Protecting yourself against the cyber threat

Aug 14 | 2017

There has been a lot in the press recently about cyber attacks. It’s a problem that is of our own making: as we become increasingly dependent on Internet-based systems, we give more power to criminals who seek to gain from our self-imposed vulnerability. In this article Steve Jordan looks at some of the dangers cyber crime poses, and what you can do to protect yourselves.

If your business is hit by a cyber attack, your ability to function as a business will be impaired. You might lose money, or commercially sensitive information, or other people’s data. Your service might suffer, your reputation might be damaged, your customers might lose confidence in you and (and here’s the salt in the wound) you might get fined as well for not keeping your customers’ data safe. It’s really bad news.

According to PWC’s Information Security Breaches Survey released in June 2015, 90% of large organisations and 74% of SMEs had suffered a security breach - up from 81% and 60% the year before. This is not a theoretical risk.  This is real.  

So, let’s look at the types of attack you are guarding against.    

Malware 

This can infect a computer from contaminated email attachments, infected websites or social media posts, or corrupt files stored on external drives.  Common types include: Spyware, designed to steal information about your activity on a computer so a criminal can obtain personal information; Ransomware, that locks a computer until a ransom is paid, usually in Bitcoin; or viruses that disrupt the operation of a computer.  

Protecting against malware 

Use a firewall designed to protect one computer from another; use antivirus software and keep it up to date; encrypt sensitive data; restrict the kind of devices that you will allow to be connected to your office computers (phones, iPods, USB drives, etc.); keep software updated with the latest patches from the developer; back up data regularly; and have strong passwords that are as long as possible, have different types of symbols and are not based on personal information that could be discovered by a hacker. Avoid following potentially malicious links in e-mails or attachments.

Social Engineering 

This is when a fraudster manipulates an individual into helping them get access to a computer system. Phishing, for example, is when a criminal sends an e-mail pretending to be someone else in the hope that it will be opened and acted upon. Spear phishing is a more direct form of the same thing, directed at a specific person and often appearing to come from someone they know. Payment fraud is another type of social engineering that fakes a request from a senior member of staff or a trusted supplier to pay money to a specific bank account.

Protecting against social engineering 

It’s largely a matter of staff education.  People need to be wary and always check before doing anything.  If you hover the mouse over an e-mail address in the sender box it will show you where the message really came from.  Check for e-mails that are spelt badly or include numbers in their addresses rather than letters; often phishing e-mails will be sent from an email account that looks right, but isn’t quite. Never provide banking, login or personal information unless you check that the request is coming from a genuine source.  
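The "looks right, but isn't quite" check above can also be automated on the mail gateway. The following Python sketch is an added example, not part of the original article: the trusted domains and sample senders are constructed, and it only catches look-alike domains, not a forged sender address.

```python
from email.utils import parseaddr

# Constructed allow-list of domains the business really deals with (assumption).
TRUSTED_DOMAINS = ("examplebank.com", "example-movers.co.uk")

# Digits commonly swapped in for look-alike letters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Classify a From: header as trusted, suspicious or unknown."""
    _, address = parseaddr(from_header)
    _, at, domain = address.lower().rpartition("@")
    if not at or not domain:
        return "suspicious", "no usable sender address"
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    normalised = domain.translate(LOOKALIKES)
    for good in TRUSTED_DOMAINS:
        if normalised == good.translate(LOOKALIKES):
            return "suspicious", f"{domain} swaps digits for letters in {good}"
        if edit_distance(normalised, good) <= 2:
            return "suspicious", f"{domain} is nearly identical to {good}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ("Accounts <accounts@examplebank.com>",
                   "Accounts <accounts@examp1ebank.com>",
                   "Accounts <accounts@exampelbank.com>"):
        print(sender, "->", check_sender(sender))
```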

Data leakage 

It’s very easy for a criminal to create a spear phishing e-mail that looks as if it has come from you, or is personal to you, if he knows where you are and what you are doing. For example, if you’ve just visited a restaurant you might not be suspicious of an e-mail survey that comes in the following day. The survey might contain malicious software.

Protecting yourself against data leakage 

Many people are happy to live their lives online, posting their every movement and thought on Facebook or Twitter.  Be careful what you post.  Also, check what information is available online and be careful how much you divulge to your ‘friends’ on Facebook.  Not everyone is friendly.  Make sure you have your privacy settings up to date.  Don’t forget, if you are a director of a company there’s loads of information about you at Companies House and, if your business is registered at your home address, anyone can find out where you live.  Try, as best you can, to keep your personal and business lives separate.  

Sniffing 

Sniffing is when criminals intercept your data when it's sent through a publicly available Wi-Fi hotspot. They can steal passwords and login details even if you don’t type them in every time. Criminals can even set up their own public hotspots which connect you to their computer as soon as you log in.

Protecting yourself against sniffing 

If possible, use a Virtual Private Network (VPN) when accessing public Wi-Fi connections; it will encrypt your data so the criminals can’t get at it. Don’t do anything on public Wi-Fi that you wouldn’t want other people to see, such as online banking, accessing company e-mails or anything that requires you to enter a username or password. If in doubt, stick to using your 4G connection, which is also encrypted.

Legislation 

The European General Data Protection Regulation (GDPR) comes into force on May 25th 2018 and will bring into effect a set of rules that anyone processing customers' personal data must abide by. Customers will have more say over what you can do with their data and how it can be used, and reporting a data breach will be mandatory. It will also give greater power to regulators to impose significant fines if your business is responsible for losing data, up to 5% of global turnover or €20m.

Reporting crime 

It’s important to report crime to help the authorities catch the criminals. In the UK you can report cyber crime online at www.actionfraud.police.uk or by phoning 0300 123 2040. Check out the reporting process in your country and be sure to report the criminals every time.

In the future our lives will be controlled even more than they are today by computers and more of our business will be conducted online.  The criminals try to be one step ahead and the adage is relevant: they only need to get lucky once, we have to stop them all the time.
