Cybersecurity March 22, 2017

Home office report: How much do you know about cyber crime?


How much do you know about cyber crime?

The answer: probably less than you think.

Travel organisation ABTA recently joined the likes of Tesco, Gmail, LinkedIn and Adobe in announcing a major cyber security breach – this time compromising the details of 43,000 customers. In 2016 alone, cybercrime cost UK businesses an estimated one billion pounds – a 22% increase on the previous year.

Future episodes like these appear certain, and it’s up to business owners to be vigilant, aware and prepared. But is the message getting through? According to the Home Office’s latest research into cyber crime (conducted by consultancy Britain Thinks for the Research, Information and Communications Unit), business owners are increasingly aware of cybercrime, but lack the knowledge to defend themselves against it.

This shortfall is down to a lack of clear messaging and guidance on the subject, says the report. Many even believe that victims of cybercrime are complicit in the act, having failed to educate and protect themselves against illegal activity. The fact is, without vigilance, cybercrime can affect any business.

So let’s clear up some of the confusion, and explain what practical steps you should take to keep yourself, your business and your customers safe – in plain English.

1. Know the threat

The report highlights the fact that while business owners have a general understanding of phishing attacks, terms such as malware and DDoS attacks are still widely misunderstood. Teach yourself how to spot, and defend yourself against, the common types of online crime.

Which? offers useful guides on fake, fraudulent and copy websites, phishing via email and spotting scams online. Visit Clarks for malware, Aabyss for DDoS attacks and TechRepublic on ransomware.

2. Always update mobile and desktop software

Hackers look to exploit vulnerabilities in software and apps. Protect yourself where possible by making sure you always have the latest version of any software or app installed, as these contain the security fixes for vulnerabilities that are already known to attackers. On most devices, it’s possible to have any new update downloaded and installed automatically, while your device is running or overnight. Click to find out how to turn on this setting on iOS and Android.

In their survey of 18 groups, the Research, Information and Communications Unit (RICU) found that although participants generally agreed that they need to keep software updated, it can be a time-consuming inconvenience: “It stops people from using their computer. It takes an hour to do and then you have to restart,” said one participant.

Updates may seem to appear at the worst possible time, but they happen for a reason. According to the blog superantispyware.com, more than 90% of software and operating system (OS) updates are there to patch security vulnerabilities in programs. Around 1.5 million pages on sites that had not applied a recent WordPress update, for instance, were defaced by attackers exploiting the vulnerability it fixed.

Our advice: An inconvenient 30 minutes is always preferable to a cyberattack. Make sure all programs are brought up to date as soon as updates become available, and turn on automatic updates wherever the option exists.

3. Only download apps from reputable app stores such as Google Play or the Apple App Store

Downloading and installing apps from other sources could expose your device to malware and other malicious software, putting your data at risk of being compromised.

For many surveyed, and likely many of you, too, Google Play and the Apple App Store are the default sources for apps. You may not be aware that apps can be downloaded from other sites. The truth is, there are many third-party app stores available, some reputable, some not. One such store, Haima for iOS, was popular due to its ease of use. However, it was highly vulnerable to cyber attack, and malicious code distributed through the store allowed malware to steal information from users.


Apps the way to do it: Only download apps from reputable sites

Despite the risk, some surveyed said they might still choose to download apps from outside the official stores when they think the risk is worth the reward – streaming football matches, for instance, or watching pirated movies. These kinds of apps are not permitted on either Google Play or the Apple App Store for good reason: they open up the business to the risk of attack.

Our advice: Make sure you and your staff use work laptops and phones solely for work purposes. If in any doubt about the reputation of an app store, err on the side of caution.

4. Use three random words to create a strong password

Most of us struggle to remember complex passwords and instead rely on easily-guessed alternatives. The three most popular passwords in 2016 were ‘123456’, ‘password’ and ‘12345678’.

As a common middle ground, we substitute numbers and special characters into something memorable, e.g. ‘pa55word!’, thinking this is safer. It is, but only marginally: this coping method is well known to hackers, whose cracking tools try exactly these substitutions against dictionaries of common words.

In their research, the Home Office found respondents were confused about what constituted a ‘good’ password.

Our advice: While numbers and symbols can be useful in a password, a string of three random words should provide adequate protection. Length does more for you than symbols: three words gives a password of 15 or more characters that is far harder to guess than a short word with a few characters swapped.

Make sure these words have nothing to do with your family, friends, or anything about your personal life shared on social media. Criminals will attempt to guess your password using what they can learn about your life and interests from social media and other public sources – a crude form of ‘social engineering’.

For even greater protection, use a password manager such as LastPass to generate and store truly random passwords – just don’t forget, or reuse, your master password.
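To show why the report’s three-random-words advice works, here is an added example (not from the Home Office report or this article) that generates such a password with the operating system’s secure random source and compares the size of the search space an attacker faces against a ‘pa55word!’-style substitution. The word list, the 7,776-word list size (the size of a standard Diceware list) and the attacker’s dictionary model are assumptions for the calculation, not figures from the page.

```python
import math
import secrets

# Constructed mini word list so the example runs offline.  A real generator
# would draw from a list of several thousand words; with N words to choose
# from, each independently chosen word adds log2(N) bits of entropy.
WORDS = ["river", "copper", "lantern", "velvet", "orbit", "cactus",
         "meadow", "pixel", "saddle", "thunder", "walnut", "harbour"]


def three_random_words(words=WORDS, count=3, sep=""):
    """Join `count` words chosen uniformly at random with a CSPRNG.

    `secrets.choice` is used rather than `random.choice`: the latter is a
    predictable generator that is not suitable for passwords.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits_words(list_size, count=3):
    """Entropy (bits) of `count` words chosen from a list of `list_size`."""
    return count * math.log2(list_size)


def mangled_dictionary_bits(dict_size=10_000, substitutable=4, trailing_symbols=33):
    """Rough entropy of a 'dictionary word + leet swaps + one symbol' password.

    Assumed attacker model: a 10,000-word dictionary, each of up to four
    letters either swapped (a->4, s->5, o->0, e->3) or not, and one of 33
    trailing punctuation characters.  That is what cracking tools' mangling
    rules actually search, as opposed to the naive 94^9 of a random string.
    """
    return math.log2(dict_size * (2 ** substitutable) * trailing_symbols)


def naive_charset_bits(charset_size=94, length=9):
    """What 'pa55word!' looks like if you wrongly assume it is random."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    print("example password:", three_random_words(sep="-"))
    print("three words from a 7,776-word list: %.1f bits" % entropy_bits_words(7776))
    print("'pa55word!' under mangling rules:    %.1f bits" % mangled_dictionary_bits())
    print("'pa55word!' if it were random:       %.1f bits" % naive_charset_bits())
```

The point of the comparison is that the substitution password only looks strong when you count characters; against the rules a cracking tool really applies it is a few million guesses, while three words from a modest list is tens of thousands of times more.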

5. Use a separate, strong password for your email account

On the subject of email, the report recommends using a separate, strong password for personal email accounts. Our email accounts act as the gateway to our other accounts: password-reset links for almost every other service land in the inbox, and it contains sensitive information in its own right. As such, it’s important to make your inbox secure using a three-word password or a password manager such as LastPass, as above.

Our advice: Even if you choose not to use a different password for every online account – which is sensible in itself – be sure to prioritise this one account.

6. Use two-step authentication for important accounts

Respondents in the study found this advice a little confusing: you don’t have control over which websites offer two-step verification.

Others were unclear about what two-step authentication means.

Two-factor (or ‘two-step’) authentication is something most of us have experienced when using online banking, online shopping, or setting up a Google account. It simply means having to provide a second proof of identity after entering a password – a fingerprint, a code texted to your phone, or a code generated by an authenticator app, for example. The idea is that a criminal who has stolen or guessed your password still cannot log in without also having your phone or your finger.

Our advice: Where two-step verification is available, use it. If a website or app that fails to offer two-factor authentication asks to process important information about you – such as making a payment or a bank transfer – exercise caution.

7. Keep your passwords secret

Good advice, and advice which the group surveyed found easy to understand. Email, social media and banking accounts contain personal data which – if stolen – can be used for identity theft and fraud.

Our advice: Do not share your passwords around the office, however tempting it is or however much you trust your colleagues. If you do have to reveal a password to a colleague, close friend or family member, change it once they have finished using it, and change any shared password when a member of staff leaves.

8. Use your smartphone’s in-built security features

Smartphone manufacturers are working hard to make modern devices more secure for users and harder for others to access. Most newer handsets will offer the option of a numerical passcode, a pattern lock or a fingerprint scanner. If you have the option, a fingerprint scanner backed by a strong passcode is the most convenient secure choice: the fingerprint handles everyday unlocking, and the passcode is what protects the device after a restart or when the sensor fails.

There was concern amongst those surveyed that fingerprint locks were inconvenient, but the technology has vastly improved over the last few years and it's quicker than ever to unlock. Devices can recognise fingerprints from both hands, at different angles, and even from the thumb which is generally more conducive to everyday mobile phone use.


Think smart: Phones hold an incredible amount of private data. Keep them secure

The point is, smartphones have incredibly powerful security features built in, designed to be as unobtrusive and convenient as possible. Even if it takes an extra couple of seconds to log in to your phone, the effort is worthwhile. Mobiles are more powerful than ever and hold increasingly vast amounts of personal and business data; it pays to protect it.

Our advice: Use the most comprehensive security features available on all your devices. Keep the software on your phones up-to-date by turning on automatic updates.

9. Use your laptop’s in-built security features

There were two pieces of solid advice put forward in the report.

  1. If your laptop or desktop uses Windows 8 or Mac OS X v10.6 (Snow Leopard) or later, it will come with a good range of security features already built in. Keeping these features turned on and your software up to date will help keep your devices secure.
  2. If your laptop or desktop isn’t able to run Windows 8 or Mac OS X v10.6 or later, you should consider installing security software to keep it secure.

Many in the survey group were confused by the terminology and unaware of what operating system they used and whether they use a later or earlier version. So let’s clear that up first.

If you use a Mac, here’s a list of operating systems and how you find out which you use.

If you use Windows, head here.

The second confusion was in point two, where the advice is that you should consider installing security software. Let’s be clear: you absolutely should install security software if your device isn’t automatically protected, and an operating system so old that it no longer receives security updates should be replaced rather than patched around. Here are some options for Mac and Windows users.

Our advice: Use the most comprehensive security features available on all your devices. If your device is unable to install or run the latest security update, you should consider installing after-market security software.

10. Back up your data to secure services

If your device is hacked or infected by malicious software – ransomware in particular – important data such as photos, emails or key documents may be deleted, encrypted or damaged beyond repair. Create a second copy of all important files on an external drive or a cloud-based storage service, and keep that copy disconnected or separately protected so that an infection on your machine cannot reach it too.

There was some concern and confusion from those surveyed about the safety of cloud storage -  particularly following a spate of high-profile attacks - and about who holds the data, too. Essentially, is it safe?

Firstly, what is the cloud? It’s essentially outsourcing the storage of your data to an external company. Building data centres within your business is expensive; using the cloud reduces the infrastructure your business and IT department have to run themselves.

So, is it safe? Cloud storage providers are starkly aware of their responsibility to end users. According to the BBC, Amazon Web Services (the world’s biggest public cloud platform) has over 1,800 security controls governing its services – likely far more than your business applies to its own systems. Customers can control their own encryption keys and set the rules for who can and can’t access data.


Cloud nine: Cloud storage might not stop cyber attacks, but it provides vital back up for your data

This is important to note: although the data is stored externally, it’s still your responsibility to make sure it’s well protected using a strong password, managing sharing settings and restricting access within the business: financial information or HR documents should not be available to all, for instance.

So, what about those high profile cyberattack cases? Well, according to Amichai Shulman, chief technology officer of cybersecurity firm, Imperva, most of the major data breaches that have taken place over the last five years, from Sony to Ashley Madison, TalkTalk to Target, have been from internal, not cloud-based, databases.

Our advice: Backing up will not prevent you from being attacked online, but it will lessen the impact if you do fall victim to cybercrime. Your important documents should be backed up in the cloud; for maximum security, protect the cloud account with a strong password and two-step verification, and encrypt the back-ups themselves.

11. Shop on secure websites

What does a secure website look like? Look for web addresses which start with ‘https’ rather than ‘http’. This means the connection between your browser and the site is encrypted, so anyone sitting on the network in between cannot read or alter what you send. Note what it does not mean: ‘https’ says nothing about whether the site itself is honest, and fraudulent sites can use it too, so check that the address is the one you expect.

Additionally, make sure all payment pages feature a padlock icon in the address bar of your browser, even if you’re redirected to a secondary payment site like Paypal. Don’t trust unsecured sites for the sake of a discount or exceptional offer – something many survey respondents said they had done in the past.

This tip protects your data – including your banking data – from being intercepted and stolen in transit when you’re making a payment online.

Our advice: Only shop on sites whose address begins ‘https’ and shows a padlock on the payment page, and make sure the address itself belongs to the retailer you intended to buy from.

12. Don’t click on suspicious links

Again, the advice put forward in the report was solid, but not without some confusion around terminology.

‘Suspicious links’ can be identified and dealt with in several ways:

  • Never open attachments or click links in emails from people or organisations you don’t know.
  • Never respond to emails or text messages asking for personal or financial details.
  • Never log in to an online account by clicking on the links in an email or text. Instead, search for the website yourself.
  • If a message from a known sender is unexpected or unusual, do not reply. Instead, contact the sender via an alternative method to check whether they sent the message. Their email address may have been ‘spoofed’.
  • If you suspect an email may be a scam, do not reply to the sender. Instead, flag the email as ‘spam’ or ‘phishing’; your email provider is then notified and can take action against the sender.

The word ‘spoofed’ was unfamiliar territory for many business owners. Simply, ‘spoofing’ is when a hacker or program successfully masquerades as someone else by falsifying data – in email, by forging the sender’s name or address. So, for instance, you might get an email that appears to come from your bank.

The email might be branded as Nationwide and the sender’s address might look legitimate, but the request will seem jarring, often asking for your bank account number and sort code or some other personal details. It’s the digital equivalent of knock-off clothing, but with much more serious consequences.
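The checks in the list above can be applied mechanically to a message before anyone clicks. The following is an added example, not from the report or this article, that takes a raw email and reports the warning signs the section describes: a display name claiming a brand the sending domain does not belong to, a Reply-To that goes elsewhere, an authentication failure recorded by the receiving mail server, link text that shows one address while the link points to another, and a request for bank details. The two emails, the ‘known brands’ table and the domain names ending in .example are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: brand names and the domains they genuinely send from.
# A real deployment lists the organisations you actually deal with.
KNOWN_BRANDS = {"nationwide": ("nationwide.co.uk",)}

# Phrases a genuine organisation does not ask for by email.
SENSITIVE_REQUESTS = ("sort code", "account number", "password")

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def belongs_to(host, domains):
    """True if `host` is one of `domains` or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_email(raw):
    """Return a list of warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display name claims a brand, but the address is not that brand's.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower() and not belongs_to(from_domain, domains):
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")

    # 2. Replies are routed somewhere other than the apparent sender.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. The receiving server recorded an SPF/DKIM/DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} check failed at receiving server")

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""

    # 4. Link text shows one host while the href points at another, or is not https.
    for href, text in LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
        if not href.lower().startswith("https://"):
            findings.append(f"link to {href_host} is not https")

    # 5. The message asks for credentials or bank details.
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    asked = [p for p in SENSITIVE_REQUESTS if p in plain]
    if asked:
        findings.append("asks for " + ", ".join(asked))
    return findings


# Constructed spoof: brand in the display name, look-alike sending domain,
# mismatched link text, and a request for bank details.
SPOOF = """\
From: Nationwide Building Society <alerts@nationwide-secure-update.example>
Reply-To: verify@mail-verify.example
To: owner@smallbusiness.example
Subject: Urgent: confirm your account details
Authentication-Results: mx.example; spf=fail smtp.mailfrom=nationwide-secure-update.example
Content-Type: text/html; charset=utf-8

<p>Please confirm your sort code and account number at
<a href="http://nationwide-secure-update.example/login">https://www.nationwide.co.uk/login</a>
within 24 hours.</p>
"""

# Constructed genuine-looking message from the real domain for comparison.
BENIGN = """\
From: Nationwide Building Society <alerts@nationwide.co.uk>
To: owner@smallbusiness.example
Subject: Your monthly statement is ready
Authentication-Results: mx.example; spf=pass dkim=pass dmarc=pass
Content-Type: text/html; charset=utf-8

<p>Your statement is available in online banking. See
<a href="https://www.nationwide.co.uk/help">our help pages</a> if you have questions.</p>
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF), ("benign", BENIGN)):
        print(name, "->", check_email(raw) or ["no warning signs"])
```

None of these checks proves an email is malicious on its own, and a message can pass all of them and still be a scam, which is why the report’s advice to contact the sender by another route still stands.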

Our advice: If an email request sounds or looks off, take precautions: don’t click, and check with the sender by another route.

13. Secure your personal Wi-Fi with a password

You might think your home router with its seemingly random array of letters as a password key is secure, but software bugs in internet routers are more common than you might think. The biggest players in home broadband often rely on old router technology, which can be riddled with security flaws and are rarely updated to meet our security needs.

Changing the password for your home or business Wi-Fi network is important for more than preventing your neighbours ‘stealing’ your data allowance. Hackers can easily intercept data over unsecured networks.

Our advice: Be sure to change the default Wi-Fi password (and the router’s own administrator password) from the ones it shipped with, and make sure the network uses WPA2 encryption rather than the older WEP. Advise remote workers to check theirs, too. Router instruction manuals will include details on how to make these changes.

14. Never use public Wi-Fi to transfer personal information

This point was well understood and received by the participants in the survey.

Our advice: When you use a Wi-Fi network supplied by a café, airport or otherwise, never transfer personal or sensitive detail that could be used against you – such as banking information or email logins. Public Wi-Fi networks may be insecure, enabling hackers to access your data. This guideline applies even if you only intend to visit secure websites – those with a padlock icon in the address bar.

Arming yourself and your business against cybercrime in the ways above should be considered an ongoing exercise: an issue to be regularly reviewed as online scams and fraud become more sophisticated. Not doing so could cost your business dearly.


Photo credits:

Justice scales:

iPhone 7 via Wikimedia Commons

Computer storage Rasha AL-Drawasheh (Own work) CC BY-SA 4.0, via Wikimedia Commons
