Earlier this month, I had the privilege of being on a cybersecurity panel for the monthly IBAW meeting. Also on the panel were Erika Nowak, CFO at Ixonia Bank; Elliot LePoidevin, EVP at R&R Insurance; and April DeValkenaere, from Fortress Forensic Investigations, who moderated. It is always interesting to bring together a multidisciplinary group like this because it offers a broader perspective.

There was great audience participation, and as I reflect on the content, there are some standout points that serve as a great reminder that we need to be ever vigilant as we work to stay secure.

Here are Seven Keys to Strengthen Your Cyber Defenses:

1. Understand the most common entry points for cybercriminals. While we are all a little tired of hearing about phishing, it remains the most common point of entry for cybercriminals, accounting for about 90%. When a phishing email is clicked on, it is often used to perpetrate business email compromise, or BEC. This is where a cybercriminal gains control of a key person’s email, such as the CFO’s. He then makes very legitimate-looking requests of another financial team member to make money transfers. Other common entry points are unpatched systems, old and insecure operating systems, remote access pathways like VPN, and insecure passwords.
2. Be aware: AI and deepfakes are real and increasingly sophisticated. Deep fakes are being used to clone the voices and videos of executives. They are real and convincing. A widely reported 2024 case with engineering firm Arup underlines this risk. The cybercriminals used deepfakes to confirm 15 money transfers totaling $25 million. These deepfakes are relatively easy to produce and are becoming increasingly common. It is important to establish a verification process that involves multi-channel confirmation, including callbacks. Some even recommend a “confirmation code” known only to the parties who would typically approve a transaction.
3. Make sure you have newer preventative measures in place. Cyber criminals and the automated agents they use are always looking for a way in. They scan IP addresses, websites, ports, and more for potential entry points. Applying tools like MFA has become more than a big-company thing. It is necessary at every level. In addition, newer ITDR (Identity Threat Detection and Response) technology is available to watch over users, credentials, permissions, and authentication behavior. This technology is necessary to protect you from compromise. It monitors your cloud credentials for anomalous behavior that might indicate a hacker has access and immediately alerts and blocks access to prevent further breaches or the threat actor’s use of your account.
4. Adopt employee security awareness training! This came up repeatedly from all of the panelists. By a large margin, most security incidents are caused by human error. After all, phishing emails would not be a problem if someone didn’t click on them. Using a Security Awareness Training Tool or outsourcing it as a service is key. Packages like KnowBe4 and its many competitors make this easy, and if you use an MSP for IT services, often they will provide it as a service. At least quarterly training requirements should be instituted, along with regular phishing tests to see who clicks!
5. Check fraud is alive and well, making it important to implement strong protection measures. Washing checks is nothing new. This is where criminals wash off the ink and change the recipient, or even the amount of a check, and then cash it. Stop this type of fraud by using Positive Pay.  This is a banking solution where you confirm the recipient and amount with your bank each time you write checks, and the bank does not approve the transaction unless there is a match. It is also important to reconcile your business accounts daily to detect fraud in time to recover.
6. Pay attention to overlooked vulnerabilities. We often ignore old computers that just do “that one thing” or run a specialized machine. That old, unsecured device may be your weakest and easiest point of entry to the network. Replacing or updating old hardware and unsupported systems is critical for protection. Also, update older Wi-Fi protocols, upgrade remote access methods, and ensure password policies are up to date. Monitor for shadow IT—when someone adds an unapproved device or app, creating a risk.
7. Get cybersecurity insurance that fits your business. Prevention is key. Still, insurance can protect you if a threat actor gets through. Ensure your policy matches your business size, industry, and risk profile. Check that it covers ransomware, business interruption, and social engineering attacks. The right broker knows your sector and understands your needs.

The IBAW (Independent Business Association of Wisconsin) meeting was a great event as always. Check out their meeting schedule for an upcoming event!  And stay vigilant against cyber threats by adopting some of the protections we discussed!

Scott Hirschfeld

Scott Hirschfeld is the President of CTaccess, a Brookfield IT support company that has been helping businesses stop focusing on IT and getting back to doing business since 1990. Under his leadership CTaccess provides the business minded approach of larger IT companies with the personalized touch of the smaller ones. Connect with Scott on LinkedIn.