Torchlight - Summer 2023



BBB® | Summer 2023

Cybersecurity: What businesses need to know

Senior move managers set the standard for trust

BBB study: Vacation scams

Pat Origliasso Spire

NO MATTER THE SIZE OF BUSINESS, CYBERSECURITY IS A CRITICAL ISSUE.

There does not seem to be a day that goes by when we do not read or hear about a business or organization experiencing a cyberattack.

These attacks can be damaging in many ways. They can take a toll financially, put stress on your employees and, should you fall victim to one, damage the trust your customers and employees have in you and your business.

In this edition of Torchlight, you will find how BBB Accredited Businesses use proactive measures to help mitigate cybersecurity issues.

BBB encourages a five-step approach to cybersecurity based on the National Institute of Standards and Technology Cybersecurity Framework.

It represents an approach that applies to the specifics of your business, helping you understand how best to identify and protect your business’s vital data and technology assets, as well as how to detect, respond to and recover from a cybersecurity incident.

The program, which started in 2018, is a collaboration between BBB and the National Cyber Security Alliance. The goal is to empower small- and medium-sized business owners and principals to begin to assess what business assets need to be protected from cyber-attacks and encourage those leaders to make their business more resistant to such attacks or other related incidents and make them more resilient if an incident does happen.

The five-step plan:

1. Identify – Take inventory of key technologies you use and know what information you need to rebuild your infrastructure from scratch. Inventory the key data you use and store and keep track of threats.

2. Protect - Assess what protective measures you need to have in place to be as prepared as possible for a cyber incident. Put protective policies in place for technologies, data, and users, and ensure that your contracts with cloud and other technology service providers include the same protections.

3. Detect - Put measures in place to alert you of current or imminent threats to system integrity, or loss or compromise of data. Train your users to identify and speedily report incidents.

4. Respond - Make and practice an Incident Response Plan to contain an attack or incident and maintain business operations in the short term.

5. Recover - Know what to do to return to normal business operations after an incident. Protect sensitive data and your business reputation over the long term.

Cyber criminals can come at us from many different angles. According to the 2022 BBB Scam Tracker Risk Report, several different online contact methods led the way for successful fraud attempts. Websites, social media and email were the top three ways scammers contacted their victims.

SCHEDULE A PRESENTATION BY YOUR BBB

BBB outreach can help get valuable information on marketplace trust to local organizations, free of charge.

Contact us at outreach@stlouisbbb.org to schedule an in-person or virtual presentation for your group.

As a business owner, you need to educate employees about what not to do online. You should be on guard from phishing attempts, which can lead to ransomware being installed in your system.

Business email compromise continues to grow as the scammers get better at hiding who they are and mimicking company leadership while trying to compromise your employees. A recent BBB study showed that businesses and other organizations lost $3 billion between 2016 and 2019 with another $23 billion in attempted scams.

Small businesses need to be on the defensive. A March 2022 article by Forbes reported that small businesses are three times more likely to be targeted by cybercriminals than larger companies. The story said accounts of CEOs and CFOs are twice as likely to be taken over as those of regular employees. Executive assistants are also popular targets, according to the report.

Business owners need to be vigilant about cybersecurity. One of the eight Standards for Trust for BBB Accredited Businesses is “safeguard privacy.” That standard reads: “Protect any data collected against mishandling and fraud, collect personal information only as needed, and respect the preferences of consumers regarding the use of their information.”

Unfortunately, warding off scammers is not going to get any easier. Artificial Intelligence, commonly known as AI, has grabbed a lot of headlines lately. There are tools through AI that will make it easier for the scammers to take advantage of unsuspecting people.

We will need to redouble our efforts to make sure that we keep our customers’ information safe.

Thanks for supporting BBB’s efforts to combat fraud and make businesses better through education and sharing best practices.

Board of Directors

Carolyn Beard, Callier & Thompson Kitchen Bath Appliance

Blake Birner, Renewal by Andersen

Don Brown, Don Brown Chevrolet

Angela Courtwright, More for Less Remodeling

Terri DeMent, Nestlé Purina

Jill Falk, Schnuck Markets

Joe Fisher, DH Pace Company, Inc.

