Before I start I should say that we don’t pretend to be cybercrime experts but we wanted to share with you some of the information we have recently been given to help you protect your business from the risks.
So, a couple of things have happened recently which have really heightened our awareness of the potential risks to business finances as a result of cybercrime.
The first thing that happened is that a business we know well was affected by mandate fraud. What happened was that one of their staff's Microsoft 365 accounts was broken into, and some of their clients then received what appeared to be emails from the business (which looked extremely genuine) advising that its bank details had changed and asking for payment to be made into a different account. This unfortunately resulted in two clients (between them) paying approximately £11,000 to a fraudster. This then becomes very difficult for the business that was hacked, as they still don't have the money they are owed from their customers, and the question of who is liable for the loss arises. Apart from the financial side, it has the potential to really affect relationships with their customers.
The second thing that happened was that I went to an event held by one of our clients, Node IT, who, with the support of Bedfordshire Police, provided some excellent information on the risks we need to be aware of and how to seek to avoid them and so we would like to share some of this with you.
Apparently 96% of crime has a communication/data element. Technology and the level of automation is creating so many more opportunities for the criminals out there so we need to protect ourselves and our businesses as much as we can.
Protecting your business – some of the risks
We of course need to protect our businesses because if our data or client data is stolen or we lose money financially from cyber crime, this could close our business down and it could be a PR disaster.
So here are some of the types of cyber crime we’ve heard about and that have resonated with us and which we want our clients and other business owners to be aware of.
- USB sticks – As you know, these are mobile holders of data. It is easy to leave them lying around or in a laptop bag carried from place to place; they can easily be stolen and the data used against you. We are also told that criminals sometimes deliberately leave USB sticks lying around expecting us to plug them into our computers, at which point we are attacked by a virus they have put on there.
- Phishing emails – we've all seen these. They often appear to come from companies asking us to re-register or to provide information. When we log in as they have requested, they can capture our data or give us a virus. We have to be on our guard for this.
- Routers – most of us will still have default settings on our routers (at home or work) and these can easily be accessed. We should change the router name and passwords as these can otherwise be very vulnerable.
- Calls from BT/Microsoft – These are phone calls from someone who tells you that you have a problem with your computer, phone or broadband and asks you to log on to your computer so they can help you fix it. They then access your data and can use it in various ways to commit a crime against you.
- Invoice emails – This is where you get invoices which appear to be from reputable companies asking for payment or asking you to click on a link for further information. Many of us have seen this with courier companies or parking fine companies.
- Vouchers – Invitation to claim vouchers for money off with reputable companies.
- Account updates – This is where you get a request from a supplier to update your details or update your security.
- Mandate fraud – This is where you are asked by suppliers to start paying their invoices to a different bank account. When we receive these, it is vital to phone our usual contact at the company (not the telephone number which may be on their communication) to verify this. We heard that one company lost £100k through mandate fraud and put the jobs of 27 staff at risk.
- Bogus boss emails – This is where you get emails which look like they have come internally from your boss asking you to pay something or to give certain information.
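The mandate fraud item above describes a control: a request to change a supplier's bank details is only acted on after calling the supplier on the number you already hold, never the number printed in the request. The following is an added example of that control as a small accounts-payable check; it is not code from the original post or from any product mentioned there, and the supplier records, phone numbers and domains in it are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SupplierRecord:
    """Supplier details as held in your own master data (constructed sample)."""
    name: str
    sort_code: str
    account_no: str
    known_phone: str     # contact number from your own records
    known_domain: str    # email domain the supplier has always used

@dataclass
class BankChangeRequest:
    """A request to pay a supplier into a new account (constructed sample)."""
    supplier_name: str
    new_sort_code: str
    new_account_no: str
    phone_in_message: str   # whatever number the email or letter quotes
    sender_domain: str      # domain of the address the request came from

# Constructed supplier master data; a real system would read this from the ledger.
SUPPLIER_MASTER = {
    "Acme Widgets Ltd": SupplierRecord(
        name="Acme Widgets Ltd",
        sort_code="12-34-56",
        account_no="11111111",
        known_phone="01234 000000",
        known_domain="acmewidgets.example",
    ),
}

def assess_bank_change(req: BankChangeRequest, callback_confirmed: bool = False) -> dict:
    """Decide whether a bank-detail change may be applied.

    The request is held until someone has phoned the supplier on the number in
    the master record (never the number in the message) and confirmed it.
    """
    master = SUPPLIER_MASTER.get(req.supplier_name)
    if master is None:
        return {"decision": "reject", "flags": ["supplier not found in master data"]}

    flags = []
    if (req.new_sort_code, req.new_account_no) != (master.sort_code, master.account_no):
        flags.append("bank details differ from master record")
    if req.phone_in_message != master.known_phone:
        flags.append("phone number in message differs from the number we hold")
    if req.sender_domain.lower() != master.known_domain.lower():
        flags.append("sender domain differs from the supplier's usual domain")

    if "bank details differ from master record" not in flags:
        # Nothing to change; no payment instruction is altered.
        return {"decision": "no change", "flags": flags}

    return {
        "decision": "approve" if callback_confirmed else "hold",
        # The callback number always comes from our own records.
        "verify_by_calling": master.known_phone,
        "flags": flags,
    }

if __name__ == "__main__":
    # Constructed example: new account, new phone number, look-alike domain.
    request = BankChangeRequest(
        supplier_name="Acme Widgets Ltd",
        new_sort_code="65-43-21",
        new_account_no="99999999",
        phone_in_message="07700 900123",
        sender_domain="acme-widgets.example",
    )
    print(assess_bank_change(request))
    print(assess_bank_change(request, callback_confirmed=True))
```

The point of the design is that `verify_by_calling` is taken from the master record and the request can never override it, so the person processing the change is steered to the genuine contact even when the fraudulent message supplies its own "helpful" phone number.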
We understand that the bulk of cyber crime occurs due to insider (staff) threats. This can be something which is deliberate or something which allows the company to be attacked due to an error or lack of education.
So some things to think about are:
- Having clear policies about how data is dealt with when staff leave
- Have your staff got access only to the information they need? If not, be careful who has access to which folders or which levels of access on your IT systems
- Educate your staff on the risks of cyber crime and allow them to challenge and double check things with their boss or colleagues before they release information or make payments.
- Having non-disclosure agreements for staff
- Having policies on how they should use data, access data, give data and protect data
- Ensuring there is a clear and strong password practice in place
This is an area where more can be done to protect your systems and information.
You should ensure that all passwords are strong, with 12-15 characters. Use lower and upper case. Use numbers and special characters.
Don’t use the same password for different things. If you have a problem with a bank account for example, the banks will ask you if you have the same password that you use for something else. If this is the case, they may not refund you.
Consider password storage. You can store them encrypted on your phone, keep them written in a book in an envelope in a safe, or store them online in a password manager such as 'LastPass'.
We heard that some companies keep passwords in a spreadsheet called "passwords", which has been very easily found and used to commit cyber crime.
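As an added illustration of the password guidance above (not code from the original post), here is a small policy checker that applies the rules just listed: a minimum of 12 characters, lower and upper case, numbers and special characters. It also flags a password that is already in use elsewhere, by comparing a SHA-256 hash rather than the plaintext, so the list of previously used passwords never has to be kept in the clear. The weak-password list and the sample passwords are constructed for the example.

```python
import hashlib
import string

MIN_LENGTH = 12          # minimum from the guidance above
RECOMMENDED_LENGTH = 15  # upper end of the recommended range

# Constructed list of passwords that should never be accepted, compared case-insensitively.
COMMON_PASSWORDS = {"password", "password1", "password123!", "welcome1", "letmein", "qwerty123"}

def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def check_password(candidate: str, used_elsewhere_hashes: set = frozenset()) -> list:
    """Return the list of policy rules the candidate fails (empty means acceptable).

    used_elsewhere_hashes holds SHA-256 digests of passwords already used for
    other services, so reuse can be detected without storing those passwords.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no number")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the list of common passwords")
    if _sha256(candidate) in used_elsewhere_hashes:
        problems.append("already used for another account")
    return problems

def is_acceptable(candidate: str, used_elsewhere_hashes: set = frozenset()) -> bool:
    return not check_password(candidate, used_elsewhere_hashes)

def remember_password(candidate: str, used_elsewhere_hashes: set) -> None:
    """Record a newly chosen password's hash so later choices cannot reuse it."""
    used_elsewhere_hashes.add(_sha256(candidate))

if __name__ == "__main__":
    known = set()
    for pw in ["summer2019", "Password123!", "Tr0ub4dor&3xplain!"]:   # constructed samples
        failures = check_password(pw, known)
        print(f"{pw!r}: {'ok' if not failures else ', '.join(failures)}")
        if not failures:
            remember_password(pw, known)
    # Choosing the same password again for a second service is now refused.
    print(check_password("Tr0ub4dor&3xplain!", known))
```

The reuse check deliberately hashes rather than stores the plaintext; the same idea is what a password manager does for you, which is why the guidance above points towards one rather than a spreadsheet.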
So, have you thought about what would happen if something did happen to your data? What would you do? Do you have a plan B or a backup plan? As it's all so crucial to our business, it's really important that we have a strategy in place for this.
Do you ever ignore those update messages you get on your computer?
We need to make sure we have up-to-date antivirus on our computers and that it hasn't expired. If you have a good IT support company providing services for you, they are likely to take care of this for you.
It is important to run the updates and not to ignore these otherwise we are not keeping up to date with the protection needed for new threats.
So what does this mean for you?
You may have read this blog through to the end and decided you already knew all of this and if you did then that’s great. However, there may be one or two things that you log in your mind that you need to go away and double check or change in your business or remind your staff about to make sure that you are robust.
To take things further, the new Cyber Essentials certification is something to consider, as the process takes you through all the risks and ensures you have measures in place to prevent cyber crime. The certification is also a way of demonstrating to your clients that you take cybercrime seriously. If you would like more information about this, talk to your IT provider or contact us and we can pass on the details of experts we know. The cybercrime expert we met from Bedfordshire Police is willing to meet with businesses who contact him, both to discuss any problems they have had and to help them put in place measures to avoid being a victim of cybercrime, which is extremely helpful.