
What you and your company need to know about cybersecurity now
When it comes to managing cyber risk in 2021, Joe Granneman doesn’t mince words. “We’re losing the battle,” says Granneman, CEO of Illumination.io and author of “Cyber Risk and Security in the Equipment Leasing and Finance Industry,” the Equipment Leasing & Finance Foundation’s new study. “The ways we try to manage cyber risk no longer work, because it’s no longer possible to know all the risks. Our biggest adversaries today aren’t worms or viruses, but human beings who work fulltime to do harm for profit. You can’t put a mathematical model around that. The best we can do now is know when they’re in our system or network and doing damage.”

“Our biggest adversaries today aren’t worms or viruses, but human beings who work fulltime to do harm for profit.”
Joe Granneman, Illumination.io

If that sounds dramatic, be assured—it is. Results from a survey done as part of the new Study show that an eye-popping 59% of participating companies have received one or more emails with fraudulent instructions for wire-transfers. Three postings in a single week on ELFA’s online community, “LegalTalk,” illustrate the problem and are reproduced below, without identifying information:
1. “Be on guard for an email looking for counsel who can handle a medical equipment lease. I got one from someone claiming to be with a company on the web. Typically, a ‘broker’ sends a 6-figure check, saying the ‘client’ wants you to wire out the deposit and keep a retainer.”
2. “Yes, I had that happen three times in the last six months. One ‘transaction’ was for the lease of oil-drilling equipment for a platform in the Gulf of Mexico. The others were for medical equipment.”
3. “I received a Toronto Bank Cashier’s Check for $360,000 last week with instructions to take my retainer out and hold the rest in trust for preparation of a medical equipment lease. I had no such agreement. Same scam I’ve seen several times in the past year.”
Innate Vulnerability
Julia Gavrilov, Counsel at Moritt Hock & Hamroff LLP and a member of the Foundation’s Research Committee, says equipment finance companies are particularly vulnerable to fraud and other cyber risks due to the number of financial transactions run through their various departments. “We’re all getting more sophisticated technologically, and cyber criminals are as well,” she says. “Although new cyber-security regulations are continuously being enacted and a number of companies are complying, the landscape is changing quickly—and many equipment finance professionals don’t appreciate that full compliance with new regulations doesn’t necessarily provide for a sufficiently protective cybersecurity program.”
The growing use of ransomware is one reason Gavrilov proposed that the Foundation conduct the study. “We were seeing more data breaches making headlines, and there were minimal to no prior studies that were performed on cyber-security risks that were tailored toward the equipment leasing and finance industry,” she recalls. “I wondered how our industry could be specifically affected and thought this could be the right time for a study that alerts ELFA members of all sizes that they are at risk, looks at our biggest challenges and gives practical advice on implementing processes to create a good cybersecurity base.”
Gavrilov cites four major takeaways from the study. The first: clear explanations of the multiple ways in which equipment finance companies can be hacked. “Being able to see and understand the different mechanisms used to break into systems, such as ACH and vendor relations to name a few, really brings home the risks we need to consider,” she says.

“We’re all getting more sophisticated technologically, and cyber criminals are as well.”
Julia Gavrilov, Moritt Hock & Hamroff LLP

Second is the widened perspective the true case studies provide, helping readers envision their companies in similar situations. Third is the practical advice and recommendations given to help companies of all sizes and resource levels start building a solid cyber-security base. “While there has been a degree of fear instilled from hearing or reading about companies that have experienced data breaches, we don’t often learn what can be done to reduce the risk,” she explains. “This study sheds light on a number of avenues to pursue, including purchasing cyber-liability insurance, and reminding readers that there are third parties who will train a company’s IT and security professionals in cybersecurity.”
Gavrilov’s fourth takeaway is the Study’s comprehensive section on compliance and regulatory updates. Along with details on landmark federal laws and regulations are notable state privacy and security acts and a discussion on doing business in the age of such regulation. “Having all of this legislation laid out is so valuable,” says Gavrilov. “It’s something every equipment finance company should know and keep on hand.”
Double Danger?
A discussion of relevant legislation points to another situation that Jeanette Dannenfelser, Vice President and General Counsel at Summit Funding Group, says is delivering a double whammy to equipment finance firms. “Companies in our industry perform business-to-business transactions, but we also collect personal information,” she observes. “The laws requiring us to protect that information are growing in number and scope, but I believe many attorneys in the industry underestimate the amount of personal data companies receive.”
Among the data companies receive and usually keep on file are locations of equipment, contact information for certain individuals and details gathered by equipment inspectors. Says Dannenfelser, “All of this is in our systems, and our obligations to safeguard it are increasing. At the same time, data breaches are multiplying, and the threats are substantial. As companies, we need to educate ourselves on tactics used by fraudsters and train our employees as part of an overall cybersecurity program.”
Andrew Cotter, Executive Vice President at Somerset Capital Group, Ltd., urges all ELFA members to read the Foundation study and act on its recommendations to assess and upgrade their company’s data-handling policies and cybersecurity program. “No one is safe,” stresses Cotter. “Fraudsters have unlimited time and opportunities, and if they want to get into your data, eventually they will. This in-depth study includes case studies we can relate to and actions we can all take to increase our protection.”
What It Takes
Although many equipment finance companies employ IT professionals, far fewer have cybersecurity experts. Granneman explains how the two differ. “IT engineers build systems and processes to make things work. Cybersecurity experts look at what’s been built and figure out other ways it can be used. They think like adversaries to find vulnerabilities in your processes and people,” he explains. He believes even the smallest companies need cybersecurity advisors who regularly assess and evaluate systems and advise on necessary changes.
At the same time there are preventive steps companies can themselves take, such as training workers to spot unexpected changes in ACH protocol, errors or inconsistencies in client or partner emails and other red flags. “We had one criminal use a client’s full name and email address, then add a re-direct in the ether that we couldn’t detect,” says Dannenfelser. “But we noticed changes in grammar and word choice that tipped us off.”

