Cyber-security

Cyber security may sound like a technical problem, but, as we saw recently with the NHS attacks, preventing it is a management challenge.

It starts with carrying out a risk assessment and answering questions such as: ‘How would our business cope if we came in one morning and our computers didn’t operate?’ and ‘What is our backup plan, and who could we rely on to help us fix it if we had an attack?’

When you have a grip on your operations, remember that your business also has a responsibility to staff and customers to secure the data they use in the organisation. The Data Protection Act requires that personal data be secured and used appropriately.

Why should you do this? Because the threats from cyber criminals, hackers and identity theft are very real. When you understand the extent to which your business could be affected and what it could cost you, it becomes easier to justify the resources you need to put in place now to prevent it.

Computer security for small businesses should be multi-layered, using desktop security products such as anti-virus, anti-spam and firewalls; network intrusion detection; and hardware technologies such as security tokens, disk encryption and biometric fingerprint recognition.

But above all, it is about management. Define a security policy and train your staff on it, including: using strong passwords that include numbers and letters; not sharing or displaying passwords; and only opening email attachments from reliable sources. Encourage your staff to use the web responsibly and to stay vigilant when outsiders are in the office. Monitor access to the network, including memory sticks and other plug-in devices, which can be used to steal company information.

Protecting your business against phishing, vishing and smishing
  • Be cautious of how much information you reveal about your company via social media platforms
  • Do not assume a caller is genuine because they know information about you or your company – fraudsters are skilled in collecting enough information to sound convincing
  • Do not open emails that you suspect could be spam
  • Never enter any personal or security information on a site accessed through a link in an email
  • Never open attachments from senders you are unsure of
  • Be cautious of callers who attempt to gain information from you, for example “I want to check a payment you made today” rather than “I want to check a payment of £5,000 you made today in favour of XYZ Ltd”. The former may be trying to get you to divulge information that can be used against you later
  • If you are suspicious, terminate the call
  • When ringing back to verify the contact, use your usual contact number, not one provided in the suspect correspondence
  • On sites that require you to input sensitive information, look for “https” in the website address – the “S” stands for “secure”
  • Ensure there is a padlock symbol in the URL address bar – this shows that your connection to the site is encrypted
  • Remember that your bank may ask you for some information, but will never ask for your full password or PIN, provide you with details to make a payment, or request that you grant them access to your systems or PC
  • Familiarise yourself with what your bank will and won’t ask you if they wish to verify payments

Protecting your business against invoice fraud
  • Make your staff aware of this threat
  • Check notifications and invoices received carefully to see if the document looks like a counterfeit
  • Check that the email address the message comes from does not look odd, such as ending in “.org” when it should end in “.com”
  • Always call your supplier, using contact details you have on file (not those supplied in the message, which may belong to the fraudster), to confirm any changes before effecting them. Ensure that you validate the exact bank detail changes you should be making, in full
  • Consider setting up single points of contact with the companies you pay regularly
  • Consider adopting dual control procedures for any changes in payment information
  • Use technology that matches invoices against purchase orders and flags any rogue invoices
  • Regularly conduct audits on your accounts
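The checks in the list above (sender domain, changed bank details, matching against a purchase order) can be applied consistently if they are written down as code. The following is an added illustration, not part of the original article and not a CLA or Ilicomm tool: it screens an incoming invoice against the supplier record held on file and returns the reasons it needs manual verification. The supplier record, the invoices and the `screen_invoice` function are constructed for this example.

```python
"""Invoice fraud screening: encodes the manual checks as code.

Added illustration (not part of the original article, not a CLA or Ilicomm
tool).  Supplier records and sample invoices are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Supplier:
    name: str
    email_domain: str                       # domain on file for the supplier
    account_number: str                     # bank details on file
    sort_code: str
    open_purchase_orders: Dict[str, float] = field(default_factory=dict)  # PO number -> amount (GBP)


@dataclass(frozen=True)
class Invoice:
    supplier_name: str
    sender_email: str
    account_number: str
    sort_code: str
    purchase_order: Optional[str]
    amount: float


def _registered_name(domain: str) -> str:
    """'xyz-ltd.com' -> 'xyz-ltd' (everything before the final dot)."""
    return domain.rsplit(".", 1)[0]


def screen_invoice(invoice: Invoice, suppliers_on_file: Dict[str, Supplier]) -> List[str]:
    """Return the reasons this invoice needs manual verification.

    An empty list means every automated check passed.  It does not replace
    the call-back to the supplier on the number already held on file.
    """
    flags: List[str] = []
    supplier = suppliers_on_file.get(invoice.supplier_name)
    if supplier is None:
        return ["unknown supplier: not on file"]

    # 1. Sender domain: the '.org instead of .com' case from the checklist.
    sender_domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    domain_on_file = supplier.email_domain.lower()
    if sender_domain != domain_on_file:
        if _registered_name(sender_domain) == _registered_name(domain_on_file):
            flags.append(f"sender domain {sender_domain} is a lookalike of {domain_on_file}")
        else:
            flags.append(f"sender domain {sender_domain} does not match {domain_on_file} on file")

    # 2. Bank details: any change must be confirmed by phone under dual control.
    if (invoice.account_number, invoice.sort_code) != (supplier.account_number, supplier.sort_code):
        flags.append("bank details differ from those on file: confirm by phone before changing")

    # 3. Purchase order matching: no PO, unknown PO or wrong amount is a rogue invoice.
    if invoice.purchase_order is None:
        flags.append("no purchase order quoted")
    elif invoice.purchase_order not in supplier.open_purchase_orders:
        flags.append(f"purchase order {invoice.purchase_order} not found among open orders")
    else:
        expected = supplier.open_purchase_orders[invoice.purchase_order]
        if abs(expected - invoice.amount) > 0.005:
            flags.append(f"amount {invoice.amount:.2f} does not match PO {invoice.purchase_order} ({expected:.2f})")
    return flags


# Constructed sample data: a supplier on file and two incoming invoices.
SUPPLIERS = {
    "XYZ Ltd": Supplier(
        name="XYZ Ltd",
        email_domain="xyz-ltd.com",
        account_number="12345678",
        sort_code="12-34-56",
        open_purchase_orders={"PO-1001": 5000.00},
    ),
}
GENUINE_INVOICE = Invoice("XYZ Ltd", "accounts@xyz-ltd.com", "12345678", "12-34-56", "PO-1001", 5000.00)
SUSPECT_INVOICE = Invoice("XYZ Ltd", "accounts@xyz-ltd.org", "87654321", "65-43-21", "PO-1001", 5000.00)

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE_INVOICE), ("suspect", SUSPECT_INVOICE)):
        print(label, screen_invoice(inv, SUPPLIERS) or ["ok"])
```

The suspect invoice is flagged twice: the sender domain shares its name with the real supplier but uses a different ending, and the bank details differ from those on file. Either flag alone should stop the payment until the supplier has confirmed the change on a number taken from your own records.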

Cyber risk insurance
Insurance is an essential part of your cyber security strategy: it helps you recover quickly after a breach and covers the costs involved, such as:
  • Bringing in experts to support your team
  • Managing any negative press coverage and crisis containment
  • Third party liability
  • Repairing and restoring systems following an attack
  • Extortion costs you may have to pay following a ransomware demand
  • Legal advice
  • Business interruption costs

Vulnerability assessment – preventing an attack before it happens
CLA have partnered with cyber security specialists Ilicomm, who can offer a vulnerability assessment.

Their vulnerability assessment programme will not only reveal as-yet-undiagnosed problems, but will also highlight weaknesses and recommend the specific technical controls required to mitigate the risk to an acceptable level.

To find out more about cyber security and how to protect your business please call, or request a call back and one of our account executives will contact you.