Humans are the “weak link in the chain” when it comes to defending against cybercrime. According to CybSafe analysis, human error caused 90 per cent of cyber data breaches in 2019.
The majority of security breaches at small businesses result from people clicking on phishing emails, and cyber criminals are now taking advantage of the COVID-19 pandemic with scam emails and text messages that lead to fake websites designed to harvest personal information.
Cyber criminals are increasingly sophisticated and professional in their approach, and it can be difficult to detect fake emails or scams. Training staff, as well as managers, to recognise scams is crucial so they don’t fall for them. The Australian Cyber Security Centre has a useful free quiz tool to help educate people on what to look for, from spelling issues to URLs that don’t match the sites they’re supposed to be from.
It’s also vital to make sure that people understand the implications of risk. The reality is that carelessness or apathy can bring a business to its knees – and that can cost people their jobs. It’s good business practice to run a test phishing campaign on your staff from time to time. The aim isn’t to catch people out but to remind them to pay attention to emails, SMSs and messages on social platforms.
With the increase in employees working from home due to COVID, there’s a corresponding rise in connected devices. Many of these devices are personally owned by employees and may already be compromised. They include not only phones, tablets, laptops and desktops but also modems, routers, webcams and other connected “smart home” devices from TVs to home automation systems.
It’s not practical to audit all of these devices and lock them all down. But helping employees secure home routers and WiFi networks with strong passwords, firewalls and encryption, and providing staff with VPN access to the company network, is a good start. Employees should also be required to have strong passwords and change them regularly.
The same goes for second-hand hardware that a business may invest in. Hard drives should be fully wiped or replaced. The BIOS should be flashed to ensure no malware is lurking on the motherboard.
Getting hit with a ransomware message is a terrifying prospect. However, all is not necessarily lost. As with real viruses like COVID-19, a critical first step is to limit the spread – shut all systems down to prevent more devices and your backups from being affected. Then you need to establish whether it’s actually a hoax, and if it’s wise to employ experts at this point. Even if the threat is real and your systems have been compromised, it may be that your backups are sufficient to restore everything without needing to pay off the attackers.
Bear in mind that you are legally required to report breaches in most jurisdictions, and the laws may vary between states and between industries. In Australia, under the Notifiable Data Breaches (NDB) scheme, an organisation or agency must notify affected individuals and the OAIC (Office of the Australian Information Commissioner) about an eligible data breach.
No matter how many precautions you take, some companies will still fall victim to cybercrime. But taking a proactive approach, educating employees and closing as many holes as you can will reduce your overall risk. And as simple as it sounds, make sure you always back up relevant (and sensitive) data so that it can be swiftly recovered; then, if ransomware or another cyber-attack hits, your business can keep running.
Gavin Costello, Senior Product Manager, Wontok