Cyber threats are accelerating. By one estimate, the global economy is now losing $2.9m to cybercrime every minute[1]. A third of UK businesses were affected last year, suffering financial loss, disruption and reputational damage[2].
Yet simple precautions could thwart the majority of attacks, as business leaders heard at a recent Strategies for Growth event held by HSBC.
1. Email – still the main frontier
Over 90% of cyber attacks are launched by email, according to Barry Searle of cybersecurity consultancy Int-Qual Pro. Increasingly this takes the form of fake invoices that appear to come from a known and trusted email address.
“Businesses that are hit may believe their systems have been hacked, but often it turns out that the business has simply been manipulated into paying things they shouldn’t have paid,” Searle told event delegates.
To counter email threats:
- Enforce processes to verify invoices before payment – especially where a supplier has apparently changed their bank details. Check with a call to a pre-approved contact
- Install free SPF and DMARC tools, which alert you to unauthorised use of your email domain – and encourage supply chain partners to do the same
- Ensure your email and financial systems are separate, so that even a successful email hack doesn’t leave your finances compromised
2. Social media – a feast for criminals
Cyber criminals exploit social media profiles to mount targeted ‘spear-phishing’ exercises. “Smaller businesses are the most heavily targeted sector, because they often lack the staff and experience to deal with organised crime,” Searle said.
His recommended actions include:
- Review social media policies to ensure profiles include only relevant details. For instance, the fact that an individual is responsible for authorising invoices should not be featured on their profile
- Be discreet on personal social media accounts, such as Facebook and Instagram. This makes it hard for criminals to cross-reference from company websites or LinkedIn profiles. For example, business leaders should use an abbreviated name on their personal accounts, and a profile picture that doesn’t identify them
3. Data – when fallbacks fail
Rather than go to the effort of stealing business information, cyber criminals can focus on denying access, in the hope that businesses will pay to have their data restored. Searle warns that some businesses affected find themselves faced with fees and delays to retrieve data from their cloud providers. In some cases this is so prohibitive that victims have chosen to pay the criminals instead.
- Check your cloud contract to ensure the terms of data retrieval are acceptable
- Keep printed back-ups of continuity plans, so you can execute them without digital access
4. Devices – unlikely access points
The Internet of Things is the fastest-growing vulnerability to be exploited by hackers.
A plug-in air freshener and an aquarium thermometer are among the connected devices used by criminals to breach business defences, Searle told delegates.
- Replace default manufacturers’ passwords with new ones on any connected device your business installs – and do this retrospectively for any existing devices
5. Wi-fi – who’s on your network?
“Public wi-fi is never secure, even when you use a password,” Searle warned. “Your personal data services provide far more security, and mobile hotspots are a more secure alternative.”
- Use public wi-fi only in an emergency, and never for sensitive or financial communications
- Turn off business wi-fi and Bluetooth when not in use
Searle urged business leaders to see cyber threats in the same way as physical ones. “These decisions are as simple as putting an alarm on your premises and deciding to lock the door when you leave,” he said.
Protection comes down to training and communication.