Whether you’re a consumer hunting for gifts or a business preparing for peak sales, here’s what you need to know to stay safe.

Common Holiday Scams to Watch Out For

Fake Online Stores

Scammers create realistic-looking websites that mimic popular retailers. These sites often advertise luxury goods or electronics at steep discounts to lure shoppers in.

Red flags:

1. Unfamiliar URLs or misspelled brand names
2. No contact information or vague return policies
3. Requests for payment via gift cards or cryptocurrency

Social Media Ad Scams

Fraudsters may use stolen logos and polished designs to promote fake products or stores. Always verify the seller before clicking on an ad. Visit the retailer’s official website directly instead of following embedded links.

Phishing Emails and Texts

Scammers send fake order confirmations, shipping updates, or urgent requests for payment. These messages often impersonate trusted companies like Amazon, USPS, or PayPal.

Don’t click on links in unsolicited text messages. Instead, log in to your account directly through the company’s official site.

Gift Card Scams

Scammers may ask you to pay for items or bills using gift cards. Others tamper with physical cards in stores, stealing the codes before they’re purchased. Only buy gift cards from trusted retailers and never use them as a form of payment for goods or services.

Fake Marketplace Listings

On platforms like Facebook Marketplace or Craigslist, scammers post attractive deals on high-demand items. After payment, the item never arrives. Use secure payment methods and avoid transactions with sellers who refuse to meet in person or provide verifiable details.

Tips to Protect Yourself

• Shop smart: Stick to reputable retailers and check for HTTPS and a lock icon in your browser.
• Use credit cards: They offer better fraud protection than debit cards or peer-to-peer apps.
• Avoid public Wi-Fi: Use a VPN or secure network when shopping online.
• Enable alerts: Set up transaction notifications with your bank to monitor suspicious activity.

Scammers thrive on urgency, distraction, and emotional decision-making, three things that are all too common during the holidays. Whether you’re buying gifts or running a business, a few extra seconds of caution can save you from costly mistakes.

Let’s make this season joyful and scam-free. If you suspect fraud or need help securing your accounts, reach out to Choice Bank. We’re here to help.

The post How to Avoid Holiday Shopping Scams appeared first on Choice Bank.

According to a recent survey by Howdy.com, a staffing and recruitment company, an estimated 1 in 6 workers say they pretend to use AI, and 1 in 5 feel pressured to use it even though they are uncomfortable doing so. This disconnect between reported and actual engagement with AI reveals that many employees feel pressured to adopt technologies they don’t fully understand or trust, often without adequate training or support.

Employee Adoption of AI

While AI holds immense promise for improving productivity, decision-making, and innovation, its implementation is not without pitfalls. Employers eager to stay competitive may inadvertently rush the process, assigning AI-related tasks to employees without assessing their readiness or providing clear guidance. This can lead to misuse, inefficiency, and even resistance, undermining the very goals AI is meant to achieve.

Moreover, forced adoption can foster a culture of fear or dishonesty, where employees feel compelled to fake it rather than admit confusion. This can skew internal metrics and stifle meaningful feedback that could improve AI integration strategies. To harness AI’s potential responsibly, organizations must approach their rollout with intentionality, balancing enthusiasm with empathy and innovation with education.

6 AI Training Mistakes to Avoid

Training employees on AI tools and concepts may allow an organization to become more competitive, but it’s easy to overlook key factors that can hinder adoption and effectiveness. A successful AI training program requires thoughtful planning, clear communication, and ongoing support. The following are six common mistakes to avoid when training employees on AI:

