2019 is officially here, and it will be another hugely important year for cybersecurity. Last year saw a sharp rise in cybercrime against SMEs, from industrial espionage to loss of personal or company data. A number of our own customers were affected too, experiencing phishing e-mails and malware attacks.
We want to help you avoid cybercrime, so from now on we will be sending out regular updates, cybersecurity tips and nuggets of wisdom from our resident IT security expert, Jamie Williams, on what to look out for, how to stay ahead of the game and how to keep your data safe.
So where better to start than by sharing Jamie's 5 cybersecurity New Year's resolutions with you? He assures us that they are essential to your data protection, quick to implement and vital in making your business more secure. And, unlike giving up chocolate or biscuits, Jamie believes these resolutions are easier to keep too!
Ensure a robust business process is in place to double-check any change of bank details.
"This is one of my top messages to get across this year and it's free to implement but critical. An e-mail stating that a company's bank details have changed should be treated as highly suspicious, and the sender should be contacted by phone, on a known number (preferably not one in the e-mail that was sent with the changes), and the change confirmed manually before any payments are made to the new account."
"Faking bank details and banking information is an incredibly common and effective attack that’s on the rise and can be negated by a simple business process to check the validity of the new details. It can also help the sender to identify an attack or compromise. Do not reply and check the details over e-mail, because if the account you’re e-mailing is compromised you'll be liaising directly with the attacker who will of course agree that the new details are correct!"
If you receive something you weren’t expecting, consider it as suspect!
"Just because an e-mail says it came from someone you know, it doesn't necessarily mean that they sent it. Their e-mail account may have been compromised. Perhaps the e-mail includes links the sender has never sent before, which seem a little out of place or don't look quite right."
"If unsure, it’s always best to double check via phone and never via e-mail as the reply saying, 'It’s legitimate – it’s safe to click', will potentially come from the attacker. Believe me, one malicious clicked link can compromise your entire organisation."
Passwords. Passwords. Passwords.
"Passwords are usually your first line of defence and should be treated with respect. If you have a single word and some numbers for a password, change it. Aim for at least 11 random characters, the longer the better. Include upper case, lower case and symbols. I know they can be a nightmare to remember."
"I find the best way is to maybe use a sentence to get something you can remember, for example:
I had a really good Christmas in 2018 at mum and dads!! = IhargCi2018@mad!!"
If you use the same password for everything, it’s time to start changing that right now.
"Let's assume there is another cybercrime breach at LinkedIn (sorry, LinkedIn) or similar, and your username/password is stolen: attackers will try that same combination on multiple sites, which could then get them access to all sorts of information you wouldn't want them to find. It's a very bad idea, and often these initial breaches are out of your hands and not your fault."
"Having multiple passwords for everything poses its own challenges of course, but you can use a password manager to store your passwords centrally and in encrypted form. There are free ones available, such as https://keepass.info/. Just ensure you back up the password database and remember the main password to access the database, otherwise you'll need to go through resetting them all!"
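The password rules in the two sections above (at least 11 characters, a mix of upper case, lower case and symbols, no single word plus numbers, a sentence-based mnemonic, and no password reused across sites) can be checked mechanically. The Python below is an added example written for this page, not code from the post or its author: `check_policy()` encodes the rules as stated, `mnemonic()` reproduces the first-letters-plus-numbers derivation from the post's own example (treating "at" as "@" is an assumption taken from that example, not a rule the post states), `random_password()` uses the standard `secrets` module, and the sample credentials are constructed for illustration.

```python
import math
import re
import secrets
import string
from collections import defaultdict

# Alphabet for random generation: upper, lower, digits and symbols (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LEN = 11  # the post's minimum length


def check_policy(password, min_len=MIN_LEN):
    """Return the reasons a password fails the post's advice; an empty list means it passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = {
        "upper case": any(c.isupper() for c in password),
        "lower case": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name} characters" for name, present in classes.items() if not present]
    # "A single word and some numbers": letters followed only by digits.
    if re.fullmatch(r"[A-Za-z]+\d*", password):
        problems.append("a single word (plus numbers)")
    return problems


def mnemonic(sentence, substitutions=None):
    """Derive a password from a memorable sentence the way the post does: first letter of
    each word, numbers kept whole, trailing punctuation kept. Replacing 'at' with '@' is an
    assumption taken from the post's example, not a rule it states."""
    subs = substitutions if substitutions is not None else {"at": "@"}
    parts = []
    for word in sentence.split():
        core = word.rstrip(string.punctuation)
        trailing = word[len(core):]
        if core.lower() in subs:
            parts.append(subs[core.lower()])
        elif core.isdigit():
            parts.append(core)
        elif core:
            parts.append(core[0])
        parts.append(trailing)
    return "".join(parts)


def random_password(length=16, alphabet=ALPHABET):
    """Generate a password with the secrets module (a CSPRNG, unlike random.choice) and
    resample until it satisfies check_policy, so every character class is present."""
    if length < MIN_LEN:
        raise ValueError(f"length must be at least {MIN_LEN}")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate, min_len=MIN_LEN):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password; 11 characters from 94 symbols is about 72 bits."""
    return length * math.log2(alphabet_size)


def find_reused(credentials):
    """credentials: {site: password}, e.g. an export from a password manager.
    Returns {password: [sites]} for every password used on more than one site."""
    sites_by_password = defaultdict(list)
    for site, password in credentials.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed sample data for illustration; none of these are real accounts or passwords.
SAMPLE_CREDENTIALS = {
    "linkedin.example": "Summer2019",
    "webmail.example": "Summer2019",
    "bank.example": "IhargCi2018@mad!!",
}

if __name__ == "__main__":
    print(check_policy("Summer2019"))
    print(mnemonic("I had a really good Christmas in 2018 at mum and dads!!"))
    print(f"{entropy_bits(MIN_LEN):.1f} bits for {MIN_LEN} random characters")
    print(random_password(16))
    print(find_reused(SAMPLE_CREDENTIALS))
```

One caveat on the numbers: `entropy_bits()` only applies to a password chosen uniformly at random, which is what `random_password()` produces. A sentence-derived password like the post's example passes `check_policy()` but is not 17 random characters, since an attacker who guesses the sentence pattern has far fewer candidates to try; the figure is a ceiling, not a guarantee. Reused passwords reported by `find_reused()` are the ones to change first, starting with the sites that have already been breached.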
IT training for staff is a really good idea.
"Firstly, looking specifically at GDPR: awareness of data protection is key, and staff training should be implemented to help your team understand its importance. Staff training is an essential part of GDPR compliance, as not only does the training reduce the risk of breaches, it also demonstrates your company's compliance. For example, if your organisation were to experience a data breach and you had documented your staff training, this would be used as evidence to prove that you took the appropriate steps to prevent a data breach and were taking the regulation seriously."
"The other reason, outside of GDPR and from my point of view, is that training on IT security is vitally important, as users are one of the weakest links in your business security. The more that staff understand risks and know what to look out for, the less likely they are to fall foul of them. One mistake can compromise your entire organisation."
As part of our cybersecurity proposition, we are still offering an initial Free Phishing Test to assess users' susceptibility to e-mail phishing attacks. We would strongly advise you to give it a go: the results will probably shock you. The full service comes with training material as well. If you would like to run a test, please contact Jamie directly at firstname.lastname@example.org.
For further information on IT Security and a better understanding of how we can support you in this area, please visit our Resources Page and download our free IT SECURITY DATASHEET.