Holly Francois, Maritz

Tom Gershman, Gershman Mortgage

Seth Goldkamp, Design Aire Heating & Cooling

Katie Hopkins, Truck Centers, Inc.

Carlos Huddleston, Gonzalez Companies

Greg Kendall, Commerce Bank

Justin Lee**, RubinBrown

Tom Linhares, Dodge Moving & Storage

Ben Lynch, Ameren MO

Rose McDaniel, Graybar

Stefan Sigurdson, Allen Roofing & Siding

Heidi Singleton***, New Honor Society

Todd Smith, Waterway Carwash

Katie Statler*, Caleres

Ben Stegmann, Second Mile Service Company

Mary Schwartz Westerhold, Madison Communications

Aaron Windholz, McBride Homes

Adriane Yates, Spire

Michelle L. Corey****, Better Business Bureau

* Chairman of the Board

** Immediate Past Chair

*** Advertising Club President

**** President & CEO

Better Business Bureau Serving Eastern & Southwest Missouri & Southern Illinois

211 N. Broadway, Ste. 2060

St. Louis, MO 63102

Phone: (314) 645-3300

Fax: (314) 645-2666

Hannah Kloppenburg, Editor

Email: hkloppenburg@stlouisbbb.org

Cover photo by Tim Vizer

Torchlight (ISSN 1547-2043 USPS 053-540) is published quarterly by Better Business Bureau, 211 N. Broadway, Ste. 2060, St. Louis, MO 63102. Subscriptions are available to BBB Accredited Businesses only. Periodicals Postage Paid at St. Louis, MO. Postmaster please send change of address to: Torchlight, Better Business Bureau, 211 N. Broadway, Ste. 2060, St. Louis, MO 63102.

Pat Origliasso, managing director, IT security for Spire, at the company’s headquarters in downtown St. Louis.

“GO FASTER, SAFER”

How cybersecurity can move your business forward

Is your business prepared for a cyberattack? We consulted BBB Accredited cybersecurity experts and examined how St. Louis-based Spire approaches cybersecurity to learn what businesses are doing to protect themselves — and their customers.

Time, money, personal information: Customers entrust these to the businesses they work with every day. Businesses, especially those that uphold BBB’s Standards for Trust, have a responsibility to their customers to treat all the above with respect.

For St. Louis-based natural gas utility Spire, strong cybersecurity is a pillar of upholding that trust – and Pat Origliasso, managing director, IT security, feels that businesses should prioritize it.

“There are different risks to different businesses, but all businesses, regardless of size or industry, are at risk,” Origliasso explained. “Our responsibility is to protect our customers’ information.”

There’s more than just information at risk: Spire’s cybersecurity team also protects the vital service it provides to its customers. “Our infrastructure provides reliable energy to our customers, including hospitals,” said Origliasso. “Protecting against attacks to ensure the safe and consistent delivery of that energy to our customers is critical.”

Spire isn’t the only business with cybersecurity on the brain. In recent years, cybercrime has increased as companies move more aspects of their business online.

Current cybersecurity risks

BBB commonly receives reports of cybercrimes such as phishing, malware or ransomware attacks, and impersonation scams. Methods used by cyber criminals tend to evolve over time as businesses and consumers find ways to safeguard against them.

Right now, businesses are particularly at risk for a scam known as Business Email Compromise (BEC) – scammers impersonate a CEO’s email account and ask employees to transfer funds to a fraudulent source.

A 2018 BBB investigative study found that 80% of businesses received a BEC email that year, and a 2023 BBB poll found that half of Accredited Businesses have received one. BEC fraud is the biggest source of losses reported to the FBI’s Internet Crime Complaint Center (IC3) and has been for several years.

Common cybercrimes reported to BBB in 2022

Business Email Compromise (BEC): Scammers use business contacts to impersonate a CEO or other staff member and ask employees to transfer money through wire, gift cards or routing to a fraudulent bank account; also called CEO fraud, spear phishing or whaling.