• Assuming familiarity: Many organizations roll out AI tools under the assumption that employees are already tech-savvy or will “figure it out.” This overlooks the wide range of digital literacy levels across teams. Without assessing baseline understanding, employers risk alienating those who feel overwhelmed or underprepared, leading to disengagement or misuse of the tools.
• Implementing one-size-fits-all training: Generic training modules often fail to address the specific needs of different roles. For example, a customer service representative may need hands-on experience with AI chatbots, while a data analyst might require deeper insights into machine learning models. Tailoring training to job functions can help ensure relevance and increase adoption.
• Assuming AI works for all tasks: One of the most counterproductive assumptions in AI adoption is believing it should be used for every task, regardless of context. Not every task benefits from automation or algorithmic assistance, and forcing AI into every workflow can diminish trust and reduce overall effectiveness. Instead, managers should collaborate with employees to identify specific tasks where AI can genuinely add value. This targeted approach can improve productivity and help employees see AI as a helpful tool rather than a burdensome requirement.
• Overwhelming employees without teaching contextual use of AI tools: One of the most common missteps is introducing AI without helping employees understand where it fits and where it doesn’t. Without clear guidance on appropriate use cases, employees may either over-rely on AI for tasks that require human judgment or avoid it altogether out of uncertainty. Effective training should go beyond tool functionality and focus on decision-making: when AI can enhance efficiency or insight, and when manual processes or human expertise are more appropriate. This can empower employees to use AI thoughtfully, not just habitually.
• Failing to stay up to date on AI developments: AI tools and platforms evolve rapidly, often with significant changes to capabilities, interfaces, and best practices. When organizations fail to stay informed about these updates, they risk using outdated methods, missing out on efficiency gains, or even introducing security vulnerabilities. Employees may unknowingly rely on deprecated features or overlook new functionalities that could simplify their work. Employers should build regular check-ins, update cycles, and learning opportunities into their AI strategy to keep both leadership and staff informed.
• Neglecting to create an AI policy: In the rush to adopt AI tools, many organizations either overlook the need for a formal, written AI policy or hastily create one without updating it as technologies rapidly evolve. Without clear guidelines, employees may be unsure about what’s permitted, what’s confidential, and how AI should be used responsibly. This ambiguity can lead to inconsistent practices, data misuse, compliance risks, and even ethical concerns. A well-crafted AI policy helps set expectations around usage, accountability, and limitations, ensuring that employees understand the opportunities and boundaries of AI in their roles.

When implemented thoughtfully, AI can be a powerful catalyst for growth, efficiency, and innovation across an organization. However, its success depends not just on the technology itself but also on how well people are prepared to use it. Avoiding common training missteps can help employees feel supported, informed, and confident. By investing in clear communication, tailored learning, and ongoing engagement, companies can create a culture where AI is embraced as a helpful tool rather than a source of confusion or pressure.

This HR Insights is not intended to be exhaustive, nor should any discussion or opinions be construed as professional advice. © 2025 Zywave, Inc. All rights reserved.

The post Avoiding AI Employee Training Mistakes appeared first on Choice Bank.

Know The Scam Warning Signs

1. Unsolicited Contact: Be wary of unexpected calls, emails, or messages.
2. Pressure to Act Quickly: Scammers often create a sense of urgency.
3. Requests for Personal Information: Legitimate organizations will not ask for information via phone or email.
4. Unusual Payment Methods: Be cautious if asked to pay with gift cards or wire transfers.

Follow These Tips to Protect Yourself:

• Lock your devices. Use a passcode or fingerprint to lock your phone or tablet. Use passwords at least 12 characters long.
• If someone asks you to pay by wire transfer or gift card, it’s probably a scam.
• Limit how much personal information you share online. Set your social media profiles to private. Only accept friend requests from people you know.
• Never click unexpected links shared via email, text message, social media, etc. A message asking you to click a link to confirm a package delivery or pay an overdue balance is likely a scam.

Common Scams

Telephone Scam

Scammers may call you pretending to be family members or from legitimate companies to steal your personal information. The scammer may even use technology to impersonate the voice of someone you know. Hang up if a call is suspicious and then call the alleged party back using their regular number. If the caller says they are from a technology company and says there is an issue with your computer, never give them access to your device.

Tips for Avoiding Telephone Scams:

• Be suspicious of any pressure to send funds via wire transfer or gift card.
• Talk to your banker before sending money for a second opinion – they can help you determine if the request is legitimate.
• Before offering your help to someone who claims to be in an emergency, hang up and call them back using their known telephone number.
• If a caller claims to be from an established organization, hang up and look up the number of the organization and call it directly

Gift Card Scams

Scammers might ask you to pay for services or settle debts using gift cards. They often claim to be from the IRS, a utility company, or even a family member in distress. They claim that immediate payment is needed. Once the gift cards are purchased, the scammer asks for the card numbers and PINs, allowing them to steal the funds.

