Cyber-crime is still the thing that happens to someone else, right? Until it’s not.
It’s also something of a silent weapon because you can’t see it or touch it. But when it happens to you, you will certainly feel it.
October is Cyber Security Awareness Month. Which for us, also comes with an awareness that cyber security is a bit of a trite topic and not something you really want to think about.
So instead of pretending that this is the most exciting blog you’ll read this year (it’s not), we’ll simply try to help you feel more in control about potential attacks with actions you can take to avoid them.
And although cyber-crime is a scary subject, this isn’t about scaring you into buying things you don’t need. It’s a straight-talking, no-nonsense guide to protecting you and your business in the way that works for you.
A stat waiting to happen?
In the past year, 39% of businesses had a cyber-breach or cyber-attack. That’s 2 in every 5 businesses. But since the headlines are all about the big names, you probably shudder with relief that your business isn’t big enough to be targeted. Except…
…small and medium-sized businesses are actually the most common victims of cyber-attacks. Small businesses often act as a gateway into larger ones, they are more vulnerable to social engineering, and they are more likely to pay ransoms.
Whilst many businesses are insured against the loss of money in the bank, the less tangible losses can be far reaching. Consider how much you might lose if you had to temporarily stop trading, or if you lost data that you rely on to run your business. And the most intangible of them all is damage to your reputation, which can be difficult to quantify and even harder to recover from.
The biggest risks:
- Lost revenue
- Business interruption
- Reputational damage
- Data loss
How SMEs are targeted
Among businesses that experienced a cyber-attack last year, 83% reported phishing as the cause. But although this makes phishing the most common cyber-attack method, surprisingly, only 19% of businesses test staff with mock phishing exercises.
Remote workers may also be seen as easy targets for cyber-criminals, as employees working from home are unlikely to have the same level of security protections as employees in an office setting.
You & Your Family
We are all rather reliant on tech. It makes our lives so easy, we’ve welcomed it into our homes with open arms – and sometimes an open door!
But it’s not just the risk of someone emptying your bank account or spending on your credit card. When it comes to you and your family, the reputational damage caused by cloning and impersonation could be catastrophic. So here are 7 things you can do to reduce your risk:
Your cyber-crime fighting kit
1. Look out for timely and topical scams
Look out for news-jacking scams; hackers are quick to implement topical and timely scams that ‘feel’ relevant. For example, there’s recently been an email scam about the energy rebate. People received an email asking them to fill in a form to claim support back when in fact, the rebate is happening automatically.
2. Sweet FA
2FA (Two-Factor Authentication) or MFA (Multi-Factor Authentication) requires you to prove your identity with two or more pieces of information when logging into a system or application.
These additional layers of cyber-security reduce the risk of being hacked. So much so that the National Cyber Security Centre (NCSC) recommends 2FA for accounts that hold highly sensitive or valuable data, as well as for email accounts (since an email address is often the gateway to resetting other accounts and services).
Secondary authentication via text message or an authenticator app is the most common 2FA method (Tech Beacon reported that SMS verification can stop 100% of automated attacks, 96% of phishing attacks, and up to 75% of targeted attacks). Common MFA methods include inputting a code sent to another device, or confirming access using biometric data (finger or face).
3. Three random words
Longstanding advice to create a complex password with random characters, symbols and numbers is no longer considered helpful, since memorising them is almost impossible. And whilst companies like Apple can create ‘strong passwords’ for you, as soon as you move to another device, you can’t sign in.
Instead, use 3 random words. Three-random-word passwords are hard to crack, and much easier to remember than th1sw0rDthAt5i5fu110fnumb3r5andl3tt3rs.
In fact the ‘three random word strategy’ is the password method recommended by the NCSC (National Cyber Security Centre) at home and at work.
4. Train your humans
Whilst bots are facilitating many cyber-attacks, it’s human error that accounts for much of its success; a click on an interesting link, opening an intriguing video, peeking at a pen drive ‘lost’ in the street – we’ve all made these mistakes at some point. So make your teams, and friends and family, aware of the latest attacks. Test staff with mock phishing exercises and make it ok to ask a silly question or for a second opinion.
5. Trust your gut
If something feels even slightly suspicious, it probably is. And if it’s genuine, you haven’t lost anything by putting the phone down and calling back on the number you’ve found yourself. Just be aware that if you make the caller aware of your intention, they may try to steer you towards calling a bogus number.
6. Be a grammar geek
When you look closely, phishing emails are often full of grammatical errors or poor spelling (even if the branding looks legit). An official email or advert will have been written, edited and proofread by professionals. And whilst the odd mistake may slip in, it’s rare. Obvious grammar mistakes, misspellings and odd sentence structures are a sure sign of phishing, especially in something claiming to come from a bank or payment provider.
7. Do the boring bit – review policies every year
If you have policies, check that they cover what you need. Don’t only consider hardware or cash in the bank. Think about business interruption, loss of income, loss of data and reputational damage. And if you don’t have policies, chat with someone you trust. A professional adviser should never try to sell you something you don’t need and should ask you lots of different questions to make sure you are properly covered.
Protect yourself and your business
Overall, take the best precautions you can to reduce your risk, but cover yourself for the worst.
And if you’re just not sure what cyber-protection you need, or you’ve had enough of thinking and want to take action, we’re here to ask you the questions you may not have thought about. And we never judge.