Impostors or “spoofing”: Scammers pretend to be well-known companies, government agencies, vendors or others to obtain sensitive information or access to finances.

Phishing: Scammers use an email, text or social media message to entice a victim to share sensitive information or click on a malicious link. Clicking links in phishing emails can put malware or ransomware on your computer:

• Malware is malicious software created with the intent to do harm to a computer, network or server.

• Ransomware is a type of malware that allows scammers to hold victims’ data hostage in exchange for a payment.

Craig Turner, information technology director at BBB of Eastern & Southwest MO & Southern IL, says Accredited Businesses’ websites or email accounts are sometimes impersonated or compromised by cyberattacks. “We come across websites that are no longer legitimate but are using company domains. The business sometimes doesn’t even know their website has been taken over by someone else,” said Turner.

Red flags of a cyberattack

• A dramatic increase or change in spam or suspicious emails staff receive

• Lots of negative comments or increased activity on social media posts

• Employees trying to get access to a service or network they don’t typically have access to

• Any computer system behaving abnormally

• Sudden changes in payment methodology, which could be a sign of Business Email Compromise

Who is at risk

All types of businesses are at risk from cyberattacks – and the consequences can be dire.

Origliasso explained that attacks happen for a number of reasons: financial gain, disruption of service, brand defamation or even political motivation.

Origliasso referenced three major consequences of cyberattacks. The first is customers’ private information being released, which impacts their identity, finances or even their credit rating. The second is disrupted service. The third is impact to brand reputation. “Building trust with customers can take years. Losing customers can take seconds,” he said.

Jeff Eiserman, advisor at Springfield-based insurance company Ollis/Akers/Arney, said that in his experience, healthcare, education, manufacturing and retail businesses are common targets. While large businesses can be targeted for their wealth of data, small businesses should be on the lookout, too. “You can be a small five-person doctor’s office, and you’re still subject to HIPAA,” he said.

“Smaller businesses can definitely have an incident...it can easily end them,” said Jason Gotway, principal and technology practice leader at Anders, a St. Louis-based CPA and advisory firm. “Smaller organizations may not be as prone to sophisticated attacks, but they also have less sophisticated security or don’t invest in things like cyber insurance.”

Gotway explained that companies collecting information from customers carry responsibility for that data if it is compromised. A breach can be extremely public, which can damage customer trust and can potentially have legal consequences.

Jason Gotway, principal & technology practice leader, Anders

How businesses can protect themselves

Preventative technology solutions

A silver lining of the increase in cybercrime is the corresponding increase in technology solutions businesses can use to protect themselves.

• Major email providers like Microsoft and Google have settings that can help businesses prevent common cyberattacks. Businesses can set up their emails to flag messages from outside their organization, limit incorrect login attempts and use a spam filter for basic protection.

• Multi-factor authentication (MFA) requires employees to verify their identity on a secondary device, such as their mobile phone, when they attempt to log into a company account. This protects accounts even if a password is compromised, and companies should consider implementing it across all parts of their system. “Ransomware was a huge thing in 2021 – not as much in 2022,” Eiserman said. “The insurance industry says 93% of those attacks are prevented by implementing MFA.”

• There are a number of third-party services that offer additional protection, such as password managers, antivirus software or authentication services. Businesses should assess their own unique security needs when considering these: “Unfortunately, there’s not a silver bullet that prevents everything,” said Origliasso. He also urged businesses to stay abreast of cybercrime trends and keep their solutions up-to-date.

Employee cybersecurity training

All experts agreed: staff training is a must.

“Most attacks start with someone clicking on a link or doing something that they shouldn’t,” said Origliasso. “Everyone has a stake in the game. You need to arm your staff with information.”

• Origliasso said companies should train employees on common attacks, what to look for and trends specific to their industry – for example, training supply chain teams to recognize emails with malicious attachments and fake invoices. Spire provides frequent, consistent training for its entire staff: annual security awareness training, quarterly phishing training campaigns and periodic learning on seasonal attacks or current trends.

