In the last couple of years, a number of high-profile cyber-attacks have made the headlines, including the 2014 hack of Sony Pictures that was attributed to North Korea, the Yahoo breaches disclosed in 2016 affecting around 1.5 billion user accounts, and last year’s “WannaCry” ransomware attack that hit the NHS. But it is dangerous to think that only large multinationals have to worry about cyber-crime: SMEs are now a favourite target for fraudsters, with recent statistics suggesting around 7 million cyber-attacks on SMEs each year (roughly 19,000 a day).
The rise of ransomware
Cyber-security risks come in many shapes and sizes, but arguably the form of cyber-crime that has increased most dramatically in recent years is ransomware. The ease with which ready-made ransomware can be bought on the dark web means it has effectively become a commoditised form of cyber-crime. A ransomware infection that starts on a single computer can spread across an entire IT network, locking machines and encrypting data before demanding a ransom payment for their release.
There is, of course, no guarantee that paying the ransom will result in the encrypted data being restored, and the true cost of a ransomware attack is more often the business disruption and lost data than the ransom itself. This was sadly evident in the “WannaCry” attack on the NHS, where the disruption was massive even though no ransom was paid.
But as with nearly all cyber-attacks, most ransomware relies on catching humans off-guard: an unsuspecting employee opens an attachment or follows a link that installs the malware. WannaCry was the notable exception, spreading by itself between Windows machines that had not been patched against a known flaw in the SMB file-sharing service, which is why keeping systems patched matters as much as staff vigilance. Even unrelated forms of cyber-crime, such as “invoice fraud” (where the fraudster impersonates someone you are due to pay and supplies false bank account details) and “phishing” emails (where a spoof email is sent to elicit sensitive information or a click), still rely on human error.
How can businesses protect themselves?
Generally, the biggest step businesses can take is to ensure that their internal culture encourages staff to think critically about communications they receive, and to question instructions they receive from either internal or external sources. In practical terms, this could mean:
- If new payment details are received over the phone or via email, contact the supplier directly to verify them, using contact details you already hold rather than any given in the message itself
- If payment instructions are received internally from, say, the MD or FD, verify them directly or in person, as spoof emails purporting to come from company directors (often called “CEO fraud”) are on the increase. Configuring your mail system to automatically label email as ‘External’ when it originates from outside your business also helps staff spot such spoof “internal” emails
- If an unexpected attachment is included with an email, remember there is no such thing as a “quick peek” when it comes to malware. Suspicious attachments should be passed to your IT department to be checked safely
- Similarly, if an email includes a hyperlink, wherever possible reach the relevant website through a trusted route (such as an existing bookmark or a search) rather than by clicking the link in the email.
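As an added illustration of the ‘External’ label and the CEO-fraud pattern described above (example code written for this page, not a tool from the article or any product), the script below parses constructed inbound messages, tags the subject of any that originate outside an assumed company domain (example.co.uk), and flags two things a plain label alone would miss: a display name that matches an assumed list of directors while the address is external, and a Reply-To that diverts replies to a different domain. In practice a mail gateway does this on the server; the checks are the same.

```python
"""Tag external mail and flag display-name impersonation of internal staff.

Added example for this article, not code from it. The company domain,
the staff list and the sample messages below are all assumptions
constructed for the illustration.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.co.uk"}            # assumed company domain(s)
INTERNAL_STAFF = {                              # assumed directory entries
    "jane doe": "jane.doe@example.co.uk",       # MD
    "john smith": "john.smith@example.co.uk",   # FD
}
EXTERNAL_TAG = "[EXTERNAL]"


def _domain(address: str) -> str:
    """Lower-cased domain part of an address ('' if there is no '@')."""
    _, _, domain = address.rpartition("@")
    return domain.lower()


def is_external(raw: str) -> bool:
    """True if the From address is not on one of the internal domains."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return _domain(addr) not in INTERNAL_DOMAINS


def impersonation_warnings(raw: str) -> list:
    """Reasons a message looks like a spoofed internal email (empty if none).

    1. Display name matches a known member of staff but the address is
       on an outside domain (the classic 'CEO fraud' lookalike).
    2. Reply-To points at a different domain from the From address, so
       a reply would go somewhere other than the apparent sender.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    warnings = []
    if name.strip().lower() in INTERNAL_STAFF and _domain(addr) not in INTERNAL_DOMAINS:
        warnings.append(f"display name '{name}' matches staff but address is {addr}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != _domain(addr):
        warnings.append(f"Reply-To {reply} differs from From domain {_domain(addr)}")
    return warnings


def tag_message(raw: str) -> Message:
    """Return the parsed message with '[EXTERNAL]' prefixed to the Subject
    when it came from outside; internal mail is returned untouched."""
    msg = message_from_string(raw)
    if is_external(raw):
        subject = msg.get("Subject", "")
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    return msg


def tagged_subject(raw: str) -> str:
    """Convenience: just the Subject line after tagging."""
    return tag_message(raw).get("Subject", "")


# Constructed sample messages (not real traffic). The first uses a
# lookalike domain and a diverted Reply-To, the second is genuine.
SPOOFED_MD = (
    "From: Jane Doe <jane.doe@example-co.uk.com>\n"
    "Reply-To: accounts@mail-relay.net\n"
    "Subject: Urgent payment - please action today\n"
    "\n"
    "Please transfer 12,000 to the new supplier account below.\n"
)
GENUINE_INTERNAL = (
    "From: Jane Doe <jane.doe@example.co.uk>\n"
    "Subject: Board minutes\n"
    "\n"
    "Minutes attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MD), ("genuine", GENUINE_INTERNAL)):
        print(label, "->", tagged_subject(raw))
        for w in impersonation_warnings(raw):
            print("   WARNING:", w)
```

The lookalike domain (example-co.uk.com) is deliberately close to the real one; a reader glancing at the display name alone would not notice, which is exactly why the tag and the display-name check are applied by the system rather than left to the recipient.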
On a more technical level, separate off-site back-ups are perhaps the best protection against data loss from malware. Keep at least one copy offline or otherwise unreachable from your network, since ransomware will encrypt any back-up it can reach, and test periodically that you can actually restore from it. Keeping operating systems and software patched, and running up-to-date antivirus and firewall software, is a must for any business.
Prevention is better than cure
Statistics indicate that, sadly, the majority of businesses that engage cyber-security advisers do so after a cyber-attack rather than before one. It is perhaps trite to say that “a stitch in time saves nine”, but it is worth bearing in mind that a failure to take reasonable precautions against cyber-crime could also invalidate any relevant insurance cover you hold, in much the same way as leaving your premises unlocked overnight would.
While no business can protect itself 100% from a cyber-attack, a robust cyber-security policy and procedures, together with adequate staff training, will dramatically reduce the risk. The four steps summarised above can be taken by any business, at little or no cost and whatever its size, so that it is better prepared for the (perhaps inevitable) day when it becomes a cyber-crime target.
If you would like to know more about these or any other issues relating to cyber-security risks, please contact Michael Axe today for more information.