Tips for Avoiding Gift Card Scams:

• Be Skeptical of Unsolicited Requests: If someone contacts you unexpectedly and asks for payment via gift cards, it’s likely a scam.
• Verify the Caller: If the caller claims to be from a legitimate organization, hang up and call the organization directly using a verified phone number.
• Never Share Gift Card Information: Treat gift card numbers and PINs like cash. Once shared, the money is gone.

Fraudulent Check Scams

Check scams often target senior citizens by sending them fraudulent checks that appear legitimate. Scammers may claim the check is a prize or a payment for a job. They ask the recipient to deposit the check and then send a portion of the money back to them. By the time the bank realizes the check is fake, the victim has already sent the money, which is often unrecoverable.

Tips for Avoiding Fraudulent Check Scams

• Be Cautious of Unexpected Checks: If you receive a check from someone you weren’t expecting, be suspicious.
• Verify the Source: Contact the issuing bank that sent the check to confirm its legitimacy.
• Wait for Confirmation: Before spending or sending any money, wait for the check to fully clear.
• Never Send Money Back: If someone asks you to send money back after depositing a check, it’s likely a scam.

What to Do If You Fall Victim to a Scam

1. Stop Communication: Cease all contact with the scammer immediately.
2. Report the Scam: Contact your bank and local law enforcement.
3. Monitor Your Accounts: Keep an eye on your bank and credit card statements for any unusual activity.
4. Consider a Credit Freeze: This can prevent scammers from opening new accounts in your name.

Who to Contact

• Contact your local banker to verify any suspicious communications.
• In most instances of suspected elder abuse and financial exploitation, contact Adult Protective Services by calling 1-800-677-1116.
• If someone is in danger or you believe a crime has been committed, call 911.
• For cases of identity theft, contact your local police and the Federal Trade Commission at 1-877-438-4338.
• For more information about common scams, visit: attorneygeneral.nd.gov/consumer-resources/common-scams/

Being in the know is the first step to protecting yourself from cyber fraud. Choice Bank is committed to providing you with up-to-date resources and tips to help you stay informed. Learn more at bankwithchoice.com/cybersecurity.

Photo Credit: mavoimages

The post How to Protect Yourself From Scams and Fraud appeared first on Choice Bank.

But how can we tell what’s real and what’s fake?

What Are Deepfakes?

Deepfakes are videos created using AI that manipulate faces, voices, and movements to make it appear as though someone said or did something they never did. These videos often mimic real people with uncanny accuracy.

They are often used for:

• Entertainment (e.g., parody videos)
• Fraud (e.g., impersonating CEOs in video calls)
• Misinformation (e.g., fake political speeches)
• Identity theft or harassment

How to Spot a Deepfake

While deepfakes are getting harder to detect, there are still signs that can help you identify them:

1. Unnatural Eye Movement or Blinking
   Early deepfakes often failed to replicate natural blinking patterns. While newer models are better, you might still notice robotic or inconsistent eye movement.
2. Odd Facial Expressions or Skin Texture
   Look for strange lighting, blurry patches, or skin that looks too smooth or rubbery. Deepfakes sometimes struggle with realistic facial muscle movement.
3. Lip Sync Issues
   Watch the mouth closely. If the lip movements don’t match the audio perfectly, it could be a sign of manipulation.
4. Audio Quality
   Deepfake videos may use synthetic voices that sound slightly robotic or lack natural intonation. Background noise may also feel off or disconnected from the scene.
5. Head and Body Movement
   AI often focuses on the face, but struggles with syncing full-body movement. Watch for unnatural head turns or stiff posture.
6. Context Clues
   Ask yourself: Does the person in the video usually speak this way? Is the source trustworthy? If it’s a shocking or controversial clip, verify it through reputable news outlets.

AI Voice Scams

Criminals have also developed ways of weaponizing this technology by impersonating voices over the phone. Typically, AI voice scams are centered around a perpetrator using software programs to impersonate someone’s voice, often intending to steal money or personal information. Criminals may use the recordings to trick targets into thinking that someone they care about is in an urgent or dangerous situation and needs money fast. Alternatively, scammers may attempt to contact someone while pretending to be a person who can be trusted with sensitive information, such as a banking representative.

Why It Matters

Deepfakes aren’t just a tech curiosity; they’re a growing cybersecurity threat. They can be used to:

• Trick people into transferring money
• Spread false information
• Damage reputations or incite conflict

Being able to spot and report deepfakes is part of being able to protect your personal financial information online.

