The Digital Dangers & How You Can Avoid Them
We spotted this ICAEW article recently, which reminds us of the many risks posed by cybercriminals and how we can mitigate them. It’s important not to become complacent, particularly as working practices might be slightly different than usual.
It’s a sad fact that criminals thrive in times of uncertainty and fear, and there’s already been a spike in cyber attacks related to the coronavirus outbreak. With so many employees now working at home, often using new unfamiliar apps, companies need to be especially vigilant regarding cyber threats. So here is a quick reminder of some basic good practices and some useful resources to share with staff.
Spike in new cyber attacks
The National Cyber Security Centre (NCSC) has reported an increase in phishing attempts which refer directly to the coronavirus. These emails often encourage users to click on links to fake websites, leading to malware of some kind being downloaded onto the user's device.
For example, there was a wave of emails which purported to come from the World Health Organisation related to coronavirus. There are also reports of an increase in emails pretending to come from IT service desks about remote working or access, which again encourage users to click on links or provide authentication information to criminals. Specific sectors are being targeted: attacks on the US healthcare agency were reported last week, and healthcare is among the sectors under particular attack.
At the same time as these new attacks, many organisations have opened up new vulnerabilities in their sudden switch to home working. Staff may be using unfamiliar apps and bypassing controls in order to be able to work effectively. They are also likely to be stressed and worried and may not think about cybersecurity.
Get the basics right
There are lots of simple guides to help small and medium-sized organisations focus on the most important steps, including ICAEW's 10 steps to cybersecurity for smaller firms and the NCSC’s Small Business Guide to Cyber Security.
Some of the key points to focus on at this point are:
- Keep software and anti-malware protection up-to-date and install patches as soon as they are made available. This helps to reduce vulnerability to attackers, as they often target unpatched systems. It also ensures that you have protection against the latest viruses.
- Maintain strong access control; password discipline is essential. Two-factor authentication (2FA) is advised for important accounts or data, but following good practices around passwords is always essential. This includes having strong passwords or passphrases, changing default passwords and not reusing passwords.
- Back up your data and test your processes. This is critical to protect against ransomware attacks in particular, where data is encrypted by criminals who demand payment for unencrypting it.
Help users to be vigilant
At the moment, staff should be vigilant when looking at emails and clicking on links. Phishing emails can be very convincing and professional-looking but there are some key things to look out for. The NCSC guidance gives the following general tips around phishing emails:
- Many phishing emails have poor grammar, punctuation and spelling.
- Is the design and overall quality what you'd expect from the organisation the email is supposed to come from?
- Is it addressed to you by name, or does it refer to 'valued customer', or 'friend', or 'colleague'? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
- Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately'.
- Look at the sender's name. Does it sound legitimate, or is it trying to mimic someone you know?
- If it sounds too good to be true, it probably is. It's most unlikely that someone will want to give you money or give you access to a secret part of the Internet.
- Your bank, or any other official source, should never ask you to supply personal information from an email.
It is also useful to hover over a link to see the actual hyperlink address that you are being directed to, not just the text in the email. Finally, if in any doubt, double-check any claims made in the email, for example call colleagues or banks to check whether they have sent the email in question.
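The checks listed above (generic greeting, urgency wording, and a link whose visible text differs from where it actually points) can be turned into a simple triage script that staff or a helpdesk can run over a suspicious message. The following is an added example written for this page; it is not code from ICAEW or the NCSC. The message, addresses and domains in `SAMPLE_EMAIL` are constructed for the demonstration (the `.test` top-level domain is reserved and never resolves), and `registrable_domain` is a deliberately crude stand-in for a public-suffix-list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for demonstration only. The sender, domains
# and wording are invented; .test is a reserved TLD that never resolves.
SAMPLE_EMAIL = {
    "from": "IT Service Desk <helpdesk@it-support-example.test>",
    "subject": "Action required: remote access verification",
    "html": (
        "<p>Dear valued customer,</p>"
        "<p>Your remote access will be suspended unless you verify your "
        "details within 24 hours.</p>"
        '<p><a href="http://login.example-secure.test/verify">'
        "https://portal.example.com/verify</a></p>"
    ),
}

# Phrases drawn from the NCSC-style tips above; extend to suit your organisation.
GENERIC_GREETINGS = ("valued customer", "dear customer", "dear friend", "dear colleague")
URGENCY_PHRASES = ("within 24 hours", "immediately", "will be suspended", "act now")


class EmailHTMLParser(HTMLParser):
    """Collects the visible text and every (href, anchor text) pair in an HTML body."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

    @property
    def text(self):
        return " ".join(p.strip() for p in self.text_parts if p.strip())


def registrable_domain(host):
    """Crude approximation: the last two DNS labels. A production check would
    use the public suffix list so that names like example.co.uk work correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_mismatches(links):
    """Return (shown_text, real_href) pairs where the anchor text looks like a
    URL or domain but the href points at a different domain. This is what
    hovering over a link reveals to a human reader."""
    found = []
    for href, text in links:
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if not shown:
            continue  # wording such as "click here" is covered by the urgency check
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown.group(0)) != registrable_domain(real_host):
            found.append((text, href))
    return found


def phishing_indicators(email):
    """Return a dict of indicator name -> evidence for the message; empty if none fire."""
    parser = EmailHTMLParser()
    parser.feed(email["html"])
    body = parser.text.lower()
    subject = email.get("subject", "").lower()
    findings = {}
    greetings = [g for g in GENERIC_GREETINGS if g in body]
    if greetings:
        findings["generic_greeting"] = greetings
    urgency = [u for u in URGENCY_PHRASES if u in body or u in subject]
    if urgency:
        findings["urgency"] = urgency
    mismatches = link_mismatches(parser.links)
    if mismatches:
        findings["link_mismatch"] = mismatches
    return findings


if __name__ == "__main__":
    for name, evidence in phishing_indicators(SAMPLE_EMAIL).items():
        print(f"{name}: {evidence}")
```

Running the script on the constructed sample reports all three indicators: the impersonal greeting, the 24-hour deadline and suspension threat, and a link whose visible text names one domain while its href goes to another. A message with none of these returns an empty result, so the script is a prompt to look more closely, not a verdict; the final step remains the one the article recommends, confirming the request by phone with the colleague or organisation it claims to come from.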
The NCSC has a wealth of resources to help businesses of all sizes. As well as the Small Business Guide, they provide a free cybersecurity training course for staff that can be watched online. The NCSC also sends out a weekly threat report which highlights new or particularly important threats or attacks.
We've also created this helpful article on how to avoid being blackmailed online after a security breach.
ICAEW also has over twenty evergreen cybersecurity tips of the week on Tech News.