In recent years a number of high profile cyber-attacks have made the headlines, including the suspected North Korean hack of Sony in 2014, the Yahoo hack of 1.5 billion user accounts in 2016, and last year’s “WannaCry” ransomware attack on the NHS. There have been many others, and news coverage of the next one is only a matter of time.
But it’s dangerous to think that only large multi-nationals have to worry about cyber-crime. SMEs are now a favourite target for cyber-criminals, with recent shocking statistics suggesting there are now around 7 million cyber-attacks on SMEs annually; that’s around 19,000 each day.
The particular rise of ransomware
Cyber-security risks come in many shapes and sizes, but arguably the form of cyber-crime that’s increased most dramatically in recent years is ransomware. The comparative ease with which you can find ransomware software on the “dark web” has made it a commoditised form of cyber-crime, known as ‘Ransomware as a Service’. A ransomware attack can infect an entire IT network through an individual computer, locking computers and encrypting data, before a ransom payment is demanded for their release.
Of course there is no guarantee that payment of the ransom will result in the encrypted data or computer access being restored, and the true cost of such ransomware attacks is more often the business disruption and lost data rather than the ransom itself. This was sadly evident with the “WannaCry” ransomware attack on the NHS, where the disruption was massive, regardless of the fact that no ransom was paid.
As with nearly all cyber-attacks, ransomware relies on exploiting people who are caught off-guard: unsuspecting users infecting their own computers with the malware. Even unrelated forms of cyber-crime, such as “invoice fraud” (where the fraudster impersonates someone you are due to pay and then provides you with false bank account details) and “phishing” emails (where a spoof email is sent in an attempt to elicit sensitive information), still rely on human error.
How can businesses protect themselves and keep cyber criminals at bay?
As human behaviour is often the key factor, the biggest step businesses can usually take is to ensure that their internal culture encourages staff to think critically about communications they receive, and to question with rigour instructions they receive from either internal or external sources. In practical terms, this could mean:
- If new payment details are received over the phone or via email, contact the correct external supplier directly through a secure medium and using a trusted source for their contact details to verify those new details;
- If payment instructions are received internally from, say, the MD or FD, verify them directly or in person, as spoof emails like these purporting to come from company directors (often called “CEO fraud”) are on the increase. Staff are often reluctant to query instructions from “on high”, but such instructions should be scrutinised just as critically as those from any other party. Setting your IT system to automatically label email as ‘External’ if it originates from outside your business can also help to identify such spoof internal emails;
- If an unexpected or odd attachment is included with an email, remember there is no such thing as a “quick peek” when it comes to malware. Trust your instincts; if something does not look or feel right, by reference to, say, the sender, subject line, text, attachment or any combination of these, then it may well not be. Suspicious attachments must not be opened, but forwarded to the IT department to be checked safely. These emails often go to multiple addressees in a company, so unless everyone is on guard then malware will infiltrate your IT system;
- Similarly, if an email includes a suspicious-looking hyperlink, wherever possible access the relevant website through trusted routes (such as a Google search or an existing bookmark) rather than by clicking the link in the email. Hovering your mouse over the link shows which website it would actually take you to; if that address doesn’t look linked to the company the email claims to be from, don’t touch it. If in doubt, get advice from your IT department first. There is no downside: if the link is legitimate, little time will have been lost; if it is not, you may well have saved your business.
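As an added illustration, not part of the original article, the Python snippet below applies two of the steps above to an incoming e-mail: tagging messages from outside the business as ‘[External]’, and flagging links whose visible text names one company while the underlying address points somewhere else (the “hover over the link” check). The company domain, the sample e-mail and the look-alike addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

INTERNAL_DOMAIN = "acme-widgets.example"  # assumption: the business's own domain (hypothetical)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def registered_domain(host: str) -> str:
    # Crude 'company' part of a host name: mail.acme.example -> acme.example
    return ".".join(host.lower().split(".")[-2:])

def is_external(msg) -> bool:
    # True when the From: address is not on our own domain
    sender = msg["From"].addresses[0].addr_spec
    return sender.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def mismatched_links(html: str) -> list:
    # Links whose visible text names one company but whose target is another:
    # the article's 'hover over the link' check, done automatically.
    findings = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        shown = DOMAIN.search(text)
        target = urlparse(href).hostname or ""
        if shown and registered_domain(shown.group(1)) != registered_domain(target):
            findings.append((text, href))
    return findings

def check_message(raw_message: str) -> dict:
    # Parse one message (assumed single-part text/html) and apply both checks
    msg = message_from_string(raw_message, policy=default)
    external = is_external(msg)
    subject = str(msg["Subject"] or "")
    return {"external": external,
            "subject": f"[External] {subject}" if external else subject,
            "mismatched_links": mismatched_links(msg.get_content())}

# Constructed sample: a fake supplier e-mail carrying a look-alike link
SAMPLE_EMAIL = """\
From: "Finance Team" <accounts@supplier-payments.example>
Subject: Updated bank details
Content-Type: text/html

<p>Please confirm at <a href="http://login.acme-widgets-secure.example/x">https://portal.acme-widgets.example</a>
or see <a href="https://www.acme-widgets.example/help">our help page</a>.</p>
"""
```

Running `check_message(SAMPLE_EMAIL)` tags the message as external and reports the first link, whose text shows the genuine company address but whose target is a look-alike domain.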
On a more technical level, regular off-site back-ups are perhaps the best protection against data loss from malware, and ensuring you have up-to-date antivirus and firewall software is a must for any business.
Prevention is better than cure
Perhaps not surprisingly, the majority of businesses that engage cyber-security advisors do so after a cyber-attack rather than before. It is perhaps trite to say that “a stitch in time saves nine”, but an additional sobering factor is that failure to take reasonable precautions to protect your business from cyber-crime risks could also potentially invalidate any relevant insurance cover you might have. Your insurance company might argue that the circumstances of the attack were analogous to leaving your premises unlocked overnight.
There is no way for a business to protect itself completely from a successful cyber-attack, but having robust cyber-security policies and procedures and effective staff training should dramatically reduce the risk. The steps suggested above are not exhaustive, but they are ones that any business can easily take – at no cost – no matter its size. If it hasn’t already happened, one day your business is going to be a cyber-crime target. Make sure you are properly prepared; that day may be imminent.
If you would like to know more about these or any other issues relating to cyber-security risks, please contact Stuart Evans today for more information.
With thanks to Michael Axe for his contribution to this article.