Final Tips

• Verify before sharing: Always check the source of a video before reposting.
• Stay informed: Follow cybersecurity news and updates.
• Educate others: Share what you learn with friends and family.

Being in the know is the first step to protecting yourself from cyber fraud. Choice Bank is committed to providing you with up-to-date resources and tips to help you stay informed. Learn more at bankwithchoice.com/cybersecurity.

Photo Credit: VAKSMANV

The post AI-Generated Videos and Deepfakes: How to Spot What’s Real appeared first on Choice Bank.

What is phishing?

Phishing is when an attacker sends emails pretending to someone else to gain personal or company information, like passwords and credit card numbers. Before we talk about ways to prevent phishing, let’s cover some common different types of these attacks.

Generic Phishing

The simplest form of phishing is when an attacker gathers as many emails as they can from the target organization and uses all of them in their attack. The attacking email will look generic in this case, but it will contain contents that an average user may believe.

In this example, the link that claims to be to the missed conference is malicious. The attacker’s goal is to get the target to click that link.

Spear Fishing
Spear phishing is when an attacker either gathers specific emails pertaining to certain roles in an organization or targets one specific person’s email.

In the event of a specific person, the attacker may have found relevant and unique information pertaining to an individual. For a small group, the attacker may target users that are on a team or in the same department of an organization, such as accounting, sales, customer service, etc.

In the spear phishing example below, the attacker has focused on a front desk staff member or an administrative assistant (spoofed to appear to be the person’s boss or another individual at their organization).

Whale Phishing
Whaling is like a spear phishing attack, except it focuses on targeting high-level management within the organization. One of the most common attacks is attempting to get a wire transfer.

Vishing
Vishing is the act of phishing via telephone (voice) instead of email. The attacker will call a victim to verify pieces of information from the victim, such as email or phone number. The attacker uses the data they already know to gain rapport on a call and ask for more sensitive information. For example, the attacker may claim to be a third-party IT vendor and, after verifying some of the victim’s information, may ask for details about the workstation, or even have the user install remote control software.

SMS Phishing
Attackers can send your mobile device a text message with a seemingly urgent message – a package cannot be delivered until it is confirmed, a streaming account will be canceled if you don’t click this link and confirm, etc. – or a promise of money or an enticing prize.

Once the target clicks the link it may load malware directly onto their device. The user may also be taken to a spoof page where they enter their credentials or payment information, which are then sent to the attacker.

How to Identify a Phishing Attack

Phishing relies on perceived urgency and emotional response, but if you train yourself to check a few things before blindly obeying, you should increase your odds of evading a trap. In the example below, the email address that should be Evan’s belonged to a scammer sending from michaelwilly889@gmail.com. This simple habit of clicking or expanding the box around the sender’s email name to reveal the email address can help you uncover if the person sending the email is who they claim to be.

How to Protect Yourself Against Phishing Attacks

Training
First and foremost, train yourself and your team. Educate your users on how to identify phishing emails and what to do when they receive them. Below are some starting points to educate on, look for, or to be wary of:

• Does the domain look suspicious? Is the domain missing a character, or are there extra characters? Are any of the characters replaced with another character?
• Inform users about the dangers of sharing personal information on social media sites. The more the attacker can learn, the more information they can use against the user when crafting phishing emails, specifically spear phishing.
• Encourage your users to speak up if they see anything suspicious. Spelling mistakes, suspicious links or attachments, a generic greeting, requests to log in, or requests to give your password are all forms of suspicious requests or behavior.
• Let your employees know that you would much prefer they report clicking a phishing link than an incident response investigation later. Additionally, tell your users that if they are unsure of an email, they can send it to an IT email to verify the legitimacy.
• In the case of vishing attacks have a codeword or phrase to verify the caller’s identity. If the caller can’t reproduce this word or phrase, report the call to either IT or management.
• Establishing policies and procedures about who resource owners are can put users at ease in the event of a spear phishing email or even a vishing call. If the user knows who to expect specific requests from, they may be less likely to share information or do tasks they weren’t expecting to be requested of them from that person.
• Conduct phishing exercises to track progress and verify that your users are learning effectively. There are platforms available to simulate a phishing attack. Conducting these exercises allows you to set a benchmark and track your results over time to show success or areas of improvement.

