Scams and cyber-attacks have become a fact of life for businesses in the UK. Firms are being targeted with bogus phone calls and emails by scammers trying to steal money, confidential data or sensitive information.
As firms become increasingly reliant on technology and exploit the internet to grow, they are making themselves vulnerable to malicious cyber-attacks.
At the same time the use of mobile devices and cloud services in the workplace has exacerbated an already high threat level.
The cyber threat applies to firms of all sizes, large and small.
Firms mistakenly think that they are too small to be on the radar of hackers and cyber criminals. You don't have to be a big company — such as British Airways, the National Health Service (NHS) or LinkedIn — to experience a big data breach.
Attackers know for example that SMBs (small to medium sized businesses) tend to have less money and fewer resources to protect their IT infrastructure.
The majority of cyberattacks are not planned or highly targeted. They are automated and indiscriminate, exploiting known vulnerabilities within commonly used IT systems.
According to a report from the UK’s National Crime Agency (NCA). The average age of those arrested for malicious hacking activities was just 17 years old.
And the consequences of a cyber-attack can be devastating, disrupting businesses, causing considerable financial and reputational pain, and possibly have a direct impact on your customers if their data has also been breached.
Plus, with the introduction in May 2018 of the GDPR there are potentially regulatory fines – as well as the remedial costs to your IT systems and infrastructure after a breach.
The cost of cyber-attacks.
WannaCry and NotPetya brought major companies to their knees and cost billions to remediate in 2018.
WannaCry and NotPetya are ransomware that spread rapidly across computer networks infecting Windows computers, encrypting files on the PC's hard drive, making them impossible for users to access, and then demanding a ransom payment in bitcoin in order to decrypt them.
Ransomware attacks often rely on persistence as the preferred method of wearing down targeted victims to the point of submission. After repeated attacks, the victim is often so desperate to regain access to their company’s network that they become resigned to paying the ransom demand.
After infiltrating the victim’s computer network and releasing the initial ransom demand, the attacker typically occupies a little used area deep in the victim’s network, from which they can watch and wait for their victim’s next move. Companies will often engage IT support in the hope of thwarting the ransomware demand.
Where uninfected external backups exist, IT support will wipe the data on the infected network and restore the network to a clean state. The attacker, still sitting in the victim’s network, typically waits a few hours before re-releasing the ransomware and again demanding payment to unlock the victim’s network.
Cybercriminals are patient and through this type of persistent behaviour they often succeed in their goal of wearing down their victims and securing a negotiated ransom.
The WannaCry and NotPetya ransomware attacks were massive incidents that impacted companies both large and small across the world affecting organisations such as the UK’s National Health Service (NHS) and shipping giant Maersk.
WannaCry is estimated to have infected 200,000 computers across 150 countries, spreading through unpatched versions of Microsoft Windows.
NotPetya was propagated through a compromised update of a popular Ukrainian tax application and affected companies in Ukraine and in other parts of Europe.
WannaCry cost the UK’s NHS an estimated £91.5 million, according to government calculations; £19 million for the attack itself and another £72.5 million in IT support to remediate and upgrade systems in the wake of the attack with an estimated total global cost of the attack calculated as high as $4 billion.
NotPetya was also widespread and costly. Shipping company Maersk and logistics company FedEx lost approximately $300 million each.
What measures can you take to protect your business?
There are some common-sense measures that your firm can adopt to avoid and minimise the risk of a malicious attack.
These actions will help you reduce the risk of human error and help you to set up some basic IT safeguards.
For cybersecurity planning to work employees need to be aware of the cyber criminals techniques and that these fraudsters adapt tactics depending on the situation.
Cybersecurity precautions help organisations to protect their hardware, IT infrastructure, business applications and sensitive data from unauthorised access.
Measures to protect against fraudulent emails.
An effective way to set up a defence against fake emails is to inform customers from the very beginning that email is not a secure method of transmitting sensitive or personal data.
Consider including a phrase at the end of your email signature that as a company you would never notify changes to important business information, such as bank account details, by email.
As a message this needs to be repeated over and over again, so that it becomes second nature to customers. The hope is in a situation where the customer is suspicious of an email, that they follow their gut feeling and report it.
If it is possible, when you are making a business transaction you should avoid conducting it entirely via email. Where time and circumstances allow, meet and speak or consider faxing the other party to get some reassurance that they are who they say they are.
Where electronic communication is essential, encrypted emails offer a much greater level of security and reduce the threat of a breach if emails fall into the wrong hands.
Malware and Phishing emails.
Malware (i.e. ‘malicious software’) refers to harmful programmes and software that allow hackers to access or destroy data on an infected system.
Your employees will need to have some kind of email security policy that they can refer to and follow, rather than leaving it all up to chance or guesswork on dealing with the threat of malware.
Actively communicate to all staff what the policy is, and keep it updated with the latest trends and tactics.
If your firm does have emails that contain sensitive information it is wise to have some verification procedures in place, to verify the sender or whoever is requesting the information.
Treat with caution emails (or phone calls) from another party to a business transaction that inform you of a change in bank account details, particularly if these are received just before you are due to close a transaction.
Email is the most common method used to deliver malware: a recent estimate is that 80-90% of ransomware attacks for example come via email.
Be careful of clicking on any link in an email purporting to be from a reputable source, in case this triggers malware. If in doubt, type the company’s website address into your browser to bypass a suspicious link.
