According to a recent government survey, almost 50% of SMEs believe their business is protected from cybercrime through their Microsoft or Mac software and updates or through having a limited online presence. However, security professionals agree this is not the case – it’s really people and processes that pose the biggest risk.
When it comes to cybersecurity, protective technologies like firewalls and anti-virus are top of mind. The notorious WannaCry and Petya attacks earlier this year also highlighted the importance of using the latest software versions and ‘patching’ regularly to fix security vulnerabilities.
However, what may be less well known is that innocent employees and suppliers can cause as much damage as malicious hackers. Staff are already inside a business’s security framework and can easily be exploited to bypass security controls. Surveys confirm that over 60% of security incidents involve human error or naivety.
These incidents include:
- Using ‘unpatched’ applications where software updates containing security fixes are not installed
- Using easy-to-guess or default passwords
- Opening an infected attachment or using an unsafe URL
- Falling victim to social engineering scams (such as phishing)
- Neglecting operating processes or security protocols.
Here are some real life examples of these breaches that we’ve come across and some simple precautions that businesses can take to protect themselves.
Social engineering scams
Scam emails look more authentic than ever before and can easily be mistaken for emails from the ATO, ASIC or your bank. We recently heard of a bookkeeper who received an email from a supplier informing them of a change of bank account details. That email was not really from the supplier, and payments of $30k a month were at stake. Another case involved a PA who received an email from her boss (travelling interstate) to transfer $200,000 to secure a business deal. She did as requested – only to find out later that the email was not from her boss.
Staff vigilance and due diligence are key to avoiding these types of attacks. No email, however plausible, can be relied on as genuine or as coming from the person it claims to be from. Transactions and requests like these should be checked personally, by calling the sender on contact details you already hold and asking for verbal confirmation. It also pays to check with familiar contacts if you receive an email from them containing a link that seems ‘out of the ordinary’.
When it comes to updating bank details and making payments, two different people in your organisation should be required for authorisation. As an extra safeguard, run monthly exception reports on creditors to check if any unusual changes have been made. Scammers may wait weeks or months to make their move.
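One way to automate the monthly creditor exception report and the two-person authorisation rule described above, as an added example (this is not code from the article or from Accru; the record fields, the approver sets and all sample values are assumed):

```python
# Added example (not from the article): a monthly creditor exception report that
# compares two constructed snapshots of the creditor master file and flags any
# bank-detail change that was not authorised by two different people.
from dataclasses import dataclass

@dataclass(frozen=True)
class Creditor:
    creditor_id: str
    name: str
    bsb: str       # bank branch code (constructed sample values)
    account: str   # account number (constructed sample values)

def bank_detail_changes(previous, current):
    """Return (creditor_id, old_details, new_details) for every creditor whose
    BSB/account changed since the previous snapshot; new creditors have old=None."""
    prev = {c.creditor_id: (c.bsb, c.account) for c in previous}
    changes = []
    for c in current:
        new = (c.bsb, c.account)
        old = prev.get(c.creditor_id)
        if old != new:  # covers both changed and newly added creditors
            changes.append((c.creditor_id, old, new))
    return changes

def exception_report(previous, current, approvals, min_approvers=2):
    """approvals maps creditor_id -> set of user ids who authorised the change.
    A change with fewer than min_approvers distinct approvers is an EXCEPTION."""
    report = []
    for cid, old, new in bank_detail_changes(previous, current):
        who = set(approvals.get(cid, ()))
        status = "OK" if len(who) >= min_approvers else "EXCEPTION"
        report.append({"creditor": cid, "old": old, "new": new,
                       "approvers": sorted(who), "status": status})
    return report

# Constructed sample: month-start vs month-end snapshots (hypothetical data).
MONTH_START = [
    Creditor("C001", "Acme Supplies", "000-000", "11111111"),
    Creditor("C002", "Beta Logistics", "000-000", "22222222"),
]
MONTH_END = [
    Creditor("C001", "Acme Supplies", "000-000", "11111111"),   # unchanged
    Creditor("C002", "Beta Logistics", "999-999", "88888888"),  # changed, one approver only
    Creditor("C003", "New Vendor Pty", "123-456", "33333333"),  # new creditor, dual approved
]
APPROVALS = {"C002": {"alice"}, "C003": {"alice", "bob"}}

def run_sample():
    return exception_report(MONTH_START, MONTH_END, APPROVALS)
```

Running `run_sample()` flags the Beta Logistics change as an EXCEPTION because only one person authorised it, while the dual-approved new creditor passes.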
Using unsecured mobile devices
Many of us use free Wi-Fi, particularly when travelling, but remember this is dangerous: information sent and received over such a network can be intercepted, and usernames and passwords are easily obtained. A case we are aware of involved a company director who checked his email over a public Wi-Fi network while on an overseas business trip. Hackers were able to set up an email divert and email the bank, which subsequently failed to properly examine a forged signature sent to it by the scammers. This led to an unauthorised transfer of significant funds (later refunded by the bank).
It’s wise to avoid public Wi-Fi hotspots for online banking, shopping, entering personal details and sending confidential emails. Consider turning Wi-Fi off in your mobile settings so you don’t connect to Wi-Fi networks by default. If you really must use free Wi-Fi, make sure that the websites you visit are fully encrypted by checking that the browser bar shows https:// (instead of http://) and the locked padlock symbol.
Quick wins to improve your security
There are some simple steps that SMEs can take to improve their security. These include ‘people’, ‘policy’ and ‘process’ controls, as well as technological defences.
Establish security policies and document processes – Consider implementing information security policies and data classification that clearly set out how different types of data should be handled and controlled. Ensure that employees are aware of the sensitivity of data and their individual responsibilities for protecting it.
Regular staff training – Accidental clicks on infected emails are the most common entry point for hackers into business networks. Make your employees aware of security issues and current scams (see scamwatch.gov.au). Staff should be aware of the risk of human error and what is expected of them, for example in regard to personal mobile devices connected to company networks, USB drives and passwords.
Password management – Make sure you use strong identity authentication and password management. Staff should use passwords with alpha-numeric complexity and change them every 90 days.
Anti-virus protection – Never use free anti-malware software – buy a reputable package, keep it updated and run full system scans each week.
Patching – Make sure you install all updates available for both operating systems AND applications. Software patches are free with licenses and can be set to ‘automatic updates’. Consider upgrading to Microsoft’s latest Windows 10 which is more secure.
Backups – Make frequent backups using an external hard drive and disconnect it from your network when completed. Test your ability to recover the data. Good backup procedures aid recovery if you are attacked.
Consider cyber insurance
Many insurance policies offer cover against data breaches, computer hacking, employee error and more. Look for a combination of first- and third-party coverage, read the small print and check what is and isn’t covered, as some insurers are becoming stricter on exclusions.
No business, whether large or small, can afford to ignore cybersecurity. Please contact your Accru advisor if you would like some initial guidance.