Although it is important to educate yourself on how to protect your business, it is also important to understand what you are protecting yourself against. Showing you these threats is not designed to increase the fear of crime but to increase your knowledge so you are better prepared to understand the world of cyber security. Some of the most common threats are described below.
Phishing refers to the process of deceiving recipients into sharing sensitive information with an unknown third party (a cyber criminal). It is often carried out via email, masquerading as a legitimate source while in fact looking to steal personal details such as login information. It is often difficult to distinguish between legitimate and phishing emails, but clues often give them away, such as spelling mistakes, unusual attachments, or emails from a business or source that you have never had dealings with.
Spam, unlike phishing which has the intention of causing significant harm, is sent to try and get the recipient to visit a certain website for sales or to drive up website visitor numbers. Spam can sometimes be linked to fraudulent means so it is important to be cautious when opening a spam email.
Malware is a general term for malicious software. Malware includes viruses, worms, Trojans and spyware. The software is used to gain unauthorised access to computers and can gather sensitive and private information.
A virus is a file that runs on a computer; sometimes it is visible, but sometimes it runs in the background without being noticed. There are a variety of viruses, including worms and Trojans. Worms are designed to spread from computer to computer, infecting every one they pass through. Trojans are malicious programs that pretend to be legitimate software but actually carry out hidden, harmful functions.
Adware should always be treated with caution. Adware delivers advertisements by tracking your usage and can redirect you to unwanted websites. It often comes bundled with free software that you install, and unless it notifies you that it is collecting data from your computer, it should be considered malicious.
Ransomware is a form of malware where criminals lock your computer and display a message demanding a certain amount of money to be paid, otherwise they will wipe your computer of its data. Ransomware is often activated through human error, such as opening a corrupt email attachment or visiting an infected website, so it is important to ensure all staff are aware of online security to at least a basic level.
Distributed Denial of Service (DDoS)
A denial of service attack often targets websites. A denial of service attack uses one computer to flood a network, meaning no one else can access that network. A Distributed Denial of Service attack involves multiple computers, often botnets (networks of infected "robot" computers), being used to flood the network. This is often used as a temporary attack to prevent the use of a website or other online systems run by a business; the victims of such targeted attacks are often large corporations.
Things to consider:
- Cyber Essentials Cyber Liability Insurance (This comes with the completion of Cyber Essentials)
- Firewalls and Internet Security Protection (Anti-virus)
- Backing up of data
For more detailed information on the above you may like to visit the following or look at some of the other advice sheets on the Warwickshire Business Watch website:
Get Safe Online – https://www.getsafeonline.org/
Cyberstreetwise – https://www.cyberstreetwise.com/
Reporting Business Cyber Crime
If you have been or believe you have been a victim of Cyber Crime please report it directly to Action Fraud. This can be done by visiting www.actionfraud.police.uk or calling 0300 123 2040. Action Fraud is not an emergency service; in case of an emergency please dial 999.
In line with the Government’s 10 steps to Cyber Security, Cyber Essentials is a Government-backed scheme encouraging businesses to review their online activity and security. It is for all organisations of all sizes and all sectors of business.
There are two levels to Cyber Essentials, Cyber Essentials Basic and Cyber Essentials PLUS. Both levels cover 5 areas and they are: Secure configuration, Boundary firewalls and internet gateways, Access Controls, Patch (Update) Management and Malware protection.
Cyber Essentials Basic
Cyber Essentials Basic requires the organisation to complete a self-assessment questionnaire, have it signed off by the CEO of the business and then the response is independently reviewed by a certifying body.
Cyber Essentials PLUS
Cyber Essentials PLUS offers a higher level of assurance through the external testing of the organisation’s cyber security approach. Cyber Essentials PLUS comprises remote and on-site vulnerability testing to check whether the controls claimed actually defend against basic hacking and phishing attacks.
What are the benefits?
- Peace of mind
- Cyber Liability Insurance worth £20,000
- Access to exclusive contracts – Mandatory since October 2014 for central Government contracts which involve handling personal information and providing certain ICT products and services.
What are the costs involved?
Cyber Essentials documents are free to download and can be used to either attain Cyber Essentials or to simply self-assess and apply the appropriate controls.
In order to gain the certification and use of the badge, Cyber Essentials Basic costs £300, but the cost of Cyber Essentials PLUS varies depending on the size of the business, as this will affect the amount of testing to be done.
If you would like more information on Cyber Essentials please visit the Cyber Streetwise website https://www.cyberstreetwise.com/cyberessentials/ where you can see which businesses can offer Cyber Essentials and gain more of an insight into what is involved.
Data is of paramount importance to any business but if it is accessed by unauthorised individuals or even criminals it could have a range of damaging implications. If your business handles confidential information it is worth considering using encryption in order to ensure that if data gets into the wrong hands, the details in this data cannot be accessed.
How does encryption work?
Encryption uses a key to encrypt data, and that same key is needed to decrypt it. The process of encryption runs the data through a mathematical formula so that, without the key, it cannot be understood by a third party. Encryption can be applied to data that is stored, but it can also be used when transferring data, for example via email.
Storing and Transferring Data
Storing data
When storing sensitive data, whether it is a backup or working data, you should always check what level of encryption is used.
Whether it is in the cloud or a physical backup, you should know where the data is at all times.
Transferring data
When moving sensitive data it is important to encrypt it in case of loss.
Transferring data electronically is preferable as, even if removable devices such as memory sticks are encrypted, these can easily be lost.
Information Commissioner’s Office
In the event of data being lost or stolen, you may need to notify the Information Commissioner’s Office.
If you have encrypted the data, the consequences may not be as severe, because you have taken greater steps to ensure the data cannot be interpreted even if it is intercepted. It is important to remember that the level of encryption used will be determined by the sensitivity of the data you are dealing with.
The implementation of this will also vary in complexity therefore you may need to consult your IT department or a specialist.
Emails have become a way of life; they are used at work, at home and on the move, and they transcend geographical barriers. However, this development in communication has also led to nearly 50% of all emails sent being spam.
Below we take a look at some of the vulnerabilities and how these can be protected.
Dangers of Emails
Shoulder surfing – With the increase in mobile technology, employees can now work from practically anywhere, whether this is with their mobile, laptop or tablet. The danger of this is that when working in a public place, someone nearby may take the opportunity to watch what you are doing. Be careful when opening sensitive emails in a public place. This also applies to working with any sensitive data.
Phishing refers to the process of deceiving recipients into sharing sensitive information with an unknown third party (a cyber criminal). It is often carried out via email, masquerading as a legitimate source while in fact looking to steal personal details such as login information.
Attachments and spelling mistakes
If the email is from someone you do not know and is unexpected, you should be cautious about opening any attachments as they could be harmful to your computer. As well as unusual attachments, clues that identify a phishing email include spelling mistakes or an unusual sender address.
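A small triage script, added here and not part of the original advice sheets, that applies the clues listed above and in the earlier description of phishing (a sender the business has never dealt with, a display name imitating a known organisation, an unusual attachment) to two constructed sample emails; the known-contact list and the attachment types it treats as unusual are assumptions for the demonstration.

```python
"""Apply the phishing clues from this advice sheet to raw email text.

Clues checked: the sender is a source the business has not dealt with,
the sender claims to be a known organisation but writes from another
domain, and the message carries an unusual attachment.  Spelling mistakes,
the sheet's other clue, are left to the human reader.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Organisations this business has dealt with, keyed by the domain their
# genuine mail arrives from (assumed list for the example).
KNOWN_CONTACTS = {
    "supplier.example": "Acme Supplies",
    "bank.example": "Example Bank",
}

# Attachment types that are unusual in ordinary business correspondence
# (assumed list; extend it to suit the business).
UNUSUAL_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar", ".lnk"}


def parse_sender(msg: Message) -> tuple[str, str, str]:
    """Return (display name, full address, domain) from the From header."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return name, addr.lower(), domain


def attachment_names(msg: Message) -> list[str]:
    """Collect the file name of every attachment in a MIME message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def is_unusual_attachment(filename: str) -> bool:
    """True for executable-style files, including double extensions such as
    statement.pdf.exe, which rely on the reader noticing only the first part."""
    lower = filename.lower()
    dot = lower.rfind(".")
    return dot != -1 and lower[dot:] in UNUSUAL_EXTENSIONS


def triage(raw_message: str) -> list[str]:
    """Return the clues found. An empty list means none of the sheet's clues
    fired, which does not by itself prove the email is genuine."""
    msg = message_from_string(raw_message)
    name, addr, domain = parse_sender(msg)
    clues = []

    if domain not in KNOWN_CONTACTS:
        clues.append(f"sender {addr or '<missing>'} is from a source the business has not dealt with")

    # A display name borrowing a known organisation's name while the real
    # address sits on another domain is the 'masquerading' the sheet describes.
    for known_domain, org in KNOWN_CONTACTS.items():
        if org.lower() in name.lower() and domain != known_domain:
            clues.append(f"display name '{name}' imitates {org} but the address domain is {domain or '<missing>'}")

    for filename in attachment_names(msg):
        if is_unusual_attachment(filename):
            clues.append(f"unusual attachment {filename}")

    return clues


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank.test>
To: accounts@yourbusiness.example
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached statment and confirm your login.
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

MZ...
--b1--
"""

LEGITIMATE_SAMPLE = """\
From: "Acme Supplies" <orders@supplier.example>
To: accounts@yourbusiness.example
Subject: Invoice 1042
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Invoice attached as agreed.
--b2
Content-Type: application/pdf; name="invoice-1042.pdf"
Content-Disposition: attachment; filename="invoice-1042.pdf"

%PDF-1.4
--b2--
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, "->", triage(sample) or "no clues fired")
```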
Spear Phishing
Spear phishing emails are phishing emails targeted directly at your business. They are often harder to detect as they are likely to appear to come from a company you do business with and will seem rather plausible.
Secure Email – There are certain email systems that operate much more securely and offer higher levels of encryption so anything passed through them is much more protected.
Encryption is discussed in detail in another Advice Sheet, but it essentially means securing the contents of the email, such as attachments, before they are sent, so that if the email is intercepted the contents cannot be read.
Human error plays a large part in criminals gaining access to your business via email. It only takes one person to open an attachment or click a link which could jeopardise your whole computer network.
It is important that all staff are aware of the risks and are always cautious of unexpected emails.
When it comes to physical and online crime prevention there are several things to consider when working with your employees. Employees are arguably the greatest asset to a business but can also be working against the business. In both cases it is important to consider the following:
It is important to instil good practice, potentially through the use of policies: put cyber onto the agenda!
Potential policies should include: appropriate use of the internet, use of email, regulations on downloading unapproved applications, the use of passwords.
It would also be useful for a business to stress the importance of reputation and data. Education around the Data Protection Act and other legal obligations would help to affirm the importance of handling data, especially on a computer.
When it comes to passwords, staff should be advised that they should not be written down, computers should be ‘locked’ when they are not in use, and workspaces should be kept tidy and free of confidential information. This could be contained in a Computer Usage Policy.
Staff should only have access to information that is relevant to them – consider managing access.
Something as simple as human error in opening an email attachment with a virus embedded could be costly to the business’s systems. It is important to educate employees about the dangers of viruses and similar threats.
There has been a rise in CEO Impersonation Fraud in which fake emails are sent to employees requesting an invoice to be paid and when they do so, it turns out that the CEO had not ordered this to be done.
It is important to inform employees of the physical security onsite so that if they need to implement any of the security measures, they can do so.
It is important that those members of staff who are responsible for managing security are confident in procedures etc.
Use strict visitor policies and ensure all staff help implement this.
Encourage staff to be vigilant and challenge non-employees as to their reasons for being on site.
It could be that employees are attempting to defraud the business by stealing stock, money or other assets.
Disgruntled employees may be assisting others in causing harm to the business, consider access to various parts of the building.
Keep a regular check that policies and procedures are being followed.
Flexible working and BYOD
With the development of technology and the increasing capabilities brought about with it, flexible working is becoming ever more popular. Being able to work from anywhere increases efficiency and provides great potential for growth. However, as with the majority of technological developments, it also brings about some issues which need to be treated with caution.
The main threat to businesses from accessing information away from the business network is the potential for eavesdropping on the communication between the device and business network.
Remotely connecting to a company network
The size of the business will determine which method of access you should use. Some of the most common ways to access your business network away from site include:
- Virtual Private Network (VPN)
- Software specific programmes (Windows Remote Desktop)
- Remote Email Access
A virtual private network allows you to access business files and data away from the business using a private connection. Although this is a secure method of connecting into the business it is important to ensure the basic security protocols remain in place such as passwords, anti-virus etc.
Bring Your Own Device (BYOD)
As mentioned above the growth in technology has brought about many opportunities, one of these is the ability to ‘bring your own device’. Although this seems like a great idea, you must seriously consider the following:
- Is it necessary for employees to use their own devices?
- Using third party devices means it is difficult to determine the safety of the devices and whether they carry viruses.
- Would employees using their own devices reduce productivity?
- Consider using an Acceptable Use Policy.
- What would the cost implications be in terms of data limits and technical support?
When considering implementing flexible working/bring your own device policies it is worth considering a risk assessment to weigh up the benefits and implications of making such changes and then also putting in place disaster management plans to limit damage in the event of a breach of cyber security.
What is Get Safe Online?
Get Safe Online is the UK’s leading source of unbiased, authoritative and easy-to-understand information on protection against fraud, identity theft, viruses and many other problems encountered online – as well as physical computer theft/loss, backups and related topics.
Aimed at consumers and small businesses and jointly funded between the Government and Private Sector, Get Safe Online is the Government’s default online security advice channel. A world-leading initiative, Get Safe Online is a not-for-profit organisation.
The Internet of Things
The term ‘Internet of Things’ is something which not a lot of people know about, but almost everyone will have some sort of interaction with on a daily basis in one way or another.
What is the Internet of Things?
The Internet of Things is the name given to the network of electronic devices and other items which can connect to the internet and through connectivity, enable the exchange of data.
There is now an ever increasing number of items which can connect to the internet. This brings many benefits but also an increasing number of loopholes for criminals to exploit. Examples of the Internet of Things include:
- Fridge/Freezers that are now connected to mobile devices.
- Automatic orders from printers that are running low on ink.
- Central heating systems that can be controlled from your mobile phone before arriving into work/home.
- Watches that now connect to smartphones.
Benefits
For businesses the increase in connectivity will mean:
- Increased efficiency, especially with regard to manufacturing.
- Potentially greater business opportunities that have become available due to greater efficiency.
- Flexibility in working – location/time.
Things to be aware of
- Increased number of items/processes that could be compromised.
- Cost implications if malfunction/stolen.
- With an increasing number of electrical items that could malfunction beware of bogus calls offering to ‘fix’ electrical items.
Ensure all devices are password protected.
If you have a Bring Your Own Device policy, ensure it is strictly implemented to ensure that no viruses or malware is transferred to your business equipment.
Technology is developing at an incredibly fast pace with usability in mind; however, security is always developing in reaction to this, which means it is as important as ever to ensure your business stays on top of its security.
Legal Compliance for Businesses
Although there are laws in place to protect businesses, there are also those such as the Data Protection Act 1998 which they must comply with in order to operate legally.
Data Protection Act 1998
The Data Protection Act 1998 is perhaps the most important Act for businesses to consider when it comes to compliance.
The Data Protection Act 1998 is overseen and regulated by the Information Commissioner’s Office. The Act covers important rules on the storage, processing and distribution of electronic data. The Act has 8 core principles and they have been paraphrased below:
- Personal data shall be processed fairly and lawfully.
- Personal data shall only be obtained for a specified, lawful purpose.
- Personal data will be adequate, relevant and not excessive.
- Personal data will be accurate and kept up to date.
- Personal data shall not be kept for any longer than necessary.
- Personal data will be processed in accordance with the rights of the data subject.
- Appropriate measures will be taken against unauthorised processing, loss or damage to data.
- Data will not be transferred outside of the European Economic Area unless the rights of the data subject can be upheld.
More information on Data Protection can be found at https://ico.org.uk/.
Failure to comply with the regulations can result in a variety of penalties so it is a good idea to ask questions if you are unsure of your responsibilities.
Information Commissioner’s Office
As mentioned above, the Information Commissioner’s Office is responsible for the Data Protection Act, but it also holds the register of businesses that process personal information and deals with concerns relating to the Act. If your business deals with personal information it must register with the ICO; this is also obligatory for the use of CCTV.
The sector(s) your business operates in will affect the number of regulations it must comply with; for example, the financial sector is regulated by the Financial Conduct Authority (FCA). Please research your regulators to ensure you are following their guidelines and legal obligations.
Passwords are the most common way to access your information by proving your identity. They are used to access a variety of information with varying degrees of confidentiality but chances are if it needs a password, it’s worth protecting.
- When talking about passwords, the advice is quite straightforward: the more random the better.
- Always use a combination of upper and lower case letters, numbers and keyboard symbols where possible.
- Password generators such as https://identitysafe.norton.com/passwordgenerator are useful.
- Don’t use personal references (family names, dates of birth etc.).
- Don’t use a single dictionary word.
- Don’t use the same password for all accounts!
2-Step Verification and 2-Factor Authentication
2-Step Verification or 2-Factor Authentication is a process of protecting personal data which requires a login (e.g. email). This method requires a normal password but also adds an additional login step using a mobile, alternative email or authenticator app. This method would be ideal for a business and its staff email accounts.
Applying advice in business
When it comes to using passwords and accounts in a business it is important that each user is clear on the importance of safeguarding their own area and does not share this with other members of staff.
- Consider enforcing a change of password for employees every 30 days.
- Include in company policy, strict safeguarding around desk space, instructions on locking the computer when away from it and raising awareness of privacy.
- Do not recycle passwords.
- Do not write down passwords.
And always be wary of who is around you when entering your password.
Patching is another term used for ‘updating’ and is used when referring to your computer systems. These updates refer to the software that is on your computers and other devices.
Updates are released for a number of reasons ranging from bringing in new features to security management.
Principles behind updating software
As mentioned above, updates are released for a variety of reasons including:
Advancements in technology
Software companies will constantly be developing new features and versions of their software for the benefits of their customers, e.g. voice control.
Preventing crashes or improving performance.
Address security issues
Updates will also be released to address (patch) vulnerabilities in the coding of software. These loopholes are areas which could potentially be targeted by hackers and therefore when these updates are released it is important that they are installed.
Zero-day vulnerabilities
These occur when hackers identify a vulnerability in a system and are able to exploit it before the developer has had the chance to release an update, or perhaps even to realise there is an issue. When the update is released it is important that it is installed as soon as possible, as attackers will then know for certain that there is a weakness and go after any system that hasn’t installed the security update.
Updating software is important but as well as releasing updates for security and other purposes, developers may release entirely new operating systems.
Over time, support and updates for very old programmes may be discontinued while developers focus on updating more recent software and developing new programmes. An example of this is Windows XP, which stopped receiving updates in 2014. Therefore it is important to keep an eye on when your software may stop receiving updates so you can plan around this.
When to update
Software should be updated as soon as possible. It is a good idea to either set your system to automatically update when a patch is released or at least notify you when one is ready. If you run up to date software and follow some of the other advice sheets such as anti-virus, firewalls and passwords you will have a better chance of protecting yourself online.
Regional Cyber Crime Leaflet
The phrase ‘social engineering’ is quite a new term in the world of cybercrime but it is something that has been around for decades. It involves playing on the good will of individuals in a process of manipulation and deceit.
What is Social Engineering?
Social engineering is the process of deceiving someone to gain access to personal information or private systems. Criminals will use social engineering because it is often easier and quicker to play on someone’s trust than spend endless hours attempting to hack computer systems, or they may use it to entice someone to click on a link containing a virus they have sent.
Forms of Social Engineering
Social engineering revolves around impersonation. This could be as a member of staff, potential supplier or simply enquiring as a member of the public.
Phishing
These are electronic communications, normally emails, which seek to obtain personal information.
Pretexting
This is where a fake scenario is provided in an attempt to gain trust.
Quid Pro Quo
The criminal will offer a service in return for information, e.g. IT support.
Baiting
This is done by leaving a memory stick or removable device lying around and waiting for curiosity to take over and for it to be plugged into a computer, where it can infect all the computers on the network.
What can you do?
- Ensure all staff are aware of who to give information to and what can be shared via the likes of social media.
- Be wary of people who do not normally associate with the business, in case they have damaging intentions.
- Secure all devices connected to the business with firewalls, anti-virus and spam filters to limit the chances and effects of being a victim.
- Do not respond to suspicious contacts.
If you feel you may have been a victim, it is important not to be embarrassed about the situation and to act quickly. In your business, it would be important to inform the relevant parties and also change all passwords in case the criminal has also managed to access your systems.
The importance of addressing cyber crime
Cyber crime is affecting individuals and businesses on an unprecedented scale. It was reported in the Office for National Statistics Crime Survey that between March 2015 – March 2016 there were 5.8 million incidents of fraud and computer misuse. This highlights the importance of addressing the issue and in the case of businesses, putting it in the boardroom.
Why address Cyber crime?
- Businesses rely on connectivity – internet, telephone, conference calls, banking transactions etc.
- Cyber is the lifeblood of a business; it should therefore be considered a high priority in all strategic boardroom meetings.
- Prevention of attack or loss of data.
- Compliance with regulations.
- Prepared – Business Continuity Plan.
The consequences are too great to not consider business defences:
- The cost of recreating the lost data – either by buying new hardware and software or re-entering the lost data (which may not always be possible)
- The cost of continuing without that data (availability)
- The cost of informing others about the loss
A company that suffers a data loss can also suffer a loss in its reputation as a professional organisation. This problem is greatly magnified if personal data belonging to other people has been lost.
Taking the initiative
- Should not be a tick box exercise.
- Aim to go beyond the ‘compliance’ approach.
- Mainstreaming cyber means as well as ensuring your business is secure, it could also lead to new developments within the business.
- Government backed initiatives – Cyber Essentials.
- Overall peace of mind that you have done all you can to protect your business.
Where to get Advice?
Many of the Advice Sheets talk about specific issues; this Advice Sheet aims to signpost you to the range of useful resources out there to help you protect your business both physically and online.
Online Crime
There is an array of Government backed websites and initiatives which aim to assist individuals and businesses in increasing their knowledge of the online world, and they include:
CyberAware – https://www.cyberaware.gov.uk/
Get Safe Online – https://www.getsafeonline.org/
Cyber Essentials – https://www.cyberaware.gov.uk/cyberessentials/
Cyber Safe Warks – https://www.cybersafewarwickshire.com/
Traditional Crime
With regards to traditional crime, Warwickshire Police have a page on their website dedicated to traditional business crime.
Warwickshire Police Initiative – Your Business Matters – https://www.warwickshire.police.uk/yourbusinessmatters
Police Designing Out Crime Officers
North Warwickshire – Mark English – email@example.com
South Warwickshire – Ian King – firstname.lastname@example.org
Warwickshire County Council Business Crime Advisor – Bogdan Fironda – email@example.com
Reporting Fraud and Cyber Crime
If you have been or believe you have been a victim of Fraud or Cyber Crime please report it to Action Fraud. This can be done by visiting www.actionfraud.police.uk or calling 0300 123 2040. Remember: if you require the assistance of the Police, the number for an emergency is 999, but in the event of a non-emergency it is 101.
Wi-Fi is now everywhere; whether it’s at home, work or public places such as the gym, coffee shops or airports. The degree to which these are secure depends on a number of factors and where these are located. If they are at home or work they are likely to be more secure than using public Wi-Fi.
With all forms of Wi-Fi however there is some degree of risk:
If your home or work internet is not secure, it could mean that others have access to your internet allowance/connection, slow down your connection, or even worse, access and steal the (sensitive) information which you are also accessing.
Securing your wireless network:
- Ensure your network is password protected
- Change the default password
- Check the encryption level of the router – WPA2 as minimum
The risk with Public Wi-Fi comes with the fact that many do not require a password to access them and if they do, you do not know who else is using the connection.
Anyone could be connected to the router at the same time as you, watching what you do.
A criminal may set up a spoof hotspot which you connect to thinking it is a legitimate Wi-Fi connection when in fact all your traffic is going through their computer for them to read.
Safely using Public Wi-Fi
- Do not send personal information over Public Wi-Fi unless you know it is a secure webpage.
- Use reputable hotspots where possible.
- Businesses that want to access their corporate network should use a Virtual Private Network (VPN).
- Business information can also be stolen by shoulder surfing.
- Don’t leave devices unattended.
- Use anti-virus, firewall, passwords and update these regularly.
Wi-Fi has arguably been one of the greatest advancements in technology in recent years but it is also one of the most vulnerable as it opens up gateways for cyber criminals on a range of levels. When we think of Wi-Fi we often think of the routers at home and work but increasingly, businesses providing a service in particular, offer Wi-Fi to customers.
Public Wi-Fi raises a range of questions which should be looked into especially if you are a business owner including:
- Is your router regularly updated?
- Is your router well encrypted?
- Do customers require a password to log onto your router?
If you are a business operating away from the premises, there are a number of ways in which you can secure your systems and devices. Please see the ‘Public Wi-Fi’ advice sheet for more details.
Warwickshire County Council’s #WiFiSavvy Campaign
Warwickshire County Council is working with Trading Standards and the Office of the Police and Crime Commissioner to promote the safe use of Public Wi-Fi.
The Campaign aims to help businesses increase their security but also enables them to offer a more secure place for customers to do their browsing. As a business you will need to acknowledge the following:
- We have changed the admin password of our router from its default setting.
- We have disabled remote management to the router completely.
- We are committed to using reliable encryption (WPA2 as minimum)
- We ensure that our router is regularly updated with its latest software.
We will supply an advice sheet if your business requires assistance in adhering to these.
If your business adheres to the above, we will provide a poster and window sticker which can be displayed to show that you have taken steps to make your Wi-Fi more secure and also has advice for customers when using Wi-Fi.
If you as a business follow/would like to follow the 4 simple steps outlined above and would like to receive a poster and window sticker to promote the fact that you are thinking of your customers’ online security please get in touch via the contact details on the Warwickshire Business Watch website.