• For external learning opportunities, Origliasso recommends checking out free options online or researching industry groups, like CompTIA or SANS, that provide training and certifications at a cost.

• Results from training like the quarterly phishing campaigns Spire conducts can give businesses a pulse check on how their employees are performing and where more education is needed. They may need more support than they expect: “Most organizations, when they do this for the first time and get a report back, are shocked,” Gotway said. “I don’t want anyone to think they’re immune.”

• To prevent BEC, experts recommended that employees double check any message that seems off, especially any request to transfer funds. When in doubt, they should call or verify in-person.

Work with trusted partners

Businesses may choose to employ cybersecurity experts who can help assess their risks and needs. Business advisors, insurance providers and IT or risk management services can assess and provide resources based on each business’ circumstances. Whenever possible, businesses should seek to work with partners for critical services like banking who also have high standards for cybersecurity and data privacy. Start the search for other trustworthy businesses at BBB.org.

What to know about cyber insurance

Cyber insurance protects against common attacks and is customized based on the needs of each company. The coverage typically includes resources to help businesses determine the scope of an attack, how best to respond and any regulatory or legal actions needed.

Jeff Eiserman of Springfield-based Ollis/Akers/Arney says that five years ago, few of his clients had cyber policies; these days, most do. “[Insurance can] protect your company and keep you up and running,” he said. “I don’t know of a business yet that can continue to make money and protect their reputation if they’re shut down.”

Cyber insurance tips:

Check your current insurance.

• Many businesses already have a commercial crime policy that typically covers loss of money from crime, including cybercrime. However, these policies typically don’t cover loss of data, and cyber policies usually do.

• Check your current policy carefully to assess what you may need.

Make sure your policy covers the losses applicable to your business before signing on.

• Policies can vary. BBB’s 2018 BEC study found that some policies don’t include coverage for social engineering losses. In a similar vein, some policies don’t cover losses for fraud committed over social media.

• Work with your broker to identify your unique risks and coverage needs – for example, Eiserman says, a company that doesn’t have a website won’t need media liability coverage.

Discuss terminology with your broker.

• Cybercrime can go by varying names – for example, BEC could be referred to as social engineering.

• Make sure you understand the scenarios your policy covers, and don’t assume a term means what you think it does. “[Businesses] have to be an educated buyer, and the best way to do that is to ask questions of their broker if they don’t think they’re getting what they need,” said Eiserman.

Prioritize cybersecurity

Cybercrime won’t be going away any time soon – and experts agreed that businesses should allocate time and money for prevention. “It’s not if, but when it will happen,” Turner said.

“It’s only going in one direction, and it’s not really a great one. Have enough budget set up to do the prevention, so you’re not an easy target,” said Gotway.

As for Spire, its success in protecting the privacy of its customers’ information and the integrity of its business can be attributed to its intentional commitment to and investment in cybercrime prevention.

“Cybersecurity is a cost to do business,” Origliasso said. “While it’s not a revenue generator, it can prevent you from incurring some much higher costs. Without it, business is hard to conduct.”

As a parting thought, he shared that a friend of his once compared investing in cybersecurity to the first manufacturer’s decision to put brakes on a car:

“It was done so vehicles could go faster, safer,” he said. “If done correctly, cybersecurity practices can help your business move more quickly, which in today’s ever-changing world is critical to being successful.”

BBB’s cybersecurity resource center

For more information on common cyberattacks, BBB’s five-step policy for cybersecurity response and how to report cybercrime, please scan the QR code.

GOLDEN BRIDGES BRINGS CLIENTS HOME

A BBB Accredited senior and specialty move management company is setting a high standard of ethics in its Quincy, IL marketplace and community.

Moving or downsizing is overwhelming in the best of circumstances. But the truth is that circumstances aren’t always the best — moving can be more challenging for seniors, folks moving to a new state or those who simply have a lot of belongings to sort through.

That’s where move managers come in. In Quincy, IL, Golden Bridges Senior & Specialty Move Managers have spent the past decade helping their neighbors make smooth transitions to the next phase of their lives.

