As accountants, we encourage our clients to be smart with their money. We advise them on how to spend it, how to save it, how to invest it, how to administer it…and how much of it to hand over to the tax man.
But in this digital age when we tend to manage our money at the tap of a phone or the click of a mouse, accountants also need to encourage clients to be safe with their money. Cybercrime is a huge problem for businesses of all sizes, from one-man operators to global multi-nationals.
It’s estimated that cybercrime costs the UK economy £15bn a year, with the average cost of a cyberattack on an SME – a lucrative target for hackers who see the supply chain as an easy route to larger organisations – put at £6,500.
If you think that cyber criminals are unlikely to seek out your business, then you’ve been misled. According to a recent survey of SMEs, a quarter of those businesses polled admitted they had been the victim of cybercrime in one guise or another.
Cybercrime is any criminal act in relation to IT, computers and networks – so instances of online or electronic trickery to gain dishonest financial advantage are described as cyber fraud. It is conducted in many ways and, contrary to what you might believe, hacking isn’t always the most prevalent form. It’s more likely that your business – or indeed your employees – might fall victim to social engineering.
Cyber criminals use social engineering not to attack your networks directly, but to get people within your organisation to help them gain access unwittingly. Con artists in the real world are able to commit crimes by gaining the trust of their victims – think of all the terrible stories you may have heard about elderly people being robbed after letting a con man in to do an electricity meter reading – and it’s no different in the virtual world.
Social engineering is the art of manipulating people to give up confidential information such as passwords, bank details or other commercially sensitive data. Put simply, it’s much easier for cyber criminals to exploit human nature to trust than it is to put time and effort into hacking your network.
Online fraudsters are renowned for using phishing scams to extract the information they need. More often than not, it will come in the form of an email purporting to be from a legitimate business contact or government agency such as HMRC: the recipient may be encouraged to click on a link or open an attachment which contains malicious software designed to give access to your network…and all the passwords they need for banks and other online platforms.
Variations on phishing include vishing – whereby a criminal will impersonate a member of bank staff over the phone and request sensitive information – and smishing where they will send a text message containing a link which then infects the user’s phone.
Anyone can be impersonated – and I don’t mean by copying their accent or mannerisms. The amount of information floating around on the internet, whether in LinkedIn profiles, company websites or other public records, makes it easy for criminals to imitate senior managers, directors, and even your customers, on email. Be suspicious of any email coming out of the blue that requests payment, bank details or any other information that would not usually be exchanged electronically. Look carefully: while the email address may seem legitimate, there will usually be a subtle difference such as additional letters or capitals in place of lower case.
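As an added illustration of the "look carefully at the address" advice (constructed here, not code from the original article), the Python below pulls the domain out of a From: header, normalises its case, and compares it against a small allow-list, flagging domains that embed a trusted name or differ from one by only a character or two. The trusted domains, the sample headers and the 0.8 similarity threshold are all assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of domains this business legitimately corresponds with (assumption).
TRUSTED_DOMAINS = ("hmrc.gov.uk", "examplebank.co.uk", "acme-supplies.com")

# Constructed sample From: headers, as they might appear in a mailbox.
SAMPLE_FROM_HEADERS = [
    "HMRC Refunds <noreply@HMRC.gov.uk>",                               # genuine; only the case differs
    "HMRC Refunds <noreply@hmrc-gov.uk>",                               # a hyphen where a dot should be
    "Accounts <payments@hrnrc.gov.uk>",                                 # 'rn' standing in for 'm'
    "Acme Supplies <invoices@acme-supplies.com.example-secure.net>",    # trusted name buried in another domain
    "Newsletter <news@example.org>",                                    # unrelated sender
]

_ADDR_RE = re.compile(r"([^\s<>@]+)@([^\s<>]+)>?\s*$")

def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain from a From: header.
    Mail domains are case-insensitive, so 'HMRC.gov.uk' and 'hmrc.gov.uk' are the same sender;
    lowering the case removes the capitals-for-lower-case trick from the comparison."""
    m = _ADDR_RE.search(from_header)
    if not m:
        raise ValueError(f"no e-mail address found in {from_header!r}")
    return m.group(2).lower().rstrip(".")

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, threshold=0.8) -> str:
    """'trusted' if the domain is on the allow-list, 'lookalike' if it embeds a trusted
    name or is nearly identical to one (extra or swapped letters), otherwise 'unknown'."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        brand = good.split(".")[0]   # first label as the 'brand', e.g. 'hmrc' (simplifying assumption)
        if brand in domain:
            return "lookalike"
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return "lookalike"
    return "unknown"

def scan(headers):
    """Classify each header; anything not 'trusted' warrants a phone call before any money moves."""
    return [(h, classify_sender(h)) for h in headers]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9s} {header}")
```

A check like this only covers the visible address; a genuine account that has itself been compromised will pass it, which is why the article's advice to confirm payment requests out of band still applies.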
Unless you have the same password for absolutely every online platform or electronic device, then the chances are that you are not going to remember all of them. The worst thing you can possibly do, however, is write them down and keep them in the vicinity of your desk where prying eyes – delivery people, cleaners, and even customers – might be able to see them. The same goes for USB sticks which may be left lying around: never insert one into your PC, as you simply don’t know if it contains malicious software.
Although technology has opened up a whole new way for criminals to target people, it has many benefits too. Without it, we’d all be tied to our office desks and unable to work on the go whether it’s on the train or in a coffee shop. But be wary of using public Wi-Fi as hackers use spoofing to impersonate a trusted source, such as the wireless network in your favourite café. Connect to their device instead of the bona fide network and you’re giving them an open invitation to help themselves to confidential information on your phone or laptop.
Just as staff can be the weakest link, they can also be the best defence against fraudsters. You should have regular team meetings and briefings to keep them aware of tactics cyber criminals use and ask them to be vigilant about suspicious activity. Businesses often use ethical hackers to test the robustness of their IT systems, and now some even use ethical phishing campaigns to test staff response.
If you are serious about your organisation’s cyber health and protecting its financial position, then there is no better time than now to take action. Scottish Enterprise is currently offering vouchers of up to £1,000 to help cover the costs of working towards Cyber Essentials accreditation. This certification tests your organisation’s resilience to common cyber threats – and gaining the badge will reassure your customers and suppliers that you’re committed to keeping their data safe.