Not Another Piece on Cyber Security! by Martyn Wright
There seems to have been a plethora of articles on cyber risks recently, so why the need for another one, you might ask?
The reason is simple; businesses and individuals continue to be the victim of cyber scams. It is also true that no matter how small your business, information that you hold in respect of customers, employees, product design etc. is of huge interest to cyber criminals.
The Current Top 5 Threats
Ransomware – a form of malware that attempts to encrypt your data and then extort a ransom in exchange for an unlock code. Usually delivered via e-mail. The key steps to protect your business are:
- Staff Awareness – staff should be wary of unsolicited e-mails, particularly, those asking for a prompt response.
- Malware Protection – install and maintain good anti-virus and malware protection software.
- Software updates – keep your applications up to date.
- Data Backups – well managed data backups will allow you to recover from an unencrypted version of a file. Ensure you regularly test them.
Phishing, Spear Phishing & Whaling – phishing is an attempt to gain sensitive information while posing as a trustworthy contact e.g. your bank. Spear phishing is a highly targeted attempt to gain information from an individual, whilst Whaling is a form of spear phishing, where a fake e-mail from the CEO applies pressure, to make an urgent payment, on a CFO.
Phishing e-mails often look convincing, with faultless wording and genuine logos. Things you can do to help protect your business include:
- Be suspicious of unexpected e-mails and bear in mind that companies simply do not ask for sensitive information, nor will Banks ask for passwords.
- Make use of anti-malware software and ensure that you have spam filters turned on.
Data Leakage – With the widespread use of tablets and smart phones, it is essential to understand that security needs to extend well beyond the office. The following pointers provide useful first steps to prevent data leaking from your business:
- Ensure mobile devices have passcode locks.
- Turn on GPS tracking and the option to remotely wipe the device if it is lost.
- Encryption software is highly recommended when using portable storage devices.
- Do staff use unprotected personal devices or personal accounts (Hillary Clinton?) for business use?
- Keep an eye on your mobile devices, briefcases, paperwork etc. at all times. There have been a number of high profile data losses involving various Govt/Public bodies.
Hacking – Criminals have traditionally, attempted to gain access to bank account or credit card information. Intellectual property is another source of value. Tricking staff into revealing user names and passwords remains a threat. Primary protection methods include:
- Network firewalls and data access security.
- Procedures for providing and removing employee access and user awareness training.
Insider Threat – It is possible for employees to leak data, either by mistake or maliciously. The following tips can mitigate the size of any data leak:
- Education, so that your team are alert to issues and potential risks.
- Only provide staff with the minimum access to information they need to do their jobs.
- Control the use of portable storage devices.
- Consider using applications to monitor staff behaviour, in certain situations.
Do you have an Incident Response Plan? If so when was it last reviewed and are your staff aware of it and do they know what to do, if there has been a breach?
What to do if you have been breached
- Change your passwords and ensure they are strong – letters, numbers and symbols and the longer the better.
- Call your bank and credit card companies.
- Consider shutting your systems down and if appropriate, engage a third- party expert to assess the extent of the breach and advise on corrective action.
- Report the incident to ActionFraud.
- Communicate to all stakeholders, including customers and key suppliers, so that they know and understand what has happened.
- Document everything that you do.
Useful Sources of Information
- 10 Steps to Cyber Security for Smaller Firms - icaew.com/10 steps.
- Get Safe Online – Getsafeonline.org/businesses.
- ActionFraud – actionfraud.police.uk.
- Your Bank – speak to your Relationship Manager