A cyber awareness guide for SMEs

Technology is rapidly evolving, providing great opportunities for businesses to improve processes and communication. However, it comes with its challenges, as these constant changes also open up opportunities for criminals.

To help you stay on top of the latest cyber threats and what you can do to protect yourself and your business online, we’ve pulled together some useful information. It sets out the steps you need to take, or tighten up on.

It’s important to note that this isn’t an exhaustive list; as mentioned above, this environment is ever changing and evolving. However, this information will improve your current level of understanding, help you spot advances and changes, and improve the protection of your systems, your business and your customers.

It’s often the case that SMEs prioritise innovation, growth and survival above online security, risk mitigation and due diligence, which can be seen as an expensive, time-consuming burden. However, without awareness and the relevant measures in place, SMEs are often left in a more vulnerable position and open to attack.

Without trying to scaremonger, every day thousands of computers worldwide are attacked by criminals taking advantage of the online world to deceive, hack and steal. It’s now just the world we live in. Attacks can have a devastating impact on businesses, both reputational and financial. Cybercrime is significant, and it’s growing year on year, affecting all sectors of society. Now is the time to swot up.

Implementing a few simple security processes and making staff aware of threats can make a significant difference in reducing your chances of becoming a victim.

What areas of your business are at risk from cyber-crime?

In a nutshell:

  • your money
  • your reputation
  • your data, including client details or personal information, payment information, product details and confidential company information
  • your intellectual property
  • your IT equipment
  • your IT based services, for example websites and payment systems

As computer usage increases, so too do the risks of business computers being compromised from either internal or external sources. Cybercriminals are becoming more sophisticated and fraud is becoming more difficult to detect.

The must do’s:

Cyber-crime prevention – the need to knows

  • Understand where your data is held – so that you can protect it
  • When new security threats are identified, change your procedures and controls to mitigate your risk
  • Create a cybercrime prevention culture within your business – train your staff on how to spot cybercrime incidents and what to do if they are identified
  • Regularly update staff and include cybercrime awareness in induction plans for new starters
  • If you don’t have an IT department within your business get external help from a company like Smart Computers to review and update your systems, policies and procedures

Types of cybercrime and how to prevent them

There are two main types of cybercrime:

Cyber dependent crime

  • What is it?

This crime involves a criminal accessing your computer system and making it unusable. These offences can be carried out against computers, networks, data storage or other devices. If access is gained, a hacker may have the ability to:

  • steal or change data held on a network
  • control devices linked to a network such as CCTV or printers
  • view what a user is doing by monitoring keyboard strokes or accessing the webcam

There are a number of ways computer systems can be hacked, including cracking passwords or attacking a software application. Typically, newer programs or software are more vulnerable.

Another form of cyber dependent crime is the use of malicious software. This software gains unauthorised access to computers and/or other connected devices via contaminated email attachments, infected websites, or corrupt files held on external devices such as laptops, mobile phones and USB sticks. These attacks are more commonly referred to by the type of software involved: malware, ransomware, spyware, worms and viruses.

  • How to prevent cyber dependent hacking

There are some important steps you can take to prevent cyber dependent attacks.

  • Use a firewall – A firewall controls the traffic entering and leaving a network using filters and rules
  • Encryption – It is wise to encrypt all important and sensitive data so if it is accessed or stolen it can’t be read
  • Keep software updated – make sure any software on your computers, systems and mobile devices is kept up to date. Download ‘updates’ and ‘patches’ as soon as they are available, as they are released specifically to protect you. Delaying an ‘update’ increases your vulnerability
  • Use up to date software – older software (such as Windows XP) may be obsolete and no longer receive security updates
  • Password security
    • make passwords as long as possible; the more characters, the harder it is to crack
    • use a variety of characters including numbers, symbols and punctuation marks
    • don’t include dictionary words as they are easier to crack; if you do, replace letters with symbols
    • try using a passphrase of three random words together, maybe a lyric from your favourite song
    • use different passwords for different accounts
    • avoid using personal information
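
The password rules above can be turned into a check that runs before a password is accepted. The following is an added example, not code from the guide or from Smart Computers; the word list, the substitution table and the length thresholds (12 characters for a mixed password, 16 for a passphrase) are assumptions chosen for the demonstration, and `personal_info` is a list the caller supplies (names, company, dates of birth) so those can be rejected too.

```python
# Added example: a password checker implementing the guide's rules.
# Word list, substitution table and thresholds are assumptions for the demo.
import re
import string

# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "company", "admin",
                "letmein", "monkey", "football", "qwerty"}

# Letter-for-symbol swaps that password crackers try automatically, so
# "p@ssw0rd" is judged as the dictionary word "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def compact(text):
    """Lower-case, undo common symbol substitutions and drop whitespace."""
    return re.sub(r"\s+", "", text.lower().translate(LEET))


def character_classes(pw):
    """How many of lower case / upper case / digits / symbols are present."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def is_passphrase(pw, min_words=3):
    """Three or more alphabetic words of at least four letters, separated by
    spaces, hyphens or underscores (the guide's 'three random words')."""
    words = [w for w in re.split(r"[\s\-_]+", pw) if w]
    return len(words) >= min_words and all(w.isalpha() and len(w) >= 4 for w in words)


def check_password(pw, personal_info=(), min_length=12, min_passphrase_length=16):
    """Return the list of rules the password breaks (an empty list means it passes)."""
    problems = []
    norm = compact(pw)

    if is_passphrase(pw):
        # Random-word passphrases get their strength from length, not from symbols.
        if len(pw) < min_passphrase_length:
            problems.append(f"passphrase too short ({len(pw)} < {min_passphrase_length})")
    else:
        if len(pw) < min_length:
            problems.append(f"too short ({len(pw)} < {min_length})")
        if character_classes(pw) < 3:
            problems.append("use at least three of: lower case, upper case, digits, symbols")
        # A single dictionary word, even with symbol substitutions, is weak.
        letters_only = "".join(c for c in norm if c.isalpha())
        if norm in COMMON_WORDS or letters_only in COMMON_WORDS:
            problems.append("based on a dictionary word")

    # Names, company names, birthdays and the like are guessable; reject them.
    for item in personal_info:
        if len(item) >= 4 and compact(item) in norm:
            problems.append(f"contains personal information: {item!r}")
    return problems


if __name__ == "__main__":
    for candidate in ["p@ssw0rd", "correct-horse-battery-staple", "SmartComputers2024!"]:
        print(candidate, "->", check_password(candidate, personal_info=["Smart Computers"]))
```

The checker treats a passphrase and a mixed-character password differently on purpose: a four-word passphrase without symbols passes on length alone, while a short word dressed up with `@` and `0` is still flagged as a dictionary word because the substitutions are undone before the comparison.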

  • How to prevent malicious software attacks

By being aware of the routes that malicious software can come in via, and taking care when clicking on links and opening attachments, you can greatly reduce the risk of a malicious software attack. In addition:

  • Use antivirus software to monitor devices and servers – antivirus software will alert you to risks before they reach you and can remove and repair any damage caused. It is recommended that you use a comprehensive ‘paid’ version of antivirus for businesses to provide more protection. Smart Computers are partners with ESET who offer award winning antivirus packages for less than you might think
  • Use a firewall – A firewall controls the traffic entering and leaving a network using filters and rules
  • Back up your data regularly to a separate device. Encrypt your backup where possible. Smart Computers provide a range of backup facilities to protect you, your business and your customers
  • Device control – prevent malware from infecting computers by restricting what devices can be connected to them such as smart phones and USB drives
  • Don’t follow links or open attachments unless they are from a trusted source
  • Remove any software or IT equipment no longer needed, ensuring sensitive information is wiped

Cyber enabled crime

  • What is it?

Cyber enabled crime is more ‘traditional’ crime that has gathered scale and reach through the use of computers, networks and other devices such as mobile phones and tablets. It includes using false or stolen credit card details to buy items online, or persuading victims to transfer funds to criminal accounts via fraudulent emails.

Other cyber enabled crime, known as social engineering, involves a fraudster manipulating an individual to assist their criminal activity via:

  • Phishing – sending emails pretending to be someone else to numerous recipients at the same time with an aim to get them to reveal confidential information
  • Spearphishing – a more direct form of phishing where the criminal sends an email to a specific person, impersonating a ‘sender’ that is often known to the recipient. The email may contain other information to make it appear more genuine, such as details gathered from social media sites (e.g. holiday plans, birthdays)

Another form of cyber enabled crime involves hacking, identity theft and fraud carried out via public Wi-Fi systems or ‘hot spots’. This happens either through a criminal intercepting your data as you send it over a Wi-Fi network, or through a criminal setting up their own public hot spot, broadcast under a name like ‘free_wifi’ or ‘coffee_shop_wifi’. When you connect to a fraudulent hot spot, you are effectively connecting to the criminal’s computer, which can then capture any data you send.

  • How to prevent ‘traditional’ cyber enabled crime

The best defence is staff education and awareness. Making your team aware of what to look out for will reduce the risk of falling victim.

  • Check the sender’s email address on every email to confirm it is legitimate – look at the actual address, not just the display name
  • Never provide full bank details, personal information or login details straight away – the best thing to do is to contact the organisation or person making the request using trusted and known contact details such as over the phone to confirm
  • Be cautious when posting online, especially on social media sites – does the information you share need to be in the public domain? Check your security settings
  • Manage any changes in user access. Ensure any staff leaving the business no longer have access to IT systems or buildings
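
Checking the sender address is something a mail filter can do on every incoming message before a person ever sees it. The following is an added example, not code from the guide or from Smart Computers: it parses the `From` and `Reply-To` headers with Python’s standard `email` module and flags the patterns the guide describes (an unknown sender domain, a display name that claims to be a known contact while the address says otherwise, a look-alike domain, and replies being redirected elsewhere). The `TRUSTED_DOMAINS` list and both sample messages are constructed for the demonstration.

```python
# Added example: header checks automating the "check the sender address" advice.
# TRUSTED_DOMAINS and the sample messages are constructed, not real data.
import email
from email.utils import parseaddr

# Constructed: domains of organisations this business actually deals with.
TRUSTED_DOMAINS = {"smartcomputers.example", "bank.example"}


def domain_of(address):
    """Domain part of an email address, lower-cased."""
    return address.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-or-two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message):
    """Return a list of reasons to treat the message with suspicion (empty = none found)."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ["From header has no usable address"]
    from_domain = domain_of(addr)
    name = display.lower().replace(" ", "")
    findings = []

    if from_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {from_domain!r} is not a known contact")

    for trusted in TRUSTED_DOMAINS:
        if from_domain == trusted:
            continue
        brand = trusted.split(".")[0]
        # Brand name buried inside a different domain, or a near-miss spelling.
        if brand in from_domain.replace("-", "") or edit_distance(from_domain, trusted) <= 2:
            findings.append(f"sender domain resembles trusted domain {trusted!r}")
        # Display name claims to be the brand while the real address says otherwise.
        if brand in name:
            findings.append(f"display name {display!r} does not match address {addr!r}")

    # A Reply-To pointing at another domain sends the victim's answer elsewhere.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"replies would go to a different domain: {domain_of(reply_to)!r}")
    return findings


# Constructed sample headers (not real messages).
GENUINE = """From: "Smart Computers" <support@smartcomputers.example>
Subject: Your support ticket

Hello,
"""

SUSPICIOUS = """From: "Smart Computers Support" <accounts@smart-computers-help.example>
Reply-To: billing@mailbox.example
Subject: Invoice overdue

Please see the attached invoice.
"""

if __name__ == "__main__":
    print("genuine:", check_sender(GENUINE))
    print("suspicious:", check_sender(SUSPICIOUS))
```

Only the headers are inspected; the point is that the address inside the angle brackets, not the friendly name in front of it, decides who the mail is really from, and that a `Reply-To` on a different domain deserves a phone call to the known contact before anyone answers.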

How to protect yourself when using Wi-Fi connections – which ones are safe?

  • Use a Virtual Private Network (VPN) which will encrypt your data as you send it. VPNs can be downloaded on to phones and computers as an app
  • Don’t do anything on public Wi-Fi that you wouldn’t want other people to see such as online banking, accessing company emails or anything that requires you to enter a username and password
  • If you are unsure as to whether a Wi-Fi hotspot connection is secure, don’t use it. Use your 3G and 4G data connections instead as these are encrypted

Top 10 takeaway tips:

1. Be sceptical – If it sounds too good to be true, it probably is. Approach deals, opportunities, documents, transactions and information with caution.

2. Know your business – Have a thorough understanding of your business:

  • How it operates
  • The staff you employ
  • The products and services you provide
  • Your target markets and your legal and regulatory obligations

This will help you detect when something isn’t right.

3. Know your customers and suppliers – Understand who you do business with to help identify occasions where a seemingly ordinary business request or transaction looks out of the ordinary.

4. Identify areas where your business may be vulnerable – How may a cybercriminal target your business? Test the systems you have in place to reduce your risk, ensure you and all staff are aware of the systems in place. Review these on a regular basis.

5. Develop an anti-fraud culture – It’s important that your staff understand the risks, and the impact that any losses have on the business and on them personally. This will help them to be more vigilant.

6. Take care online – Make sure your business technology is protected against attacks. Back up, Back up, Back up.

7. Understand your finances – Always check your bank statements. Have a good handle on the accounts so you can spot any discrepancies or abnormalities.

8. Secure and protect your property – Including laptops, computers, phones and IP. Include these in your back up systems and processes.

9. Make an action plan – What are your knowledge gaps? Where do you need professional or legal advice? Understand your pitfalls and the processes that need tightening up. Prevention is better than cure.

10. Always report fraud – Report it if you feel you have been scammed or defrauded. Action Fraud is the UK’s national fraud reporting centre. They provide a central point of contact for information about fraud and financially motivated internet crime.

  • You can report online at actionfraud.police.uk or call 0300 123 2040
  • You can also report the crime to police in your local area if you know the suspect

 

How to report cybercrime

If you are the subject of fraud, it’s vital that it is reported. If the authorities are unaware, they won’t be able to take steps to combat this activity now and in the future. Your information may form part of one big jigsaw as the fraudulent activity may also be happening elsewhere.

Report cybercrime to Action Fraud online at www.actionfraud.police.uk or call on 0300 123 2040.

Call 999, 101 or go to your local police station if:

  • a crime is in progress or about to be
  • the suspect is known or can easily be identified
  • the crime involves a vulnerable victim

 

Useful contacts

Below is a list of useful websites:

www.actionfraud.police.uk

www.financialfraudaction.org.uk

www.fraudadvisorypanel.org.uk

www.fsb.co.uk

www.cifas.org.uk

www.bis.gov.uk/insolvency

www.bis.gov.uk

www.getsafeonline.org

www.gov.uk/government/organisations/companies-house

www.fraudadvisorypanel.org

www.fca.org.uk

www.hmrc.gov.uk

www.ipo.gov.uk

www.ico.org.uk

www.pcisecuritystandards.org