The top 10 chinks in your cyber armour
Stuart, our Technical Director, highlighted the acute threat of ransomware and spear phishing in an article for the March edition of Cambridge Business.
We want to help SMEs outsmart the criminals. Check your practices against the following common weaknesses that can make small businesses vulnerable to cyber attack. If you’d like to find out more, contact email@example.com
High risk behaviours
Certain everyday habits play directly into the hands of cyber criminals. Make sure you and your staff understand the dangers.
- Password roulette. Anyone using one of the 25 most common passwords is playing a perilous game. Never use personal information – it’s surprisingly easy for criminals to uncover. Create a unique password for every account, otherwise cracking one grants access to all. Don’t write passwords down – use a password manager such as 1Password.com. Change passwords regularly and use a service like haveibeenpwned.com every now and then to check none of your accounts has been compromised.
- Gung-ho social. Cyber criminals use personal data people put online to target or impersonate them. More than 60% of network malware infections are caused by this ‘social engineering’. Ensure your social network privacy settings restrict access to genuine friends only. Beware of accepting requests from people you barely know, especially on the social networks you use for personal, rather than professional, contacts.
- Acting on autopilot. If you receive an email that requests a money transfer or login details, or contains a link or an attachment, take a moment to stop and think – even if it appears to be from someone you know. Criminals pretend to be a senior member of staff, a supplier or your bank. Check the email address is exactly as it should be – sometimes just one character will be wrong. If an email address has been ‘spoofed’, hovering the mouse cursor over it may reveal the actual sender’s address. Cut and paste a link into a checker such as https://global.sitesafety.trendmicro.com/ or, for short links, http://checkshorturl.com/. If in doubt, always ring the sender on a contact number you know is genuine, and not a number on the email – look in your own contacts or search on the internet.
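One way to automate the “is this address exactly as it should be?” check above, as an added example that is not part of the original article: it flags a sender whose domain is a near-miss of a known contact’s domain, including the one-character swaps and look-alike letter pairs criminals rely on. The trusted address list is constructed for the example and the look-alike pairs are an assumption.

```python
# Constructed list of addresses this business knows to be genuine.
# Assumption: a real deployment would load these from the address book.
TRUSTED_SENDERS = [
    "accounts@acme-supplies.co.uk",
    "jane.smith@example-bank.com",
    "md@ourcompany.co.uk",
]

# Character pairs that look alike on screen (assumed list); they are
# normalised so "rn" vs "m" or "0" vs "o" counts as the same shape.
_LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def _normalise(text: str) -> str:
    text = text.strip().lower()
    for pair, single in _LOOKALIKES:
        text = text.replace(pair, single)
    return text


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(sender: str, trusted=TRUSTED_SENDERS, max_edits: int = 2) -> dict:
    """Classify a From: address as trusted, known-domain, lookalike or unknown.

    'lookalike' means the domain is within max_edits of a trusted domain, or
    identical to it once look-alike characters are normalised (edits == 0).
    """
    sender_l = sender.strip().lower()
    if sender_l in (t.lower() for t in trusted):
        return {"verdict": "trusted", "resembles": None, "edits": 0}
    domain = sender_l.rsplit("@", 1)[-1]
    best = None
    for t in trusted:
        t_domain = t.lower().rsplit("@", 1)[-1]
        if domain == t_domain:  # new person at a genuine domain
            return {"verdict": "known-domain", "resembles": t, "edits": 0}
        d = _edit_distance(_normalise(domain), _normalise(t_domain))
        if d <= max_edits and (best is None or d < best[1]):
            best = (t, d)
    if best:
        return {"verdict": "lookalike", "resembles": best[0], "edits": best[1]}
    return {"verdict": "unknown", "resembles": None, "edits": None}
```

A “lookalike” verdict is the cue to ring the contact on a number you already hold rather than reply to the message.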
While it’s crucial to educate yourself and your staff, it’s also vital to take advantage of basic system safeguards. The following problems are easy to remedy and will ensure your business is less exposed to human error.
- Lunchbreak browsing. Your entire network could be at risk if your staff use their work computers to check personal emails or do so on their mobiles over your WiFi. Set up off-network staff WiFi for personal email checking, or ensure your employees use their phones on 3G or 4G. Never give visitors access to your main WiFi.
- Weak anti-virus. Use reputable anti-virus software and keep it up to date – its designers are constantly refreshing it as they discover and thwart new malware.
- No mail filtering. SMEs regularly find that anywhere between 50% and 70% of the emails they receive are spam. Mail filtering typically costs just £2 per user per month. Quite apart from protecting staff from receiving and inadvertently acting on a malicious message, it makes business sense to ensure valid, important emails aren’t lost in a mass of junk.
- Memory sticks. An infected memory stick could take down a network. Consider other more secure ways to store and share files.
- Old or out-of-date software. Too busy to download updates from the software developer when prompted? Think again. Cyber criminals are constantly identifying and exploiting vulnerabilities in software, but designers quickly find ways to foil attacks. Keep your software current and robust.
No Plan B
SMEs that don’t make a plan for the worst are less resilient when attacked.
- Relying on a single local back-up. Storing to a single local back-up such as an external hard drive will be useless if that device fails or gets infected. Having multiple back-ups for your most crucial data, including physical and cloud back-ups, is the most cost-effective strategy. Should your business fall victim to ransomware you can get your data back without paying up.
- Dithering and denial. Time is money in the case of an attack. Ensure staff know how vital it is to take prompt action if they suspect they’ve been targeted. Pull out the network cable from a potentially infected machine and disconnect it from the WiFi. Ransomware usually takes a while to run, so you may, for example, be able to limit your exposure before it reaches your server.
Finally, if you are the victim of an attack, take the time to report it to Action Fraud (www.actionfraud.police.uk, 0300 123 2040). This enables the National Fraud Intelligence Bureau to gather crucial intelligence.
Secure password storage: https://1password.com/
Check whether login details have been compromised: https://haveibeenpwned.com/