If the email looks as though it is from a client, or a senior individual within your own firm, double check it against the email address from which you had received previous correspondence.
Fraudsters can make an insignificant change to how the email address looks, such as adding an extra letter or changing the email domain address.
If the email looks suspicious, do not follow any links, open any attachments (as they may contain malware), or respond to the email.
Hackers often distribute malware by disguising it as a downloadable file, such as a Word document or a PDF file. They usually attach them to emails, in-app messaging, social media posts or have victims download links on websites in a form that looks genuine.
Once malware is on a system, the hacker can access data, monitor keystrokes, activate webcams, or remotely take control of a machine.
Similar to malware, phishing involves tricking a user into clicking loaded links to acquire personal information, such as passwords, by posing as someone legitimate or an organisation familiar to that person.
Scams and cyber threats have become a fact of life, and it’s not only emails that firms are receiving, they are also being targeted with bogus phone calls.
Telephone calls can range in their approach from alerts concerning the security of a bank account, to advisors offering get rich quick deals or asking for bank details for the receipt of an upcoming payment.
As with emails, treat telephone calls with care and flag any unusual requests. As with all sensitive data, do not give away any details relating to your business, its employees or clients.
Telephone call scammers will often try to induce a sense of urgency in their victims, trying to make them think that something bad will happen if action is not taken immediately.
In some instances, they will stay on the phone, keeping the line open in the hope that you will follow their instructions to make contact for example with your bank and then impersonate them when you make a call.
Even if you consider a call to be genuine, do not deal with the query there and then, give yourself time to double check what you are being told and verify all the details.
Wait five minutes and then call another number that you know, so that you can double check that your line is not being held open. Then ring back the alleged caller on a number which you know to be correct to see if it was a genuine call.
And just because a caller has some knowledge of recent genuine transactions on for example a bank account these may have been acquired through hacking or other criminal activity.
It sounds like basic advice but never give out any authentication or account details that can be used to log into networks over the phone or by typing into your phone.
Scammers will attempt to get you to withdraw or transfer your money from your own account to a new account under the pretense of safekeeping. There is no such thing as a “safe account”. The bank would simply disable your account if it is being attacked.
A simple trick employed by scammers is to falsify the “caller display” details on your phone, making it look like it is a call coming from a legitimate number that you would recognise. To build trust they may ask the victim to check that the number showing on the telephone display matches the bona fide organisation's registered telephone number
Employee security policies and training.
Have clear and up-to-date policies and procedures in place for dealing with the risks, training staff to understand and implement the policies and safeguards.
Ensure that all staff, including support staff know how to deal with cyber-attacks. These attacks are growing increasingly sophisticated in their execution, but often the main reason for breaches tends to be a relaxed approach to cybersecurity among employees.
Cybersecurity cannot be achieved without addressing the human factor, as systems themselves have become harder to penetrate, the hackers have sought out softer targets, the employees themselves.
And even when systems have been designed to minimise risks, an individual employee can undo the best of cybersecurity plans with a click on the wrong website or opening the wrong email.
Hiring a security expert such as Worktools can be invaluable in the fight against cyberattacks. Worktools has specialist knowledge, gained from 15 years of experience in the government Defence & Security sector, and can provide your company with the best defence against the financial loss and reputational damage that is often the result of cybercrime.
Informed staff and a secure system can build the foundation for a strong cybersecurity defence and help to effectively manage an attack if one does occur.
For a security regime to work, it cannot be perceived as an obstacle to productivity. It's important that security rules and the technology provided enable users to maintain their productivity.
In a 2015 study by Wombat Security Technologies and the Aberdeen Group, it was found that employee training on cybersecurity can reduce the risk of a cyberattack significantly.
The following are some common sense training tips:
Ensure staff have a clear process to follow on verifying a caller or email that appears to be a senior member of staff, requesting a payment be made or soliciting sensitive information.
If you have remote working employees make sure there is a security policy that addresses the use of technology; for example, making sure devices are encrypted, to not use USB flash drives and that there is a policy in place concerning the use of personal phones, computers and tablets when working.
If staff are permitted to use mobile devices, consider restricting access to essential business applications.
Mobile devices should use ad-blocking software to protect against the threat of being infected by malware in the course of internet browsing.
Set up the ability to wipe lost or stolen devices remotely.
Inform staff of how using public Wi-Fi networks can compromise security.
Firms should consider using a VPN - a virtual private network - to enable secure connections are used whenever connected to public Wi-Fi.
While on a public Wi-Fi network, staff should never install any updates to computer programs or access sensitive information.
Remind staff that, when using a phone or laptop in public areas, their dealings can be seen and heard.
Consider running periodic internet searches against the name of the firm to make sure there is no fake website purporting to be that of your firm.
Restrict knowledge of the firm's bank accounts and payments made to a small number of people within the firm.
Impress on staff the need to flag and report suspicious incidents.
Ensure that confidential waste is disposed of correctly.
Regularly review and audit all cyber-attack preventative measures.
Put in place a simple crisis-management process, specifying who will take what action in the event of a security breach.
At Worktools in addition to our managed services for IT Support and Cybersecurity, we also provide a range of consulting services, which can be offered on a one-off or ongoing basis. This can range from a short risk assessment to managing your cybersecurity strategy.
Let us help you look after your data, your reputation and legal compliance. As an outside provider Worktools can conduct an initial security assessments and ensure that you are using the most advanced security technology, ensuring that both local and remote network access is protected.
image source: www.freepik.com