Cyber crime is rarely out of the news these days and the reasons are obvious when the sums of money are so large and the risks to consumers so great. The personal data advice firms hold in respect of clients – passports, utility bills, payslips, bank statements, etc – are all valuable items for criminals intent on cloning someone’s identity.
No surprise, then, to see the FCA highlight cyber security as a priority area in its 2018/19 Business Plan.
The regulator wants firms to become more resilient to cyber attacks, to protect the interests of clients. The introduction of the General Data Protection Regulation has raised the stakes further, meaning any failures could result in heavy fines and penalties.
There are various types of cyber crime, with some of the most common being:
- Phishing: An increasingly common threat, this is an attempt to acquire sensitive information such as usernames, passwords and credit card details for malicious purposes by masquerading as a trustworthy entity. There are many different types of phishing, but typically it involves an email posing as something innocent, such as a bank asking a customer to update their password. The email contains a link to what looks like the bank’s internet banking page, but it is a fake page set up to capture the login details.
- Ransomware/extortion: This involves the criminal infecting a person’s computer without their knowledge and denying them access to the information on it, generally by encrypting the data. The criminal will only decrypt it once a payment has been made, if at all.
- Data theft/credential hijacking: These crimes usually use Trojan software, which enters the computer from an untrustworthy source and waits silently until certain sites are opened. The software then captures usernames and passwords and sends them over the internet to the criminals, who use them fraudulently.
- Identity theft: This involves searching for personal details online and increasingly includes harvesting information from social media sources. Criminals then use the person’s details to set up loans and bank accounts to siphon money or buy goods online, resulting in major financial losses that can also affect the victim’s future credit history.
Regardless of the size of a business, the principles around cyber security remain the same. Here are some simple tips to help protect your clients’ data and your business’ reputation:
- Make sure every individual in the business understands what is at stake. Do not respond to suspicious e-mails with unexpected attachments or links, and do not click on any links or open any documents in such an email. Where possible, search the internet for a contact number and check that the sender is genuine. If you are unable to verify the sender, delete the email.
- Make sure macros are disabled for all installations of Microsoft Office (in recent versions they are disabled by default).
- Make sure all your computers’ operating systems (Windows 7, etc.) are kept up to date with the latest security patches, and ensure auto-update is enabled within the computer’s settings. Malware often takes advantage of known software vulnerabilities to break into systems.
- Make sure you have internet security/anti-virus software installed, that it is up to date and set to update automatically, and that it runs continuously, checking files as you open them.
- Keep business and personal activities separate and do not use your work device for personal use even with a different login.
- Wherever possible, do not use computer administrator accounts for day-to-day activity. This reduces the risk of accidental infections, as malware generally needs administrator privileges to install itself on a computer.
- Make sure your data – particularly where it is needed for audit purposes – is securely backed up. Do not forget that cloud accounts can be accessed and encrypted too, so use a business cloud account rather than a personal one, and especially not a free-of-charge one, as its security is likely to be minimal, if present at all.
- Use a business-focused e-mail service from a reputable supplier who can help filter malware before it reaches you or your employees – for example, Google for Business or Microsoft Office 365.
- Change your passwords regularly. A password should be a minimum of eight characters using a mix of symbols, numbers and upper- and lower-case letters, and should be unique to every site you use. Avoid the temptation to use the same password for each site. Keep your passwords personal and secure. No one should ever ask you for your password; if they do, terminate the call or discussion and report it immediately.
- Be careful what you post online. Do not give a stranger all the details needed to guess your password or change it using your security questions.
Linda Preston-Todd is head of bespoke solutions at Bankhall