Boosting your business’s resilience to cybercrime
Want to protect your business data? Start thinking like a cyber criminal, writes Suzy Clarke. Over the past 12 months, millions of customers around the world have been impacted by […]
Want to protect your business data? Start thinking like a cyber criminal, writes Suzy Clarke.
Over the past 12 months, millions of customers around the world have been impacted by some of the biggest data breaches in history. Small businesses are particularly at risk, as they work with sensitive personal and financial information every day.
October is Cybersecurity Awareness Month and a timely reminder to stay secure online. So how can you protect your business?
It all starts with understanding the mindset of a cyber criminal. Who are they? What are they looking for? Why are they stealing information? And how do they get it?
Who is behind a cyber attack?
Despite the stereotypes, cyber criminals aren’t necessarily well-funded geniuses who lurk in the shadows building sophisticated hacking programs. The barrier to entry is actually much lower, with cybercrime tools and services available to anyone with the right motivation.
There are four kinds of cyber criminals:
- Hackers, who use their skills to break into vulnerable systems and networks.
- Cyberactivists, who often have political or ideological reasons for exploiting a company and exposing their data.
- ‘Script kiddies’, who don’t have technical expertise and use off-the-shelf hacking tools to steal data.
- Malicious insiders, who are employees using their position to steal sensitive information from their company.
What do cyber criminals want?
Data is the ultimate prize for a cyber criminal. This could be anything from the personal information of staff and customers, to confidential business information like sales and inventory records, credit cards and banking information, or account credentials used to access company systems.
Personal information can be used to commit identity fraud like scam campaigns, or payment fraud like transactions on stolen credit cards. Business information can be sold to competitors or state sponsors, and used to gain access to company accounts. Cyber criminals steal this data by gaining control of the accounts that access it.
Once they have access to your accounts, cyber criminals can change your password and lock you out, then use this account to access other online services. For example, imagine if a cyber criminal was able to access your email account. They could intercept a PDF invoice and edit the payment details, to trick your customers into paying a fraudulent bank account instead of you.
How do cyber criminals access your accounts?
Cyber criminals use a number of tactics to gain access to your accounts:
- Direct attacks, using tools that allow them to guess or break passwords that are weak. If you’ve used that password across multiple accounts, the damage could be wide ranging.
- Phishing and social engineering, where cyber criminals trick people into handing over their details using links or requests in emails, texts, phone calls and other communications.
- Malware, which is malicious software that can infect your device to monitor your activity, and provide backdoor access to your systems.
- Ransomware, which spreads across your devices to lock them, so the cyber criminal can threaten to expose or erase your data unless you pay a ransom.
How can you protect your business?
Being cyber wise in your business or practice doesn’t have to be complex or expensive. It’s about taking a layered approach, to make sure you have broad protection against a range of threats. You probably already do this with your home security. Aside from locking doors and windows, you might have additional deterrents like gates, cameras, alarms, and perhaps even a dog.
Here are five strategies you can use as layers to improve your business’ resilience to cybercrime:
- Do a risk assessment on your business to identify any gaps. This might involve thinking about what data you store, which technology you use to store it, and what obligations you have to manage it.
- Get the security basics sorted, like having strong and unique passwords on each account, and switching on multi-factor authentication wherever possible. Password managers are a good option as they do the hard work for you.
- Develop strong policies and processes to help your team maintain clear and consistent cybersecurity habits. This should outline how your business or practice handles account security, device security and data security.
- Buy from organisations that adhere to data security standards, like ISO 27001 and SOC2. Use secure websites (the ‘s’ in https is the key) and make sure that accessing and sharing data is limited to staff that need the information to do their jobs.
- Don’t forget to consider the human element of security. Staff should understand how to safely use the accounts, devices and data that belong to your business. They should also feel confident about where to go for help, and how to respond if an incident occurs.
Cyber criminals are a growing threat to all of us. The best way to make sure you keep your data safe is to look at your business through their eyes, and consider what gaps or vulnerabilities might exist. That way, you can enjoy peace of mind, knowing the data you’re holding on your business and customers is safe and secure.
Suzy Clarke (pictured) is Executive General Manager of Security at Xero.