Multifactor Authentication
While training helps, it isn’t a silver bullet. When a user clicks on a link and potentially has their password compromised, multifactor authentication (MFA) can prevent the entire account from being compromised. MFA can be in the form of an SMS text message, push-button notifications, an authentication app, or a physical token with a changing code. Many organizations use Office365. Use this document to help you get started setting up multifactor authentication in O365.

Perform Reconnaissance
One of the best steps you can take to assess your risk is to understand your internet presence and that of your users. This will help identify vulnerabilities to remedy and will allow you to see what the attackers are likely able to see. With this knowledge, you will be able to protect your organization better.

There are many ways to go about this and tools available to do this, but we recommend using Discover. Discover is a tool that uses several other tools to perform various reconnaissance searches. It will search social media sites, multiple search engines, DNS lookups, and several other valuable sources of information to see what is publicly available about the specific company name and the company’s domain. Types of information it finds can include emails, employee names and job titles, files hosted on the domain searched, subdomains, and more.

Identify and Disclose Incoming External Emails
Another valuable tool in your phishing prevention toolbox is giving your users the immediate ability to easily recognize when an email originated outside of your organization. You can add a statement at the top of all incoming external emails stating that they came from outside of your organization.

This helps users know when they are viewing potentially malicious emails. This is especially helpful when attackers attempt to appear as though they are a colleague; the notice will quickly alert the recipient that the sender is not who they claim to be.

This blog was contributed by FRSecure. FRSecure is a full-service information security management company that protects sensitive, confidential business information from unauthorized access, disclosure, distribution, and destruction. View our free cybersecurity webinar with FRSecure here.  Learn more about phishing and cybersecurity by signing up for Choice’s Taking Care of Business Webinar email list, here.

Being in the know is the first step to protecting yourself and your business from cyber fraud. Choice Bank is committed to providing you with up-to-date resources and tips to help you stay informed. Learn more at bankwithchoice.com/cybersecurity.

The post How to Identify and Prevent Phishing Attacks appeared first on Choice Bank.

Common Signs of a Phone or Text Scam

1. Unfamiliar or Spoofed Numbers
   Scammers often use fake caller IDs to make it look like they’re calling from a trusted source, like your bank or a local number. If you don’t recognize the number, be cautious.
2. Urgent or Threatening Language
   Scammers try to scare you into acting quickly. They might say your account is compromised, you owe money, or you’ll be arrested if you don’t respond immediately.
3. Requests for Personal Information
   Legitimate organizations will never ask for your PIN, password, or full Social Security number over the phone or via text.
4. Suspicious Links or Attachments
   Text messages that include links to “verify your account” or “claim a prize” are often phishing attempts. Clicking these links can install malware or lead to fake websites.
5. Payment Demands
   If someone asks you to pay using gift cards, wire transfers, or cryptocurrency, it’s a scam. These payment methods are hard to trace and recover.

How to Protect Yourself

• Don’t answer calls from unknown numbers. Let them go to voicemail.
• Never share personal or financial information unless you initiated the contact and are sure of who you’re speaking with.
• Don’t click on links in unsolicited texts. Visit official websites directly.
• Use call-blocking and spam-filtering tools on your phone.

What to Do If You’ve Been Targeted

If you think you’ve been scammed or shared sensitive information:

• Contact your bank immediately to secure your accounts.
• Change your passwords and enable two-factor authentication.
• Report the scam to the Federal Trade Commission at reportfraud.ftc.gov.

Stay Informed, Stay Safe

Scammers are always evolving, but so are the tools to stop them. Stay alert, trust your instincts, and when in doubt, hang up or delete the message.

Being in the know is the first step to protecting yourself and your business from cyber fraud. Choice Bank is committed to providing you with up-to-date resources and tips to help you stay informed. Learn more at bankwithchoice.com/cybersecurity.

The post How to Spot and Stop Phone and Text Scams appeared first on Choice Bank.

1. They Pressure You to Act Immediately

Scammers create a false sense of urgency. Whether it’s a “limited-time offer” or a threat to suspend your account, they want you to act fast before you have time to think or verify.

