Is preparing against cybercrime really something you can afford to ignore?

We’ve all come across horror stories of unsuspecting businesses paying out thousands of pounds of their hard-earned cash to opportunistic criminal gangs. Hopefully it is something you will never encounter, but the reality is that sophisticated cybercrimes are becoming increasingly prevalent. In 2018 alone, the UK’s Action Fraud agency estimated that fraud cost small and medium enterprises an enormous £18.9 billion.

How do cyberattacks happen? 

As fraudsters become more astute to our wariness of phishing scams, they’ve had to become more targeted in their approach. A criminal can easily obtain details of the finance team and directors of a company – be it through Companies House, LinkedIn or your company website. Armed with these details, they can impersonate an email from a director, requesting the financial controller to execute a seemingly legitimate bank payment. Sadly, many financial controllers have fallen for such ploys.

Cybercrime is, of course, also synonymous with malware and hacking. The most common form of malware is the virus: a self-copying program that infects legitimate software. Once a system is infected, the virus can hijack it, corrupting and deleting business-critical files.

Furthermore, some of these malicious viruses can potentially hold your business hostage. Ransomware can threaten to leak the victim's data or block access to its systems, unless a ransom is paid. Even if, in desperation, the ransom is paid, there is no guarantee that the hijacker will actually unlock your computer system. 

What’s the damage?

Not only is there the potential loss of important papers, there’s also downtime whilst the systems are locked down, plus the added risk of a data leak. In 2018, a high-profile airline was subject to a data breach in which hackers stole the bank details, names and addresses of half a million customers. As if the reputational damage was not enough, the airline has also been subject to a record £183 million fine for failing to protect its data, and is now exposed to litigation from affected customers. Clearly, failure to protect against cybercrime can have devastating consequences, even if the attack has not led to any direct financial loss.

How to protect your business 

Small and medium businesses often put internal controls and procedures on the backburner. Perhaps they have more important things to focus on, like innovation, growth and survival. Yet a small finance team and an unblemished fraud history often create the perfect storm for cybercrime to occur. As well as speaking to your IT support providers, we therefore advocate a pragmatic approach to IT resilience, with some small but effective techniques outlined below:

1. Keep your systems up-to-date and protected

Most operating systems now include their own firewalls and defence systems; they just need turning on! Many banks also offer free anti-virus packages, which create an additional layer of protection against malware. 

Perhaps even more important is ensuring that you accept software updates as and when they become available. Yes, they can be frustratingly slow, but the patches issued in these updates are often designed to counter specific vulnerabilities.

2. Rights of access and passwords 

Set up internal controls to prevent cybercrime occurring. This involves setting responsibilities amongst the team; for instance, making sure that large bank transfers are approved by at least two people before being executed. The spreading of responsibilities should also mean that only a few people (and their respective devices) know the login details for different applications. In the unfortunate event that one device is breached, this makes it harder for a potential hacker to become privy to the details of the whole system. 

Where possible, always make use of the two-factor authentication services provided by banks and other apps. Passwords should be unique for each site and not something that can be guessed easily.

Lastly, only password-protect the things that really need it! Staff can only remember so many passwords, so it’s unsurprising that eventually the same one is used across all apps, which is when the danger comes to the fore.

3. Back-up your files

How much data does your business generate on an hourly, daily or weekly basis? Consider your business continuity risk: take regular back-ups of your business files and store them remotely, either on a separate hard drive or online using one of the various cloud storage providers. In this way, you should never completely lose your data and, hopefully, should be able to continue functioning from the back-up files. Another tip: test the back-ups regularly. If you ever need to rely on them, you want to be sure they are working!

4. Build a culture of vigilance and trust

Finally, and perhaps most importantly, regularly remind all your team to stay vigilant and encourage them to ask for help if they are unsure about any transaction or suspect they might have been a victim of a phishing attack.

Ultimately, if something doesn’t feel or look quite right, trust your instinct. Never phone the telephone number on the bogus invoice or email; instead, discuss the matter with your usual contact to check its legitimacy. 

With recent UK government data showing that one in three businesses has been affected by cybercrime, now really is the time to prepare yourself. 

If you would like to know more about how we can assist you in designing internal control systems to combat fraud, please get in touch with your usual Creaseys contact on 01892 546546.