Cyber threats are accelerating. By one estimate, the global economy is now losing $2.9m to cybercrime every minute [1]. A third of UK businesses were affected last year, suffering financial loss, disruption and reputational damage [2].
Yet simple precautions could thwart the majority of attacks, as business leaders heard at a recent Strategies for Growth event held by HSBC.
1. Email – still the main frontier
Over 90% of cyber attacks are launched by email, according to Barry Searle of cybersecurity consultancy Int-Qual Pro. Increasingly this takes the form of fake invoices that appear to come from a known and trusted email address.
“Businesses that are hit may believe their systems have been hacked, but often it turns out that the business has simply been manipulated into paying things they shouldn’t have paid,” Searle told event delegates.
To counter email threats:
- Enforce a process to verify invoices before payment, especially where a supplier has apparently changed their bank details. Confirm by phoning a contact number agreed in advance, never one supplied in the email or on the invoice itself
- Publish SPF and DMARC records for your email domain (they are free DNS records rather than software to install). DMARC reporting tells you when someone sends mail claiming to be from your domain, so it acts as an alert for unauthorised use; encourage supply chain partners to do the same. Note that this protects your own domain from being spoofed, but it does nothing against a lookalike domain or a genuine supplier mailbox that has been taken over, which is why the verification step above still matters
- Keep your email and financial systems separate, with different credentials and no payment approval by email alone, so that even a successful email compromise cannot on its own initiate or authorise a payment
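Because the SPF and DMARC advice above is about a policy published in DNS rather than a product, the useful check is whether the records say what you think they say. The following is an added example (not code from the event, HSBC or Int-Qual Pro) that parses an SPF record and a DMARC record and flags the settings that leave a domain open to spoofing: a soft or missing `all` term in SPF, `p=none` or a partial `pct` in DMARC, and a DMARC record with no `rua` address, which means the reports that would alert you are not being collected. The record strings and the `example.com`/`example.net` domains are constructed samples; in real use you would fetch the TXT record at `<domain>` for SPF and at `_dmarc.<domain>` for DMARC.

```python
"""Flag weak SPF and DMARC settings.

Added example, not from the original article. The SAMPLES below are
constructed records for a hypothetical example.com domain; in practice
you would fetch them with a DNS TXT lookup and feed the strings in here.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr|exists:|redirect=)", re.I)
_ALL_TERM = re.compile(r"([+\-~?]?)all", re.I)


def parse_spf(record: str) -> dict:
    """Split a v=spf1 record into its mechanisms and extract the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False}
    all_qual = None
    for term in terms[1:]:
        m = _ALL_TERM.fullmatch(term)
        if m:
            all_qual = m.group(1) or "+"  # a bare 'all' means '+all'
    return {"valid": True, "mechanisms": terms[1:], "all": all_qual}


def spf_findings(record: str) -> list[str]:
    """Return human-readable weaknesses found in an SPF record (empty list = fine)."""
    spf = parse_spf(record)
    if not spf["valid"]:
        return ["no SPF record"]
    findings = []
    qual = spf["all"]
    if qual is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif qual == "+":
        findings.append("'+all' authorises every host on the internet")
    elif qual == "?":
        findings.append("'?all' is neutral; unlisted senders are not rejected")
    elif qual == "~":
        findings.append("'~all' is only a softfail; rely on DMARC to enforce")
    lookups = sum(1 for t in spf["mechanisms"] if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return weaknesses in a DMARC record: monitoring-only policy, partial pct, no reports."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' tag: aggregate reports (the alerts) are not collected")
    return findings


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks for one domain."""
    return {"spf": spf_findings(spf_record), "dmarc": dmarc_findings(dmarc_record)}


# Constructed samples: a typical 'set and forget' configuration beside a hardened one.
SAMPLES = {
    "weak": {
        "spf": "v=spf1 a mx include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none;",
    },
    "hardened": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s;",
    },
}

if __name__ == "__main__":
    for name, recs in SAMPLES.items():
        print(name, assess(recs["spf"], recs["dmarc"]))
```

The "weak" sample is what many domains actually publish: `~all` plus `p=none` means a receiver is told that spoofed mail is suspicious but should still be delivered, and with no `rua` address nobody is ever told it happened. Moving to `-all` and `p=reject` only after the aggregate reports show that all legitimate senders (including third-party services that send on your behalf) pass is the usual order of operations.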
2. Social media – a feast for criminals
Cyber criminals exploit social media profiles to mount targeted ‘spear-phishing’ exercises. “Smaller businesses are the most heavily targeted sector, because they often lack the staff and experience to deal with organised crime,” Searle said.
His recommended actions include:
- Review social media policies to ensure profiles include only relevant details. For instance, the fact that an individual is responsible for authorising invoices should not be featured on their profile
- Be discreet on personal social media accounts, such as Facebook and Instagram. This makes it harder for criminals to cross-reference them against company websites or LinkedIn profiles. For example, business leaders should use an abbreviated name on their personal accounts, and a profile picture that doesn't identify them