Top 100 Business Tips #9 – Cyber Security
It is estimated to have affected 2.9 million British businesses in 2016, at a total cost to the economy of £29.1 billion.
In fact, online fraud is now considered to be the UK’s most common type of offence, with one in 10 people affected in 2016, according to Crime Survey of England figures.
There are more than five million criminal cyber acts every year, accounting for half of all the crime that takes place. They include everything from computer misuse to fraud and theft.
According to the National Crime Agency, the top types of cyber crime affecting individuals include phishing for security and personal details using bogus emails; criminals taking over webcams; hijacking files and then holding companies to ransom; keylogging – recording what someone types on their keyboard for criminal purposes and capturing screenshots of a computer before ‘ad clicking’ to direct it to certain paid products and services.
For companies, the main threats are hacking and distributed denial of service (DDOD) attacks, which bring key services and small and large scale organisations to their knees, as we’ve seen in a few high profile recent cases.
Ransomware, where criminals take control of an organisation’s online systems before blackmailing them for cash to put it right, is the least common type of business attack, yet resulted in the biggest losses in 2016, at over £7 billion.
When and where you least expect it
So, it’s a really big issue, but did you know your biggest cyber security threat could be you people?
Adam Lutkin, Managing Director of IT specialists Computanet Solutions Limited, said this is down to human nature – something the crimesters are only too good at capitalising on.
“You can have the most secure systems possible. Fire walls, antivirus software and robust security protocols are all essential parts of your online defence systems,” he said.
“However, unless you back these up with rigorous training, the people who are your most valuable asset, could also inevitably be your weakest link.
“This is because of people’s basic good nature. If someone calls up a member of your team and seems personable, and engages them in conversation – they might even get lucky and mention something, coincidentally, that seems to add up – there is always the risk that in a moment of naivity or weakness, they will provide the scamsters with that vital, secure piece of information that will give them the virtual key to your door.”
This, ultimately, Adam adds, is what computer hackers are interested in. Access. To pieces of data which, when added together, give them an entry point to bank accounts, credit cards – and even property.
“This is a multi-million-pound industry,” continued Adam.
“And it’s more lucrative than other types of crime, because once they have the personal or company data, they can sell it over and over again for significant profit.
“This is why the people doing this kind of thing are investing more and more time in increasingly sophisticated ways of getting access to the information they need. It’s also the reason firms need to work equally hard at staying one step ahead. Just implementing protective systems and forgetting about them isn’t enough.
“It’s all about protecting your business – and your customers – from intrusion and theft.”
A need for constant vigilance
Adam founded Computanet in 1995, not long after the internet was born. He has seen the level of threat, and the amount of protection therefore required, grow over that time.
“No-one is immune and everything is valuable to a criminal, particularly as so many people use the internet for for banking and to pay for goods and services these days,” he said.
“The theft often starts small, so whether you’re a business owner or an individual, it pays to be vigilant and really check your bank accounts, so that you have a clear picture of what is coming in and what is going out. Very often, fraudsters will test the water by stealing small amounts to begin with, escalating it if you don’t notice it and they get away with it the first time.”
The other big risk is the plethora of ‘free’ downloads available on the internet, according to Adam. Downloads that offer a seemingly valuable product or service for little or nothing which, once added to a system, can be used to spy on daily activities and extract data.
“The old saying still rings very true here,” added Adam. If it seems too good to be true, chances are it is.”
Unfortunately, despite the growing threat of cybercrime, and recent high profile cases of disruption to key services like the NHS caused by hackers, many people remain strangely blasé about the threat.
“There seems to be a bit of an assumption that it won’t happen to them and people often take a bit of a laissez fair approach to their cyber security,” he said.
“Until, of course, it does happen, and then they really do start to understand the importance of protecting themselves.”
Typical Cyber Security Mistakes
We asked Adam to name the most common errors or oversights companies make when it comes to their online security.
#1 Team training
“The so-called ‘threat surface’ is changing and it’s often not the IT systems where the breaches happen,” continued Adam.
“Often it’s the softer channels, like the telephone, where the issues arise. It someone calls up and asks to check an email address or a piece of company information, we as human beings have an instinctive tendency to take the person on the other end of the phone seriously.
“In reality, though, staff members need to be appropriately trained so that they never give out any customer or company information over the phone, as a matter of course. They should never engage in such conversations with anyone they do not know, and ask for any such requests to be submitted in writing.
“More often than not, such requests will never arrive!”
#2 Email vetting
“Again, there is a basic human tendency to want to take any email we receive seriously. However, in today’s world, the reality is that only a small proportion of them are actually legitimate.
