All businesses should take steps to protect themselves online, in order to protect their data, reputation and revenues from cyber-attacks.
This is especially true when businesses have changed their ways of working in response to the Coronavirus outbreak, potentially exposing themselves to a greater risk of cyber-crime.
Cyber-crime comes in many forms but hacking and phishing – using fake emails to get security information – are among the most common.
Here’s a basic guide on how to ensure your business is protected against these two threats.
Simple steps to avoid being hacked
Unfortunately, organisations and businesses of all types and sizes are at risk of data hacking, although it is usually the larger companies that make the news headlines when a hack occurs. For example, this summer came the news that universities in the UK, US and Canada had data about students stolen after hackers attacked a cloud computing provider.
But the problem is more widespread than the headlines might suggest. In the 2020 UK Government Cyber Security Breaches Survey, almost half (46%) of businesses had identified cyber security breaches or attacks in the last 12 months.
The extent to which companies are taking action to deter hacks varies, which may be due to a lack of awareness and understanding of their cyber risk or due to lack of available resources.
Here’s a reminder of some easy-to-implement steps to get started and help keep your business protected.
Most businesses have basic password policies in place, but it’s important that all staff are aware of them. If everyone is well trained in creating and protecting passwords, your business as a whole is likely to be safer from hackers.
At its most basic, training staff to be cyber-secure means making sure they always use strong and unique passwords for all business accounts. These can be stored using an online password manager, so they don’t need to ever be written down or shared by email.
Also, take steps like limiting how many people have access to your systems and data.
Up to date software, firewalls and antivirus systems
Make sure your apps and operating systems are up to date. Likewise, ensure you have firewalls and antivirus systems in place on all devices, kept up to date and using the right settings. This is particularly important because cyber-attacks are constantly changing, so your defences must adapt too.
Regularly back up data
All businesses should make regular backups of any important data, and make sure that these backups are recent, secure and can be restored.
The majority of network or cloud storage solutions now allow you to make backups automatically.
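The article asks for backups that are recent, secure and restorable; the last point is the one most often left unchecked. The following is an added example, not code from the article or from Islands: it takes a backup of a folder, then proves the archive can be restored by extracting it into a scratch directory and comparing file hashes, and flags a backup older than an assumed one-day policy as stale. The folder contents, archive naming and the freshness limit are all constructed for the example.

```python
"""Added example (not from the original article): take a backup of a folder,
then prove it is recent and can actually be restored by extracting it to a
scratch directory and comparing file hashes. The folder contents, archive
naming and the one-day freshness policy are constructed for the example."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

MAX_AGE_SECONDS = 24 * 3600  # assumed policy: a backup older than a day is stale


def file_hashes(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by its POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source: Path, dest: Path) -> Path:
    """Write a timestamped tar.gz of source into dest, using relative member names."""
    archive = dest / f"backup-{int(time.time())}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)
    return archive


def verify_backup(archive: Path, expected: dict, now: float = None) -> dict:
    """Check the backup is recent and restores to exactly the expected files."""
    now = time.time() if now is None else now
    age = now - archive.stat().st_mtime
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses members that would escape the target
                # directory (Python 3.12+, backported to maintained 3.8-3.11 releases).
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older interpreters without the filter argument
        restored = file_hashes(Path(scratch))
    changed = sorted(k for k in expected if restored.get(k) != expected[k])
    return {
        "recent": age <= MAX_AGE_SECONDS,
        "restorable": restored == expected,
        "missing_or_changed": changed,
    }


def demo() -> dict:
    """Back up a constructed folder, then verify it fresh, stale, and after a file changes."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source, dest = work / "data", work / "backups"
        dest.mkdir()
        (source / "sub").mkdir(parents=True)
        (source / "a.txt").write_text("customer list v1\n")          # constructed content
        (source / "sub" / "b.txt").write_text("invoices 2020\n")     # constructed content

        archive = make_backup(source, dest)
        fresh = verify_backup(archive, file_hashes(source))
        # Same archive judged two days later: still restorable, but no longer recent.
        stale = verify_backup(archive, file_hashes(source), now=time.time() + 2 * MAX_AGE_SECONDS)
        # A file edited after the backup: the archive no longer matches the live data.
        (source / "sub" / "b.txt").write_text("invoices 2020 - edited after backup\n")
        after_change = verify_backup(archive, file_hashes(source))
    return {"fresh": fresh, "stale": stale, "after_change": after_change}


if __name__ == "__main__":
    print(demo())
```

The restore test is the part worth keeping: a backup that has never been extracted and compared is only a hope. In a real schedule the expected hashes would be recorded at backup time and the check run against a copy held separately from the live systems.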
Phishing attacks and steps to avoid them
The National Cyber Security Centre (NCSC), part of the Government Communications Headquarters, warns that all businesses, big and small, will be at the receiving end of phishing attacks at some point.
Broadly, phishing is when scammers use emails to trick you into giving them sensitive information. Common phishing tricks targeting companies include bogus emails that can look remarkably authentic and fool staff into transferring money or information.
The NCSC warns that phishing emails are getting harder to spot. But there are steps you can take to minimise the risks.
Reduce the damage
Give your employees the lowest level of user rights required to do their jobs, so if they are the victim of a phishing attack, the potential damage is reduced.
‘Administrator’ user accounts may be of particular interest to attackers, as they have the privileges to change security settings, install software and hardware, and access all files on the computer. So, limit administrator accounts to those who really need them and discourage people from using these accounts to check their emails or browse the web.
Use two factor authentication
Two-factor authentication adds an extra step to log-in procedures, by requiring two types of information from the user.
If all staff use two-factor authentication across business accounts, then even if an attacker learns a password, they still won’t be able to access the account without the second factor.
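To show why a stolen password alone is not enough, here is an added example that is not code from the article or from Islands: a minimal time-based one-time password check (TOTP, RFC 6238, the scheme behind most authenticator apps), combined with a salted password hash so that a login needs both factors. The user record, the password and the shared secret are constructed for illustration; the clock-drift allowance of one window either side is a common choice, not something the article specifies.

```python
"""Added example (not from the original article): a minimal time-based
one-time password (TOTP, RFC 6238) check, to show why a stolen password alone
does not get an attacker into a two-factor-protected account. The user record,
password and secret below are constructed for illustration."""
import base64
import hashlib
import hmac
import os
import struct
import time

TIME_STEP = 30     # seconds per TOTP window (the RFC 6238 default)
DIGITS = 6         # length of the code shown in the authenticator app
ALLOWED_DRIFT = 1  # accept one window either side to tolerate clock skew
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step)


def verify_totp(secret: bytes, code: str, at: int, drift: int = ALLOWED_DRIFT) -> bool:
    """Constant-time comparison against the current window and its neighbours."""
    counter = int(at) // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - drift, counter + drift + 1))


def make_user(password: str, totp_secret_b32: str) -> dict:
    """Constructed user record: salted password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": base64.b32decode(totp_secret_b32),
    }


def login(user: dict, password: str, code: str, at: int = None) -> bool:
    """Both factors must pass; a correct password with a wrong code is refused."""
    at = int(time.time()) if at is None else at
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS),
        user["pw_hash"],
    )
    return pw_ok and verify_totp(user["totp_secret"], code, at)


if __name__ == "__main__":
    # Constructed credentials; the base32 string is the ASCII secret "12345678901234567890".
    user = make_user("correct horse battery staple", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    valid_code = totp(user["totp_secret"], now)
    print("password + current code:", login(user, "correct horse battery staple", valid_code, now))
    # An attacker who knows only the password has no valid code to present.
    print("password + stale code:  ", login(user, "correct horse battery staple",
                                            totp(user["totp_secret"], now - 600), now))
```

The secret is shared once, when the user enrols their authenticator app, and never travels with the password afterwards; each code is only valid for a short window, which is what makes a captured password on its own insufficient.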
Train staff to spot unusual requests
Successful phishing attacks depend on a bogus email, which can sometimes be very sophisticated and convincing, persuading a user to click on something they shouldn’t.
So, ensure your staff have had training to help them spot phishing attacks – for example, if they get an email from an organisation that they don’t do business with, they should treat it with suspicion.
This can be very challenging, but signs of phishing scams include poor spelling, grammar and punctuation, and urgent wording such as ‘send these details within 24 hours’.
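Training people to notice the signs above can be backed up by a first-pass screen that applies the same checks before a message reaches the inbox. The block below is an added example, not code from the article or from Islands: it runs the two signals the article names (an unknown sending organisation and urgent wording) over two constructed emails, and goes one step further than the text by also flagging a Reply-To address on a different domain from the sender. The partner allow-list, the urgency phrases and the sample messages are assumptions made for the example; spelling and grammar are left to the human reader.

```python
"""Added example (not part of the original article): a first-pass screen for
the phishing signs the article lists, run over two constructed messages.
The partner allow-list, urgency phrases and sample emails are assumptions
made for the example."""
import email
import re
from email.utils import parseaddr

# Constructed allow-list of domains the business actually deals with.
KNOWN_PARTNERS = {"supplier.example", "bank.example"}

# Urgent wording of the kind the NCSC guidance warns about (constructed list).
URGENCY_PATTERNS = [
    r"\bwithin \d+ hours?\b",
    r"\bimmediately\b",
    r"\burgent(?:ly)?\b",
    r"\bsuspended\b",
]

# Constructed sample messages.
SAFE_EMAIL = """\
From: Accounts <accounts@supplier.example>
To: finance@ourcompany.example
Subject: Invoice for March

Hello, please find attached the invoice for March as agreed. Regards, Accounts
"""

SUSPECT_EMAIL = """\
From: IT Helpdesk <helpdesk@secure-login.example>
Reply-To: helpdesk@mailbox-reset.example
To: finance@ourcompany.example
Subject: Action required: mailbox suspended

Your mailbox will be suspended. Send these details within 24 hours to keep access.
"""


def _domain(header_value: str) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def screen(raw: str) -> dict:
    """Return the sender domain, a list of findings and a plain-English verdict."""
    msg = email.message_from_string(raw)
    findings = []

    from_domain = _domain(msg.get("From"))
    if from_domain not in KNOWN_PARTNERS:
        findings.append(f"sender domain '{from_domain}' is not an organisation we do business with")

    # Generalisation beyond the article: replies silently routed to another domain.
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from sender domain '{from_domain}'")

    payload = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + "\n" + payload.decode(msg.get_content_charset() or "utf-8", "replace")
    urgent = [m.group(0) for pat in URGENCY_PATTERNS for m in re.finditer(pat, text, re.IGNORECASE)]
    if urgent:
        findings.append("urgent wording: " + ", ".join(urgent))

    return {
        "from": from_domain,
        "findings": findings,
        "verdict": "treat with suspicion" if findings else "no obvious signs",
    }


if __name__ == "__main__":
    for name, raw in (("safe", SAFE_EMAIL), ("suspect", SUSPECT_EMAIL)):
        result = screen(raw)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

A screen like this is a prompt for a second look, not a verdict: a genuine supplier can write in a hurry, and a convincing phish can avoid every phrase on the list, which is why the article's advice to report anything unsure still stands.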
Report all attacks
Encourage users to report any emails that they’re unsure about, even if they have already clicked on them.
If you believe that your organisation has been targeted, report it to the States of Jersey Police. You may also be required to report to the Jersey Financial Services Commission and/or the Jersey Office of the Information Commissioner.
At Islands, we have access to Cyber Crime Insurers who, should your company be the victim of a cyber incident, can cover you for your financial loss, assist in minimising the disruption to your business and provide access to professional advisors to guide and support you. They also provide policyholders with complimentary risk management advice, services and training, which can reduce the likelihood of your company falling victim and suffering the stress, financial loss and reputational damage that such incidents can bring.
If you require a cyber-crime quotation or would like to discuss the cyber risks your company may be exposed to and the solutions we have available, please contact Mike Norbury at Mike.Norbury@islands.je.