Simon Cohen, Head of IT Consulting at Moore Stephens (WA), discusses his top tips for businesses to boost their cyber security, in light of recent scams. We have noticed a spike in online scams relating to fraudulent online payments, including two cases where organisations suffered losses, he writes.
While technology presents countless efficiencies in business, it also brings with it a variety of risks. With exponential growth and innovation in this space, effective IT Risk Management & Cyber Security processes are vital.
We have recently noticed an increase in online scams relating to fraudulent online payments. Typically, an email account is first compromised (‘hacked’) and the attacker then uses it to request a change to a creditor's banking details. The communication contains a new BSB and account number, and the target individual is asked to update the creditor's details accordingly.
We have seen a recent spike in cases, and in the particular examples that came to our attention two organisations suffered a loss. These examples highlighted a lack of robust processes on both sides of the transaction: firstly, the organisation whose account was hacked had usually not taken sufficient security precautions; and secondly, the recipient of the scam request failed to verify it thoroughly.
Therefore, to help you safeguard your business from hacking attempts, here are 8 key steps to improve your cyber security.
Step 1: Secure your passwords
Use secure complex passwords. The longer and more complex the password, the more difficult it is to crack. Don’t use the same password for all your sites! If you find it difficult to remember multiple passwords then use a password management tool.
Step 2: Implement Two Factor Authentication on your systems
Two Factor Authentication requires two forms of verification before enabling access to systems. This provides an added layer of security against many common forms of attack.
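To make the "two forms of verification" concrete, here is an added example (not code from the article or from Moore Stephens) of a login check that requires both a password and a time-based one-time code of the kind generated by an authenticator app. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only; the secret, salt and user record are constructed demonstration values, and the secret is the RFC 6238 reference secret so the codes can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded as an
# authenticator app would receive it. Constructed demo value; real secrets are
# generated per user at enrolment.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current window plus or minus `window` steps (clock drift).
    compare_digest keeps each comparison constant-time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + drift), submitted)
        for drift in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store: one enrolled user with a hashed password and a TOTP secret.
DEMO_SALT = b"constructed-salt-value"
USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "password_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": DEMO_SECRET_B32,
    }
}


def authenticate(users: dict, username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass: a stolen or guessed password alone is never enough."""
    user = users.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(user["password_hash"], hash_password(password, user["salt"])):
        return False
    return verify_totp(user["totp_secret"], code, unix_time)


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time
    print("code at T=59:", totp(DEMO_SECRET_B32, now))
    print("password only:", authenticate(USERS, "alice", "correct horse battery staple", "000000", now))
    print("password + code:", authenticate(USERS, "alice", "correct horse battery staple",
                                           totp(DEMO_SECRET_B32, now), now))
```

The drift window is deliberately small (one step either side); widening it makes a captured code usable for longer. A real deployment would also rate-limit failed attempts and bind the secret to the user at enrolment over a trusted channel.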
Step 3: Only work in secure environments
Be careful where and how you connect online. Be mindful of open-access Wi-Fi networks and websites that don’t use secure connections (where the URL does not start with https).
Step 4: Secure your applications
Limit the number of applications that your staff can use. This technique of ‘application whitelisting’ prevents unauthorised or malicious programs from running. Also, ensure that access to your applications is granted on a need-to-know basis, and that leavers have their access rights removed quickly.
Ensure your applications are patched to protect against the latest threats, and ensure that your web browsers block add-ins such as Flash and Java, which are common entry points for malicious code.
Step 5: Backup regularly and test your DR capabilities
This won’t necessarily stop you being hacked, but it will help you recover should an incident occur. Having a robust backup strategy is vital in ensuring business continuity. The frequency depends on the needs of your organisation, but daily is usually a good starting point. It is equally important to test your backups regularly: a backup that has never been restored is an assumption, not a recovery plan.
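The "test your backup" point is the one most often skipped, so here is an added example (not from the article or from Moore Stephens) of what a restore test looks like in practice: take a manifest of file hashes at backup time, restore the archive into a scratch directory, and report anything missing or changed. The directory contents, file names and the "faulty backup job" scenario are all constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def tree_digests(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root (the restore manifest)."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzipped tar of `source` and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return tree_digests(source)


def restore_test(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and list every file that is missing or differs.
    An empty list means the backup can actually be restored, not merely that it exists."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses path traversal and device entries (Python 3.12+, backported)
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older interpreters without the filter argument
        restored = tree_digests(Path(scratch))
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"changed: {rel}")
    return problems


def run_demo() -> dict:
    """Constructed scenario: back up three files, prove the restore, then show a faulty copy failing."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "finance"
        (src / "ledger").mkdir(parents=True)
        (src / "creditors.csv").write_text("name,bsb,account\nAcme Pty Ltd,012-345,123456789\n")
        (src / "ledger" / "2019-q1.txt").write_text("constructed ledger data\n")
        (src / "notes.txt").write_text("backup policy: daily, restore test monthly\n")

        archive = work / "finance.tar.gz"
        manifest = create_backup(src, archive)
        clean = restore_test(archive, manifest)

        # Simulate a faulty backup job: one file dropped and another truncated before archiving.
        (src / "notes.txt").unlink()
        (src / "creditors.csv").write_text("name,bsb,account\n")
        bad_archive = work / "finance-bad.tar.gz"
        with tarfile.open(bad_archive, "w:gz") as tar:
            tar.add(src, arcname=".")
        faulty = restore_test(bad_archive, manifest)

    return {"clean": clean, "faulty": faulty}


if __name__ == "__main__":
    for label, problems in run_demo().items():
        print(label, "->", problems or "restore verified")
```

The manifest should be stored separately from the archive (and ideally signed), so that a backup which has been tampered with or silently corrupted cannot also carry a matching manifest. Scheduling `restore_test` as a recurring job turns "we have backups" into "we have checked we can restore".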
Step 6: Staff awareness
If you employ staff, then they are potentially the first line of defence against a cyber attack. It is therefore important to ensure they have the necessary (ongoing) training and awareness to spot a potential threat and to know what to do in the event of an attack.
The first and most basic step you can take is training your staff to challenge unusual email requests such as demands for payment and the changing or divulging of personal, banking or contractual details.
In each case, the first response must be to do nothing and to check directly with the legitimate source of the request (ideally by phone, as the source email account could be hacked). Your staff should be advised not to accept call-backs or excuses, and not to worry about feeling uncomfortable when challenging these types of requests.
Step 7: Network monitoring
Although the need in this space will vary depending on the size of your organisation, you will likely have a combination of on-premise and external infrastructure. Whatever the depth or split of your network configuration, being able to monitor your organisation’s applications and the incoming and outbound traffic is increasingly important.
In addition to monitoring, being able to actively protect your network and applications from attack is an increasing necessity.
Step 8: Update your T&Cs
Update your T&Cs with your clients so that a clear process for changes to key data points is in place. No changes should be made to any banking, contractual or personal details without them first being verified directly with nominated individual(s) from your organisation.
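The verification process described in Step 6 and formalised here in Step 8 can be written down as change control over the creditor master file. The following is an added example (not code from the article or from Moore Stephens) that encodes the three rules the text gives: an inbound request changes nothing until verified, the check-back call goes only to the number already on file (never to a number offered in the message), and only nominated individuals can apply the change. The vendor, phone numbers, BSB and account numbers and the two scenarios are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vendor:
    name: str
    bsb: str
    account: str
    phone_on_file: str                 # captured at onboarding, never taken from an inbound message
    nominated_approvers: frozenset     # the individuals named in the T&Cs for this vendor


@dataclass
class ChangeRequest:
    vendor: str
    new_bsb: str
    new_account: str
    channel: str                       # how it arrived, e.g. "email"
    contact_in_message: Optional[str]  # any "call me on" number the message itself offers
    callback_verified: bool = False
    status: str = "parked"
    audit: list = field(default_factory=list)


class VendorMasterFile:
    """Change control for creditor banking details: park, verify out of band, then approve."""

    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}

    def submit(self, req: ChangeRequest) -> ChangeRequest:
        # First response is to do nothing: the record is untouched, the request only enters a queue.
        req.audit.append(f"received via {req.channel}; parked, no change applied")
        return req

    def record_callback(self, req: ChangeRequest, number_dialled: str, vendor_confirmed: bool) -> bool:
        vendor = self.vendors[req.vendor]
        # The call must go to the number already on file. A number offered in the message,
        # or someone ringing back, proves nothing, because the sender may be the attacker.
        if number_dialled != vendor.phone_on_file:
            req.audit.append(f"callback to {number_dialled} not accepted: not the number on file")
            return False
        req.callback_verified = vendor_confirmed
        req.audit.append("callback to number on file: vendor "
                         + ("confirmed" if vendor_confirmed else "denied") + " the change")
        if not vendor_confirmed:
            req.status = "rejected"
        return vendor_confirmed

    def approve(self, req: ChangeRequest, approver: str) -> bool:
        vendor = self.vendors[req.vendor]
        if approver not in vendor.nominated_approvers:
            req.audit.append(f"approval by {approver} refused: not a nominated approver")
            return False
        if not req.callback_verified:
            req.audit.append(f"approval by {approver} refused: no verified callback")
            return False
        vendor.bsb, vendor.account = req.new_bsb, req.new_account
        req.status = "applied"
        req.audit.append(f"applied by {approver}")
        return True


def run_demo() -> dict:
    """Constructed scenario: the same emailed request handled wrongly, then correctly."""
    def fresh_file():
        return VendorMasterFile([Vendor("Acme Supplies", "012-345", "111222333",
                                        "+61 8 0000 0100", frozenset({"finance.manager"}))])

    def request():
        return ChangeRequest("Acme Supplies", "999-888", "777666555", "email", "+61 4 0000 0999")

    # Scenario 1: staff ring the number in the email, the "supplier" confirms, a clerk tries to
    # apply it, then the nominated approver tries too. Nothing should change.
    mf1, req1 = fresh_file(), request()
    mf1.submit(req1)
    mf1.record_callback(req1, req1.contact_in_message, vendor_confirmed=True)
    mf1.approve(req1, "helpful.clerk")
    mf1.approve(req1, "finance.manager")

    # Scenario 2: staff ring the number on file, the real supplier confirms, the nominated approver applies.
    mf2, req2 = fresh_file(), request()
    mf2.submit(req2)
    mf2.record_callback(req2, mf2.vendors["Acme Supplies"].phone_on_file, vendor_confirmed=True)
    mf2.approve(req2, "finance.manager")

    return {
        "wrong_number": {"status": req1.status, "bsb": mf1.vendors["Acme Supplies"].bsb, "audit": req1.audit},
        "number_on_file": {"status": req2.status, "bsb": mf2.vendors["Acme Supplies"].bsb, "audit": req2.audit},
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome["status"], outcome["bsb"])
        for line in outcome["audit"]:
            print("   ", line)
```

The audit list on each request is what an investigator or auditor would read after the event; keeping it is as much part of the control as the check itself. The same structure applies to changes of contact details, contractual terms or payment instructions, with the "number on file" replaced by whatever trusted channel was established at onboarding.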
Simon Cohen, Head of IT Consulting at Moore Stephens (WA), has over 20 years’ experience in the IT industry, spanning key areas of software development and support, project management, IT security, data centre upgrades, web performance, IT operations and building and expanding effective teams. He has delivered key strategic and technical solutions for global organisations such as PwC, UBS and Thomson Reuters and has managed teams spanning the US, UK, Poland, Singapore and India. Simon is also experienced in working with SMEs across various sectors to assess requirements against current practices and devise suitable strategies and practical solutions. He currently focuses on helping organisations in key areas of IT advisory and consulting: to protect themselves from risks such as cyber security, data protection and compliance; to optimise and grow through the appropriate blend of people, processes and technology; and to rescue or turn around a project, team or business. Simon has worked with and in many different types of organisations and is adept at cutting through the structural, political and cultural complexities in order to obtain the outcomes they desire. Contact Simon at firstname.lastname@example.org or connect via LinkedIn.