“Unless a team member knows the sender, they should not open the email or click on any links. Even then, if the email looks to be from a known source, they should hover to the right of the sender details and click the righthand down arrow, to double check that the address it has come from looks as legitimate as the title.
“Essentially, IT companies like us can give companies the most resilient systems possible. However, what they then also need to do, with our guidance, is to socially engineer the right behaviour through effective training.”
6 essential steps every company should take to protect itself and its customers
Seek professional advice. Have a reputable firm conduct a full audit of your business needs and IT security provisions, and then lock down your system. Install effective anti-virus software; instate a fire wall, and conduct regular updates to ensure your security keeps pace with the speed at which spyware and malware is being developed.
They should also be able to advise you on making sure your procedures are robust and your employees know how to follow them, and help train them to maintain the integrity of what you’ve installed.
Assess your systems and processes, looking at how easily information can be got at and leaked out. Allowing staff to bring in personal USB sticks from home is one error companies typically make.
Very often, the employee’s anti-virus protection won’t be as powerful as your business systems and this means they could unwittingly bring a virus into the workplace, and infect your systems.
Implement the right rules. Examples of what these should cover include forwarding work emails to home email addresses. Again, these might be less protected and create the risk that company or customer data could get into the wrong hands.
All business passwords should be changed regularly, including the individual usernames and passwords staff members use to log on each day. Again, training everyone to make these as impermeable as possible is a good idea. Things like not using the date on which they set it as their password, but instead choosing random word combinations – for example cheese and server – and a mixture of other characters that would be hard to guess, such as 3 instead of E in words.
Ensuring the integrity of any hosted storage systems they use to keep their documents in. The most reputable storage sites will be able to provide you with strong reassurances regarding the security of any information you keep with them.
Keeping online in its place
There are other considerations too, according to Adam, that are just as important as system security.
“The internet is also quite addictive,” he said.
“Therefore, limiting use of it can be a healthy thing, in terms of the culture of your company and the kinds of things you want your people to be spending their time on. It’s about controlling how pervasive these things are, both at home and at work.
“We will only accept businesses as clients if they agree to block the top 10 recommended categories of site, including things like pornography and gambling. This is because they can result in harmful downloads and cookies affecting your company systems, and because your reputation depends on running your company in a professional way, including the kinds of activities your employees engage in both at home and at work.”
He added: “It us also advisable to educate employees about appropriate social media etiquette and security, for their own protection as well as your business’s reputation.
“They need to be aware of how to make sure only the people they want to can see their posts on channels like Facebook, and that they don’t publicise things – like when they are away on holiday – that could put them and their property at risk.”
A weighty new responsibility
The new General Data Protection Legislation due to be introduced in 2018 will place even more pressure on all businesses to safely manage any data they hold about individuals.
This means they will need to not only be able to ensure it doesn’t get into the wrong hands, but they will also have to be able to identify and provide any information they hold on a person – and delete it if required – on request.
“This isn’t something that firms can just put off until they get around to it,” added Adam.
“They will need to be in a robust position by the time the legislation comes in next year, or face the very real risk of substantial fines.
“IT companies like Computanet can provide them with smart solutions which not only store their customer information in an easily accessible way, but also create a real-time, smart overview of how information comes into the business, who stores it, where and when, so that it can be found and extracted whenever necessary.
“We can even set up archiving systems that use OCR codes to log information. This can be important if, for example, someone asks you, as a company, to forget everything you know about them. You have to be able to find it in the first place.”
And effective cyber security isn’t only the domain of bigger businesses.
“Every company needs to protect itself, big or small,” added Adam.
“Whether you have six or 600 employees, the threats are really real and you need to make sure you’re protected.”
Based on Hedon Road in Hull, Computanet supplies IT services throughout the Yorkshire region, as well as to a number of European countries and America. They are one of 18 partners currently supporting our James Legal – The Business 2017 campaign and its Business Booster competition, with its total prize fund of £45,000 to be shared between two stand-out local businesses.
They tailor their services to the specific requirements of the companies they work with, ranging from interactive technologies to project management. As a Microsoft certified partner, VMWARE partner and re-seller of Microsoft Azure and Office 365, they believe in offering a global-standard service with an independent company feel.
If the issues discussed in this blog resonate with you and you could do with some advice or help, you can call Adam and his team on (01482) 229999, or email firstname.lastname@example.org.
At James Legal, we work with a range of expert partners like Computanet in order to provide effective, 360-degree support to the businesses we help. If you would like to find out more about how we can help you protect and develop your business, legally, call us on (01482) 226655 or email email@example.com. You can enter our Business Booster competition via www.jameslegal.co.uk/business-booster-competition.