You, the CEO of a small business, are under attack. Right now, extremely dangerous and well-funded cybercrime rings around the world are using sophisticated software systems to hack into thousands of small businesses like yours to steal credit cards, client information, and swindle money directly out of your bank account.
Don’t think you’re in danger because you’re “small” and not a big target like Kmart, David Jones, Aussie Farmers Direct or Ashley Madison? Think again. 82,000 NEW malware threats are being released every single day, and half of the cyber-attacks occurring are aimed at small businesses. You just don’t hear about these attacks for two reasons. First, they don’t make the news; the news wants to focus on BIG stories. Second, most small businesses don’t know they’ve been hacked, or don’t report it as they should because they’re embarrassed or afraid of the legal and reputational consequences.
According to www.staysmartonline.gov.au –
- 30% of Australian small business had experienced a cyber-crime incident in the last year,
- 109% more security incidents were detected in Australia in 2015 compared to 2014, and
- 63% of confirmed data breaches involved weak, default or stolen passwords.
These statistics are growing rapidly as more businesses utilize cloud computing and mobile devices and store more information online. You can’t turn on the TV or read a newspaper without learning about the latest online data breach, and government fines and regulatory agencies are growing in number and severity. Quite simply, most small businesses are low-hanging fruit to hackers due to their lack of adequate security systems.
I do realize that the above statements may come across as “fearmongering” and may upset you. That is not my intent.
As the CEO of an IT support company that works day and night to protect our clients from these attacks – and who sees, on a regular basis, hardworking entrepreneurs like you being financially devastated by these lawless scumbags – I am determined to WARN as many businesses as possible of the VERY REAL threats facing their organization so they have a chance to protect themselves and everything they’ve worked so hard to achieve.
However, the biggest danger to your business today is complacency around security. To quote Andrew Grove, former CEO of Intel – “Success breeds complacency. Complacency breeds failure. Only the paranoid survive.”
Success in the context of your security is that you might not have been attacked YET – or if you were compromised, the consequences weren’t significant. Therefore, because of your ‘success’ in not being a target YET, you’ve become complacent about security measures in your organization.
Unfortunately, it is only a matter of time before you have some form of a data breach.
Because of all of this, it’s critical that you protect your business from these 10 ways that Cybercriminals get into your IT systems.
- They Take Advantage of Poorly Trained Employees. The #1 vulnerability for business networks is the employees using them. It’s extremely common for an employee to infect an entire network by opening and clicking a phishing e-mail (that’s an e-mail cleverly designed to look like a legitimate e-mail from a web site or vendor you trust). If they don’t know how to spot infected e-mails or online scams, they could compromise your entire network.
- They Exploit Device Usage Outside Of Company Business. You must maintain an Acceptable Use Policy that outlines how employees are permitted to use company-owned PCs, devices, software, Internet access and e-mail. I strongly recommend putting a policy in place that limits the web sites employees can access with work devices and Internet connectivity. Further, you have to enforce your policy with content-filtering software and firewalls. Having this type of policy is particularly important if your employees are using their own personal devices to access company e-mail and data.
If an employee is checking unregulated, personal e-mail on their own laptop and that infects the laptop, it can be a gateway for a hacker to enter YOUR network. If that employee leaves, are you allowed to erase company data from their phone? If their phone is lost or stolen, are you permitted to remotely wipe the device – which would delete all of that employee’s photos, videos, texts, etc. – to ensure YOUR clients’ information isn’t compromised?
Further, if the data in your organization is highly sensitive, such as credit card information, financial information and the like, you may not be legally permitted to allow employees to access it on devices that are not secured; but that doesn’t mean an employee might not innocently “take work home.” If it’s a company-owned device, you need to detail what an employee can or cannot do with that device.
- They Take Advantage Of WEAK Password Policies. Passwords should be at least 8 characters and contain lowercase and uppercase letters, symbols and at least one number. On a mobile phone, requiring a passcode to be entered will go a long way toward preventing a stolen device from being compromised. Again, this can be ENFORCED by your network administrator so employees don’t get lazy and choose easy-to-guess passwords, putting your organization at risk.
- They Attack Networks That Are Not Properly Patched With The Latest Security Updates. New vulnerabilities are frequently found in common software programs you are using, such as Microsoft Office; therefore, it’s critical you patch and update your systems frequently. If you’re under a managed IT plan, this can all be automated for you so you don’t have to worry about missing an important update.
- They Attack Networks With No Backups Or Simple Single Location Backups. Simply having a solid, reliable backup can foil some of the most aggressive (and new) ransomware attacks, where a hacker locks up your files and holds them ransom until you pay a fee. If your files are backed up, you don’t have to pay a criminal to get them back. A good backup will also protect you against an employee accidentally (or intentionally!) deleting or overwriting files, natural disasters, fire, water damage, hardware failures and a host of other data-erasing disasters. Again, your backups should be AUTOMATED and monitored; the worst time to test your backup is when you desperately need it to work!
- They Exploit Networks With Employee Installed Software. One of the fastest ways cybercriminals access networks is by duping unsuspecting users to willfully download malicious software by embedding it within downloadable files, games or other “innocent”-looking apps. This can largely be prevented with a good firewall and employee training and monitoring.
- They Attack Inadequate Firewalls. A firewall acts as the frontline defense against hackers, blocking everything you haven’t specifically allowed to enter (or leave) your computer network. But all firewalls need monitoring and maintenance, just like all devices on your network. This too should be done by your IT person or company as part of their regular, routine maintenance.
- They Attack Your Devices When You’re Off The Office Network. It’s not uncommon for hackers to set up fake clones of public WiFi access points to try and get you to connect to THEIR WiFi instead of the legitimate, safe public one being made available to you. Therefore, NEVER access financial or other sensitive data while on public WiFi. Also, don’t shop online and enter your credit card information unless you’re absolutely certain the connection point you’re on is safe and secure.
- They Use Phishing E-mails To Fool You Into Thinking That You’re Visiting A Legitimate Web Site. A phishing e-mail is a bogus e-mail that is carefully designed to look like a legitimate request (or attached file) from a site you trust in an effort to get you to willingly give up your login information to a particular web site or to click and download a virus.
Often these e-mails look 100% legitimate and show up in the form of a PDF (scanned document) or a UPS or FedEx tracking number, bank letter, Facebook alert, bank notification, etc. That’s what makes these so dangerous – they LOOK exactly like a legitimate e-mail.
- They Use Social Engineering And Pretend To Be You. This is a basic 21st-century tactic. Hackers pretend to be you to reset your passwords. In 2009, social engineers posed as Coca-Cola’s CEO, persuading an exec to open an e-mail with software that infiltrated the network. In another scenario, hackers pretended to be a popular online blogger and got Apple to reset the author’s iCloud password.
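The password rule in point 3 above (at least 8 characters, with lowercase, uppercase, a symbol and a number), written out as a checker a network administrator could run before accepting a new password. This is an added example, not code from the article or from Technology For Accountants. Going slightly beyond the text, it also rejects passwords built on a handful of known default passwords, since weak, default or stolen passwords account for so many of the confirmed breaches cited above; the deny-list here is a small constructed sample standing in for a real list.

```python
import re
import string

# Minimum length stated in the article's password policy.
MIN_LENGTH = 8

# Constructed sample deny-list of common default passwords (an assumption for
# this example; a real deployment would load a much larger published list).
DEFAULT_PASSWORDS = {"password", "admin", "welcome1", "changeme", "letmein", "12345678"}


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Strip trailing digits and symbols so that "Password1!" is still recognised
    # as the default word "password" with decoration bolted on.
    core = re.sub(r"[\d\W_]+$", "", password).lower()
    if core in DEFAULT_PASSWORDS or password.lower() in DEFAULT_PASSWORDS:
        problems.append("based on a known default password")
    return problems


def is_compliant(password: str) -> bool:
    """True when the password meets every rule and is not a decorated default."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password1!", "welcome1", "Ab1!"):
        verdict = "OK" if is_compliant(candidate) else ", ".join(check_password(candidate))
        print(f"{candidate!r}: {verdict}")
```

The deny-list check matters because a string such as "Password1!" satisfies every character-class rule in the policy yet is one of the first guesses any attacker tries; complexity rules alone do not catch it.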
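Point 5 above says backups should be automated and monitored rather than tested for the first time in an emergency. The following added example (not from the article or from the author's company) shows one way to make that check routine: it copies a sample file tree to a backup location, records a SHA-256 manifest alongside it, and then verifies the copy against the manifest, reporting missing and altered files. The sample files and paths are constructed for the demonstration; the `demo()` function deliberately damages the backup copy afterwards to show that the check catches it.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample data standing in for a small firm's file share (not from the article).
SAMPLE_FILES = {
    "clients/acme/2016-return.txt": "placeholder return content",
    "clients/acme/notes.txt": "meeting notes",
    "payroll/june.csv": "employee,amount\nA,1000\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> Path:
    """Copy the tree and store a manifest beside it, so later checks need no access to the source."""
    shutil.copytree(source, dest / "data")
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
    return manifest_path


def verify_backup(dest: Path) -> dict:
    """Compare the backed-up copy against its manifest and return a report."""
    expected = json.loads((dest / "manifest.json").read_text())
    actual = build_manifest(dest / "data")
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    unexpected = sorted(set(actual) - set(expected))
    return {
        "ok": not (missing or corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
    }


def demo() -> tuple:
    """Create sample data, back it up, verify, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "share"
        for rel, content in SAMPLE_FILES.items():
            target = src / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        dst = Path(tmp) / "backup"
        dst.mkdir()
        backup(src, dst)
        clean = verify_backup(dst)
        # Simulate silent corruption of one file and loss of another in the backup copy.
        (dst / "data" / "payroll" / "june.csv").write_text("garbage")
        (dst / "data" / "clients" / "acme" / "notes.txt").unlink()
        damaged = verify_backup(dst)
    return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup:", before)
    print("damaged backup:", after)
```

Scheduling `verify_backup` to run after every backup job, and alerting when `ok` is false, turns the article's advice into a monitored control: a backup that has quietly rotted or been tampered with is discovered on the day it happens rather than on the day it is needed.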
There is no silver bullet that offers 100% protection when online, and you have both a professional and a legal responsibility to protect your clients’ personal data and information.
As per the Privacy Act, you must take all reasonable steps to safeguard Tax File Numbers (TFNs) from loss, unauthorized access, use, modification, disclosure or other misuse, whether the information is stored in physical or electronic form (including your IT system and your cloud applications). Current draft changes from the Tax Practitioners Board also state that you are ultimately responsible for your clients’ information no matter where you store it and how it is accessed.
At the end of the day, you (and your team) are at the center of security, and you need to get serious about protecting your business against cybercrime.
Iain Enticott is the director of Technology For Accountants, an IT Support and Services provider that works exclusively with Accounting Firms. Iain is dedicated to helping Accounting Firms enjoy Stress Free IT, by delivering IT Support and Solutions that just plain work. For more information, visit www.technologyforaccountants.com.au