2. They Ask for Personal or Financial Information

Legitimate organizations will never ask for sensitive information like your Social Security number, bank account details, or passwords via email, text, or unsolicited calls.

3. They Want Payment in Unusual Ways

If someone asks you to pay with gift cards, cryptocurrency, or wire transfers, it’s a scam. These methods are hard to trace and nearly impossible to recover.

4. Their Story Doesn’t Add Up

Scammers often use emotional stories, like a relative in trouble or a prize you’ve “won”, to manipulate you. If the story seems too good (or too bad) to be true, it probably is.

5. They Refuse to Let You Hang Up or Call Back

A scammer may insist you stay on the line or avoid verifying their identity. A legitimate business will always allow you to call back through official channels.

Stay Safe

If something feels off, trust your instincts. Hang up, don’t click, and contact your bank or the organization directly using a verified number or website.

Being in the know is the first step to protecting yourself and your business from cyber fraud. Choice Bank is committed to providing you with up-to-date resources and tips to help you stay informed. Learn more at bankwithchoice.com/cybersecurity.

The post 5 Warning Signs You’re Talking to a Scammer appeared first on Choice Bank.

1. Don’t Reuse Passwords

Using the same password across multiple accounts is like using one key for every door in your life. If one account is compromised, all your other accounts are at risk. Create a unique password for each account, especially for banking, email, and shopping sites.

2. Use a Password Manager

Remembering dozens of complex passwords is tough, but you don’t have to. A password manager securely stores your login credentials and can generate strong, random passwords for you. All you need to remember is one master password. Here are some recommended password manager services.

3. Make Passwords Strong and Complex

Avoid common words, names, or easy-to-guess combinations like “123456” or “password.” A strong password should be at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols.

4. Enable Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring a second form of verification, like a code sent to your phone or generated by an app. Even if someone steals your password, they won’t be able to access your account without that second factor.

5. Update Passwords Regularly

Change your passwords periodically, especially if you suspect an account may have been compromised. And if a company you use experiences a data breach, update your password for that service immediately.

Stay One Step Ahead

Cyber threats are constantly evolving, but following these best practices can help keep your personal and financial information safe. Strong passwords and MFA are simple tools that make a big difference.

Being in the know is the first step to protecting yourself and your business from cyber fraud. Choice Bank is committed to providing you with up-to-date resources and tips to help you stay informed. Learn more at bankwithchoice.com/cybersecurity.

The post Simple Steps to Stronger Passwords and Safer Accounts appeared first on Choice Bank.

1. Use Strong, Unique Passwords

Avoid using the same password across multiple accounts. Instead, create complex passwords that include a mix of letters, numbers, and symbols. Consider using a reputable password manager to keep track of them securely.

2. Enable Multi-Factor Authentication (MFA)

MFA adds an extra layer of protection by requiring a second form of verification, like a code sent to your phone, when logging into your accounts. Always enable it when available, especially for banking and email accounts.

3. Be Cautious with Public Wi-Fi

Avoid accessing sensitive accounts or making financial transactions over public Wi-Fi networks. If you must use public Wi-Fi, use a virtual private network (VPN) to encrypt your connection.

4. Monitor Your Accounts Regularly

Check your bank and credit card statements frequently for unauthorized transactions. Many banks also offer real-time alerts for account activity; turn these on to stay informed.

5. Watch Out for Phishing Scams

Be skeptical of unsolicited emails, texts, or calls asking for personal information. Don’t click on suspicious links or download attachments from unknown sources. Always verify the sender before responding.

6. Keep Your Devices and Software Updated

Regular updates often include security patches that protect against the latest threats. Enable automatic updates on your devices and apps to stay protected.

7. Use Secure Websites

Before entering any financial information online, make sure the website’s URL begins with https:// and look for a padlock icon in the address bar. These indicate a secure connection.

Stay One Step Ahead

Cybersecurity is an ongoing effort. By following these best practices, you can help protect your financial information and reduce your risk of fraud.

Being in the know is the first step to protecting yourself and your business from cyber fraud. Choice Bank is committed to providing you with up-to-date resources and tips to help you stay informed. Learn more at bankwithchoice.com/cybersecurity.

The post Best Practices for Protecting Your Financial Information Online appeared first on Choice Bank.

