Sony, eBay, Ashley Madison, and the Red Cross Blood Service (and now even Google!) have all felt the sting of online security breaches, despite protection from an army of IT experts. In 2017, no business can afford to rest on its laurels – however ergonomic.
The threat to your business is serious and real. In 2015, the 'Business & Professional Services' sector was named as the most targeted industry by cybercriminals.
Yet, there's hope. Being risk-aware and security savvy will help you sidestep most wily web opponents and stay safe online.
Below, we identify the biggest modern threats to your business – plus 5 pro tips to avoid them.
First, a fact.
Did you know that you have a legal obligation to protect your data?
The records you keep – confidential and everyday details stored within your business – are protected by law. Have some of it stolen? You could be up for a hefty fine of up to $1.8 million. Under the Privacy Act 1988 (Cth), businesses – including some small businesses – are obliged to protect personal data such as names, signatures, addresses, telephone numbers, dates of birth, bank account details and employment details of a person.
If you've failed to take reasonable steps to protect this information and it's accessed by a hacker, your business may be liable.
(And FYI: 'But...it was stolen!' is not a permissible defense).
It certainly pays to know the who, what and how of online security. We've got you covered, below.
GONE PHISHING – HOW TO AVOID GETTING SCAMMED
Email phishing is one of the most common ways your business can be conned. It involves messages – usually via email – that 'lure' victims to click, send money, or otherwise divulge sensitive information. No longer clunky and comically obvious, email phishing scams are increasingly sophisticated – and successful. Check out the latest phishing attack that is travelling via Google.
It takes just THREE emails before a phisher is guaranteed that someone will open one, and only TEN before someone clicks a malicious link. [1]
Sometimes you simply need to open the email to be attacked – no clicking or attachment-downloading required. (You know that speeding ticket from the Roads & Maritime Service? Guess what? The RMS does not issue speeding tickets via email!).
Spear-phishing is the latest iteration, where professional phishers research a company specifically and launch a targeted attack. A common example is an email to the Finance Department that looks like it came from one of your suppliers, asking for payment of an overdue invoice. This comes complete with an email trail between Director/CEO and the client, with real names and email addresses plus accurate logos and signatures. It's clever, sophisticated and easy to fall for.
Pro Tip #1: If you're not sure whether to trust a link in an email (or in general), use whois.com for free to search for the domain and identify its origins before clicking on it.
Pro Tip #2: Something we've been having fun with (to the detriment of friends and colleagues!) is this free website, allowing you to send phishing emails of your own to see whether your mates would fall victim to a scam. A lot of businesses use it regularly to test their employees' scam-identifying abilities!
CATCHING DIGITAL THIEVES FROM WITHIN THE RANKS
Security threats can be coming from in-house too.
Suspect an employee has used company technology to commit an offence, such as stealing confidential information? These days, it's possible to reconstruct a person's actions in great detail using digital artefacts in a process known as digital forensics ("DF"). DF is a powerful tool – but it's only effective if your business is 'DF-friendly'.
Being DF-friendly doesn't start with getting IT to investigate, effectively trampling over the evidence like virtual wildebeests. Important metadata like timestamps and access information can be easily destroyed or contaminated once another user has logged on. Instead, it involves preserving evidence and capturing forensic images the right way. There are plenty of online resources to help you get your head around it – or you can email us for more detailed advice.
Pro Tip #3: Make it a company policy to take a forensic image (aka drive image) of a device whenever an employee leaves. This creates an exact copy of the hard-drive so that if, in the future, it becomes evident an employee has misused the computer, you still have essential data such as deleted or saved files, date and time stamps on hand. As a bonus, it frees up the device for the next person to use without fear of destroying evidence.
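As an added illustration of what "capturing forensic images the right way" looks like in practice (this is example code written for this page, not something from the article or its authors), the POSIX shell routine below images a source device sector by sector, hashes both the source and the resulting image so the copy can later be shown to be exact, makes the image read-only, and appends a timestamped chain-of-custody line to a log. It assumes `dd` and `sha256sum` are available and that the source device is attached read-only (in practice via a hardware write blocker); the paths used are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): acquire a raw forensic image of a
# block device and record its integrity hashes for chain of custody.
# Assumptions: POSIX sh, dd and sha256sum are present; the source is attached
# read-only (write blocker) so imaging cannot alter the evidence.

acquire_image() {
    # $1 = source device (e.g. /dev/sdb, hypothetical) or a file standing in for it
    # $2 = destination image path, e.g. /evidence/laptop-0042.dd (hypothetical)
    # $3 = chain-of-custody log file
    src="$1"; img="$2"; log="$3"

    printf '%s START acquisition source=%s image=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" >>"$log"

    # bs=512 reads one sector at a time; conv=noerror keeps going past unreadable
    # sectors and conv=sync pads them with zeros so byte offsets in the image
    # stay aligned with the original disk. dd's record counts go into the log.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1

    # Hash source and image independently; matching hashes prove an exact copy.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)

    # Lock the image so nobody can accidentally modify the evidence copy.
    chmod 444 "$img"

    printf '%s DONE sha256_source=%s sha256_image=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src_hash" "$img_hash" >>"$log"

    # A mismatch means the copy is not exact (read errors were padded, or the
    # source was not a whole number of sectors). Surface it rather than hide it.
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # $1 = image path, $2 = expected SHA-256 (e.g. from the custody log)
    # Re-run this before analysis, and again before handing the image to anyone.
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}
```

Usage: `acquire_image /dev/sdb /evidence/laptop-0042.dd /evidence/custody.log` (hypothetical paths) returns success only when the image hash equals the source hash; analysts then work on a copy of the image, never on the original device, and `verify_image` lets anyone confirm the evidence has not changed since acquisition.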
HOARD YOUR RECORDS!
It takes an average of 205 days for a company to discover they've been digitally compromised! [2] By that time, it's likely the hacker has come and gone, leaving scant evidence that they were ever there at all.
Pro Tip #4: Keep backup servers for at least a year so metadata is available for investigation, showing how and what was compromised by the hacker. Of course, this is subject to any other legal obligations you may have to keep records for longer periods.
CHEAP AND VERY, VERY NASTY
Ultimately, the best method of protecting yourself and your employees from malware and phishing is to pay for quality protection. While the most sophisticated (and devastating) malware may not be caught by the software, it will eliminate the basic viruses and help identify spam – cutting 90% of the risk.
Pro Tip #5: Do not download free protection software. Most of it is actually malware in disguise, pretending to scan for viruses whilst installing malicious programs to steal your passwords and keystrokes. The irony.
[1] Verizon 2016 Data Breach Investigations Report, p. 22, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
[2] Mandiant M-Trends Report 2015, p. 2, www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.