are we helping our employees learn the dangers of the new world of cyber threats?
A recent Kaspersky study, the Human Factor in IT Security, shows the impact of not educating staff. Current statistics show that employees actually hide cyber security incidents because they don’t understand the severity and implications of an attack: 29% of employees in VSBs, 42% in SMBs and 45% in Enterprises. Without education and clear training, employees will hide the very incident that puts the organization at risk.
If we can learn one thing from the breach at MacEwan University, it is that educating employees on a regular basis is a very small step toward dramatically reducing the risk of significant exposure and loss. All levels of staff need to understand the risks and the ramifications of their actions.
Stronger offers a customizable online compliance and security awareness training solution that helps organizations easily implement complete training programs. The training can be tailored to the needs of the organization and different employee roles – from end-users to IT managers.