Partners Susan Scholz, Suzanne Ellerbrock and Nancy Waters, along with recent addition to the team T (Terry) Heberlein, take a deliberate, compassionate and personalized approach to help their clients “live life better.”

In addition to services for seniors, Golden Bridges facilitates specialty moves for people of all ages. The common thread among their clients is that they need support for a major life change.

And it works. According to Golden Bridges, the company has more than doubled its sales each year since it was founded in 2013. Golden Bridges received a BBB TORCH Award for Ethics in 2019 and opened its first physical office space this year.

“Not everybody has this opportunity,” says partner Suzanne Ellerbrock. “It’s rewarding to know that we are needed in our community.”

Golden Bridges is meeting a timely need. The U.S. population aged 65+ will jump nearly 80 percent between 2010-2030. As Baby Boomers retire, more people will downsize or move into retirement communities and care facilities.

The Golden Bridges team are experts in managing both the physical and emotional aspects of a move. Clients may have to sort through sentimental belongings, address hoarding tendencies or sell a deceased loved one’s home.

“Our team members experience the emotions with them. We laugh with them, we cry with them, we listen to their stories and we help guide them through the process,” Ellerbrock says.

Golden Bridges’ work requires a great deal of mutual trust. “Our business is very personal, because we’re going through people’s lives,” Ellerbrock explains.

One of the best things about their line of work, Ellerbrock says, is that she and her team have built long-term trusting relationships with their clients.

She says one client comes to mind who was at risk of losing her apartment due to hoarding tendencies. Golden Bridges was able to help her organize and keep her home, and helped her take care of two homes and 11 storage units over the course of an eight-year relationship.

“Not only is she a client, but she’s a friend. Without her, there’s times where we wonder if we’d even be here,” Ellerbrock says.

Each Golden Bridges team member brings unique expertise, but they also collaborate with partners who handle services like remodeling, auctioning and traditional moving support. Because of this, Ellerbrock says, a high level of integrity and responsiveness is paramount to maintain clients’ trust.

“We apply ethical standards whether it’s a client of ours or a client of someone else’s,” she explains.

“We’ve actually stopped working with some businesses because we didn’t feel they had the integrity to serve our clients the way we wanted them served. We cannot afford to have negativity around what we do, because then we wouldn’t be able to serve the community the way that we can.”

From left to right: Susan Scholz, Nancy Waters and Suzanne Ellerbrock, partners. Center: Terry “T” Heberlein, director of sales & community outreach.

The team works with other organizations of high integrity to serve the community. They volunteer frequently — most recently holding a food drive that provided 500 meals — and are involved in the Quincy Chamber of Commerce, Rotary Club, Kiwanis and BBB.

“We feel that by being a member of the BBB, people know that we will do what we say we’ll do. They know we have been vetted by an organization that does business with integrity,” Ellerbrock explains.

In its first decade, Golden Bridges has helped more than 420 clients with their life transitions. The team is looking forward to more growth and continuing to serve their clients with a high standard of integrity.

“We understand that life doesn’t allow for everyone to take care of their family the way they’d want to,” Ellerbrock says. “Golden Bridges can [take care of them]. We get joy out of that.”

SAVE THE DATE

Join BBB for a celebration of trust and to honor local organizations and individuals who exemplify high ethics. Lunch will be provided.

St. Louis: October 3, 11:30 a.m. - 1 p.m., Missouri Athletic Club, 405 Washington Ave., St. Louis, MO 63102

Springfield: November 1, 11:30 a.m. - 1 p.m., White River Conference Center, 600 W. Sunshine St., Springfield, MO 65807

Interested in sponsoring the TORCH Awards? Scan the QR code for your region.

Left and above: Golden Bridges team members work in a client’s home.

“WHAT’S ONE THING YOU’LL NEVER COMPROMISE ON FOR YOUR BUSINESS?”

