
The battle between cyber criminals and companies is constant and on-going

By 18th July 2018

Business is now done mostly on personal computers, smartphones and tablets so we often take the advantages of this flexibility somewhat for granted.  It is too easy to forget that each of these devices may represent a risk to the company and to its data.

There have been many news stories concerning data breaches over the past few years, and the battle between cyber criminals and companies is constant and on-going.  Don’t assume that only large companies will be targeted; small companies can be attractive propositions too.

Research from the Federation of Small Businesses (FSB) shows that “a staggering seven million cyber crimes are committed against smaller businesses in the UK every year – that’s 19,000 a day. On average, a cybercrime incident costs a small business almost £3,000 in damages, and it can take days for the business to be back up and running”.

It’s all about the money...

Cybercriminals operate for their own financial gain at your expense. They do this by stealing private financial information, personal details and account login credentials, then go on to commit fraud, data theft or extortion, or simply sell that information to others who will commit further crimes.

However, there is even more at stake if they can infiltrate a company and trick employees with fake emails that look as though they come from an actual customer, supplier, business service or a superior: there is then a chance they can persuade employees to send large sums of money to a bank account owned by the cybercriminal.  It happens, and the company is then laid wide open to demands for money.

Here are some of the favourite methods used:

Malware – a software program written by cybercriminals to steal information from a computer or network.

Phishing emails – fake emails that imitate customers, suppliers or services known to the individual. These emails can trick the user into opening attachments containing malware, or trick the person into clicking on a hyperlink to a fake website where the user is asked to enter their login details.

Ransomware – This is what was used to attack the NHS in 2017. Ransomware locks computers and demands a ransom in bitcoin. If the ransom is not paid, the program deletes crucial data from the PC, or prevents the victim from using the machine again.

DDoS attacks – Distributed Denial of Service (DDoS) attacks happen when a hacker floods a company’s website with traffic to take it offline. The true aim of the attack is often to find vulnerabilities in the website’s defences so that the cybercriminal can access the website’s database of customer information, or to gain access to the company’s internal computer network.

How to protect your business

Prevention is always better than cure: make it difficult for the criminals and they’ll go elsewhere.  None of the measures below involve large sums of money or time, just good behaviours and practices.

1) Backups

This seems so obvious, and yet proper backups are one of the foremost weapons in the fight against cyber crime.  All information that your company requires to operate should be backed up: records, transactions, personnel information.  Imagine having to restart your business from scratch as quickly as possible; that is the starting point for planning your backup strategy.  Backups should be taken daily (cloud storage makes this far easier than it once was), and they should be checked or tested regularly - a backup that doesn’t work is not a backup.

2) Password Policy

Make sure you switch on password protection on all devices, and use two-factor authentication on all user accounts where you are given the option. Although it is seen as a major inconvenience, all staff should be forced to change passwords regularly and basic parameters for strong passwords (a mix of characters, letters and different cases) should be enforced.  Guessing passwords is much easier than most of us imagine if even basic information about individuals is available.

3) Updates

No one likes watching a computer updating and there are many stories of problems occurring after an upgrade, so it’s easy to assume that maybe this is something best avoided - if it isn’t broken, don’t fix it.  However it is crucial that you make sure all IT equipment (computers, servers, smartphones, tablets) is kept up to date with the latest software updates. If you cannot bear the idea of allowing automatic updates you need to dedicate resources to ensuring that updates are done regularly and timeously.

4) Antivirus

Ensure all PCs have antivirus software installed and active, and that your internet router and servers have properly configured firewalls installed. Even in small companies, these defences need to be monitored - if you feel that you simply do not have the resources to do this in-house there are many offerings from third parties who will install and monitor your security 24/7.  You may be surprised at how cost effective these services can be.

5) Limit downloading

Too many companies try to save money on software, but it is difficult to overstate the importance of obtaining applications and programs from reliable sources.  Staff should be prevented from downloading any third-party software from unknown sources, which might be malicious. A good way to do this is to remove admin privileges from their user accounts.  Their responsibilities in this area should also be made very clear in staff handbooks and contracts of employment.

6) Educate

Advise employees to be suspicious of any emails that are not directly addressed to them, and to avoid opening email attachments of unknown origin.  If the email was expected, it is almost certainly safe; if it was not expected, be wary.

Despite the attraction of sophisticated hardware and software to secure your data assets, the simple fact is that your staff are your greatest vulnerability, and potentially, your greatest strength.  If possible run education sessions for them to alert them to the potential risks of cyber crime and the impact it can have on their company.  Some risks, from social media posts for instance, may not be immediately obvious to them and need to be explained.

Companies should always try to avoid a fortress mentality where security is concerned, as it can be counterproductive. However, the risks are real, and the consequences for companies who haven’t put a strategy in place can be literally devastating.