“As companies, we need to educate ourselves on tactics used by fraudsters and train our employees as part of an overall cybersecurity program.”
Jeanette Dannenfelser, Summit Funding Group

Dannenfelser suggests companies regularly audit their list of firms and individuals emailed and perform a kind of multi-factor authentication (MFA) on all new vendors and clients. “For example, call them right after they call you, and make this part of your compliance program,” she says.
Granneman recommends moving your data to the Cloud. “But make absolutely sure you’ve done the lockdown,” he cautions. “And if you’re using Office 365, set up MFA and double-check to make sure it’s working. You still have to harden and secure your Cloud infrastructure when you move to the Cloud, and unless security is embedded into it, you’re just handing criminals an opportunity.”
Cotter says that overall, equipment finance companies must learn to see cyber risk not as a technology issue, but as an ongoing issue of people and processes. “We need to understand that these threats are constant, that we will be attacked, and that we must know our response and be prepared to deliver it immediately,” he says. From regularly reviewing communication and funding procedures to teaching employees to identify those areas, companies can raise awareness and reduce risk.
Scene from a Ransomware Incident
It was getting close to 5:00 p.m., and Shannon watched many of the staff leave the office. She was packing up her laptop to work at home as she was still finishing the budget for next year. She was used to being one of the only people left in the office late at night. Shannon turned to her desktop computer to make sure she was closed out of the files she would want to access from home. This was when she noticed the error messages on her screen. She realized that something was very wrong….
- Excerpted from “Cyber Risk and Security in the Equipment Leasing and Finance Industry.”
Read the full case study and lessons learned at http://bit.ly/ELFFcybersecurity.
Improving Safety at Home
It’s no surprise that working from home creates additional opportunities for cyber criminals. Any time home devices and/or networks are used, the opportunities for infiltration increase. “We don’t allow our employees to use their own computers when working from home,” says Cotter. “When you’re at the office, you’re in a walled-off, controlled environment. But at home, when you have Xbox, other devices and other files on the same network you’re using for work, it’s like doing field surgery in the middle of battle.”
In addition to using MFA to log into company systems—and any system involving finances—Dannenfelser suggests companies evaluate the ways they exchange information with partners and clients. “If you have transactions you discount with a partner lender, review the disclosure agreements you have with them,” she says. “Then review your contractual terms with customers and vendors. If any of these parties are hacked and your company falls victim to the exchange, who will address the problem and pay for it? Contractual terms that protect you are critical to your company’s well-being.”

“We need to understand that these threats are constant, that we will be attacked and that we must know our response and be prepared to deliver it immediately.”
Andrew Cotter, Somerset Capital Group, Ltd.

Hope On the Horizon
Today most equipment finance companies are battling cybercrime by themselves, but Cotter expects this to change. “Every single one of us has to find a cybersecurity vendor, put up better firewalls and install software and procedures to protect their networks. While the largest organizations have already done it, I think companies will develop partnerships with the FBI and other organizations to alert them to red flags and data breaches,” he says.
Already, federal mandates have emerged for oil pipeline security, and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is leading a coordinated effort with public and private sector-critical infrastructure partners to enhance the security of the nation’s critical infrastructure. Cotter thinks these moves are a good beginning, and that equipment finance companies need much more. “Is there a poster in my office telling me what to do if we’re breached? Is there an 800 number for me to call to deal with it? If we share information with other companies for cybersecurity, is there a contact person to alert if our systems raise a red flag? This kind of information needs to be available to all organizations,” he says.
Because today’s data systems aren’t housed in one place but are interconnected with multiple software products, services and the Cloud, Cotter says companies will also need a way to authenticate software updates to ensure the absence of malware. “When you read the Study, you’ll understand,” he says. “The successful insertion of malicious code into a software company’s product suite gave criminals access to the systems of more than 18,000 organizations, including the Pentagon, when they downloaded the latest update.”
To learn more about the evolving states of cybercrime and cybersecurity, see the “Additional Resources” box. Then follow Cotter’s suggestion and at your next board meeting, discuss creating a budget for people and processes to address and monitor cybersecurity. Whatever you do, don’t walk away. “It’s our job to defend and protect, knowing others continually look for ways into our systems to extract funds,” says Cotter. “Read the study, get the tools. And every day, fight this battle.”
Additional Resources
To learn more about the topic of cybercrime and cybersecurity, see these new resources from the Equipment Leasing & Finance Foundation:
Cyber Risk and Security in the Equipment Leasing and Finance Industry – Provides an overview of current and future industry threats, cyber defenses, regulations and trends in compliance and practical advice for securing any size organization. Download at http://bit.ly/ELFFcybersecurity
Working from Home: A Hacker’s Perspective – Don’t miss this article by Joseph Granneman in the Spring Journal of Equipment Lease Financing at https://www.leasefoundation.org/industry-resources/journal-of-equipment-lease-financing/
Podcast: Return to the Office Part 2 – Equipment finance industry leaders discuss the workforce of the future, balancing in-person collaboration with hybrid teams, investment in technology resources and more. Listen at https://www.leasefoundation.org/industry-resources/podcast/
Article Tags: EL&F magazine article; LEGAL RESOURCES; OPERATIONS & TECHNOLOGY; Cover Story; 2021