One thing we will never compromise on when it comes to our business is the quality and professionalism of our work. We take pride in the quality of work we put out, especially for being a small family-owned business. Being a smaller company, we take the time to really focus on the craft at hand, and pay attention to the small details some bigger corporations look over. We want to make your outdoor living space your dream, and we will do whatever we can to achieve that.

- Jessica Behnen, office manager, Hoffman Concrete

One thing I never like to compromise is honesty.
- Debbie Ashkar, owner, Deboura Painting

We believe if you’re going to do a job do it right or don’t do it at all. I’ve turned down jobs because customers just wanted one coat of paint. I have not found an interior paint that covers in one coat and looks good. Sometimes we don’t make as much on the job because I’m a perfectionist and I’ve trained my associates to do the same.

- Keith Caldwell, president/owner, Caldwell Painting & More

Our quality of work is what I would never compromise on when it comes to PrettyNPaint! My father taught me that a customer’s word of mouth will bring about more business. To achieve great customer satisfaction, a business must put their customers’ needs and wants first. Excellent quality will bring about superb customer satisfaction! Hence our motto: Finished to perfection!!

- Aaliyah Terry, owner, PrettyNPaint

We ensure that our customers get the selection of flooring that will meet their needs for quality, style and performance. We would not recommend a product that would not hold up to pets if pets are present at the home. Ensuring correct selections will help with the long-term use and performance of our flooring.

- Terry McDowell, manager, Flooring Galaxy

As a service company, we never compromise on the quality of the services we deliver. It is essential to maintain high standards to ensure customer satisfaction, loyalty and referable. We increase the quality of service by educating customers and team members on the value our services provide, and how it will assist in their daily life. In addition to the value, and quality of service, we believe upholding ethical practices and integrity is non-negotiable, regardless of the situation. This means conducting business honestly, honoring commitments, and treating clients and employees with the utmost respect.

- Dan Rottler, president and COO, Rottler Pest Solutions

I own a travel agency and the one thing we absolutely will not compromise on is the quality of the products we offer. This means if I would not stay in a certain hotel, I would not allow my clients to and if they insist on it, we will refuse to assist them with the reservation. While we understand budgets are extremely important when traveling, we will take the time to find a hotel with honest reviews and try to meet their budget as close as possible in lieu of just “making the sale.” This is non-negotiable for us, and we pride ourselves on it.

- Kelly Nieder, president, Open Skies Vacations

Simply put, Customer Service. BRS Painting is a residential re-painting company. From initial contact to invoice, the customer’s experience needs to be consistent and pleasurable. Customer Service is one of our core values. It needs to be the driver of every action and shared throughout the company and our employees. Customer Service means we treat ourselves and clients with respect, humility and integrity by setting up clear expectations and communication. There is no logic in building a brand or paying for leads to attract single use clients.

- Brandon Bowlby, owner, BRS Painting

BBB study: Vacation fraud

Predatory timeshare/vacation club sales, exit businesses and related scams

A recent Better Business Bureau study found that lax consumer protection laws and enforcement lead to unethical, deceptive practices in the vacation industry.

2020-2022 complaints and reports

• 21.5K complaints about timeshare purchases, exit and vacation clubs

• 1.1K vacation-related Scam Tracker reports

• $3.5M lost as result of scams

The industry

• $8.1B timeshare sales in 2021

• $24K average timeshare cost

Red flags for predatory companies and scams

Timeshare companies:

• High-pressure sales tactics

• Maintenance fees that grow over time

• Claim ownership is an investment

Timeshare exit companies:

• Promise to resell quickly

• Push to pay fees up front

• Bend the truth about timeshare value

• Cost thousands even if no sale is made

• Fuel owner’s fear about obligation for heirs

Scammers:

• Claim timeshare owners owe unpaid fees

• Lie and say that credit will be ruined

• Tell consumers they can send part of what they “owe” to cover their debt

• Disappear once paid

BBB recommends to regulators:

• Create a nationwide 14-day “cooling off” period for timeshare sales

• Mandate truthful timeshare sales and exit company pitches

• Require companies to disclose facts and figures, similar to Truth in Lending Act

Read the complete study at BBB.org/scamstudies