Supply chain risk has increased dramatically over the last decade, as the internet has become an integral part of various business operations. What’s more, third-party breaches can be costly, increasing the average cost of a data breach by $207,411. Still, research shows this risk is largely being overlooked.

While it’s not possible to totally eliminate supply chain risk, there are several steps your organization can take to reduce your supply chain exposure. Review the following guidance to understand what factors increase your organization’s supply chain risk, how to mitigate them, and what to do if your supply chain is compromised.

Where Does Supply Chain Risk Come From?

Supply chain risk can stem from a variety of parties and practices within your organization, such as:

• Third-party services or vendors with access to information systems
• Poor information security practices by suppliers
• Compromised organizational software or hardware
• Software security vulnerabilities in supply chain management or among third-party vendors
• Inadequate third-party data storage measures

Every organization has at least two levels of suppliers. This includes directly contracted suppliers (Tier 1) and the companies that supply to them (Tier 2). Very few organizations review the risk of their Tier 2 suppliers, leaving them vulnerable to supply chain cyberattacks.

What’s worse, supply chain risk can increase dramatically a few months into suppliers’ contract terms and may only continue to increase throughout these contracts if such Tier 2 suppliers are not properly vetted for potential cyber exposure concerns.

What Factors Increase Supply Chain Risk?

A wide range of factors have the potential to elevate your organization’s supply chain risks, including:

• Complacency or inability of your organization or its suppliers to monitor and assess cyber risk
• Any changes in your organization’s cyber risk tolerance
• The increasing severity and frequency of cyberattacks
• The increasing sophistication and boldness of cybercriminals

In the event of a supply chain cyberattack, cybercriminals may attempt to overwhelm your organization’s networks and servers to disrupt normal business activities. They may also try to copy, rearrange, or destroy vital company data. Whatever their intent, a cyberattack on your organization’s supply chain can be costly and time-consuming.

Understanding Your Supply Chain Exposure

There are several ways in which your organization can review its supply chain cyber exposure. Consider the following best practices:

• Create a vendor inventory of all third parties and consultants with access to your organization’s IT network or sensitive data.
• Use a cross-functional, legal, compliance, and privacy team to assist your organization in assessing its supply chain risk.
• Communicate with your organization’s vendors about their specific cyber risks and what measures they have in place to mitigate these exposures.
• Review the cybersecurity policies and procedures in place within your organization and its suppliers for effectiveness.
• Assess your organization’s physical and online processes to determine potential gaps in cybersecurity.
• Identify critical systems, networks, and information within your organization to better understand how this data could be compromised and what actions are necessary to protect such data.

Decreasing Supply Chain Risk

Fortunately, there are some steps that your organization can take to help decrease its supply chain cyber risk. Be sure to implement these precautions:

• Incorporate cyber risk management into vendor contracts. This can include requiring vendors to obtain cyber insurance, having them notify your organization after a cyber incident, and establishing clear expectations regarding the destruction of data following the termination of your contracts.
• Minimize access that third parties have to your organization’s data. Once a vendor or supplier has been chosen, work with them to address vulnerabilities and cybersecurity gaps.
• Monitor suppliers’ compliance with supply chain risk management procedures. Consider adopting a “one strike and you’re out” policy with suppliers that experience cyber incidents or fail to meet compliance guidelines.

How to Respond to a Compromised Supply Chain

If your organization’s supply chain becomes compromised or exploited by cybercriminals, follow these response measures to mitigate the damages and prevent future incidents:

• Mitigate first. This could include patching or upgrading software systems, disabling internet access, or moving applications behind firewalls.
• Contact your insurer immediately. Make sure to reach out to your insurer as soon as the incident occurs. Give them as much information as possible to help kickstart the claim process.
• Engage legal counsel. Consult your organization’s trusted legal professionals for additional guidance on adopting an appropriate response to the incident, such as whether to contact law enforcement or inform stakeholders.
• Enlist forensic expertise. Have forensic experts work with your organization to investigate the incident. These experts can help identify the perpetrator(s), determine potential cybersecurity gaps that led to the incident, and offer tips for preventing similar supply chain concerns going forward.

For the latest industry news and business tips and resources delivered right to your email inbox, subscribe to our Taking Care of Business Newsletter.

This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2021 Zywave, Inc. All rights reserved.

The post Reducing Supply Chain Cyber Exposure appeared first on Choice Bank.