TEN TIPS

to save your business from cyber crime


MFA

Multi Factor Authentication, also known as 2 Factor Authentication or 2FA, is the idea of using multiple security checks to verify a user when they try to log in.

Think of it like using your key to open your front door and then a code to switch off your burglar alarm. Two pieces of information are needed; your key and then a code.

MFA is important because it reduces the chances of an attacker stealing your online account. Even if an attacker has a victim’s password, a second step of verification, such as a text, would keep your business accounts safe. 

MFA is commonly referred to as 2FA due to the use of a login as well as one other form of verification. More advanced verification checks can include biometric tests, such as facial recognition, iris scanning or fingerprint scanning.

Microsoft has a helpful guide on how to enable 2FA, which can be found here
The Metropolitan Police have a great video to explain more, available here

Anti-Virus

Anti-Virus software is one of the strongest tools to defend against a cyber attack, and can protect every one of your employees. The right Anti-Virus will protect your employees from online threats, such as malicious links they might click on or cyber attacks aimed at them.

You can also purchase Anti-Virus software for your company networks. This could give your company a fantastic early warning system if a cyber attacker broke into your network. Your anti-virus could succeed where your firewall failed, and by noticing the breach, it could give you the early warning you need to protect your important data or systems.

Some Anti-Virus software also includes individual firewalls for every employee device, meaning higher levels of individual security, which can be tailored to your specific business!

The right anti-virus software will be a highly customisable, highly robust system which could make the difference between your company suffering from a successful or unsuccessful cyber attack.


Firewalls

A Firewall is usually a business’s first line of defence against internet attacks. A firewall’s job is akin to the physical security of your office: to stop criminals from getting in, but to allow access to employees. Cisco, a leading US networking company, produced a helpful article on what a firewall is, which is available here.

Firewalls are important because they protect networks from cyber-attacks before employees realise what’s happening. Especially with the introduction of artificial intelligence (AI), firewalls can be trained to deal with the ever-increasing complexity of cyber-attacks.

The difference between a high- and low-quality firewall could be the difference between a successful and unsuccessful defence against a cyber-attack. Find details of how to set up your firewall here: Windows | Mac

Passwords

Passwords are the most common method of verifying your identity to a system, and therefore, one of the areas cyber criminals focus attacks on. The key to staying safe online is the use of strong passwords which are different for every account.

An example of a bad password would be your pet’s name and the year they were born, e.g. Bella18. It is a balance between security and memorability. Using ThreeRandomWords or a Password Manager makes this easier. BitWarden or 1Password are good examples. Microsoft has helpful content on how to create strong passwords, available here.

Alternatively, if a password cannot be remembered, it can be stored in a password manager. A password manager is a highly secure piece of software which deals with the creation and storage of passwords for a user. The software can create and store long passwords when the user is creating a new online account, then give the user the password when prompted to log in by a website.

To keep the stored passwords secure, all passwords will be encrypted and require a master password in order to access. For more information, individuals from the University of Tennessee produced a security report on password managers which is available here. From this research, BitWarden, 1Password X and KeePassXC are sound choices, with BitWarden being free for personal use.


Patch Vulnerability

Patch management is the idea of keeping your software as up to date as possible. Everyone sees updating your computer or phone as an annoying waste of time, but sometimes it might save your company from a cyber attack.

This is because sometimes suppliers notice a problem with the software you are currently using. Instead of changing supplier, a patch may become available to fix the problem. If the fix isn’t applied in time, hackers may take advantage of this problem to do damage to your company.

By fixing your problem before a hacker can take advantage of your systems, you have patched the problem! Unfortunately, problems in software are discovered all the time, so patching has become a common occurrence. Once a problem has been detected, it is an arms race between the product supplier and a hacker to either fix or take advantage of the problem.

Therefore, you can defend against the hacker by updating your systems as soon as a patch becomes available, ideally within 24 hours. The National Cyber Security Centre has a fantastic article available online, which describes this in further detail. It is available here.

Alert from haveibeenpwned

“Have I Been Pwned” is a website that checks if your user credentials have been involved in a data breach. It can check if your email address and passwords are available online.

The website is free to use. Just type an email or phone number into the search bar on the website’s main page and search to see if it’s been pwned. Passwords can be checked on a separate page.

If you find your email address or password has been involved in a password breach, it is advised you change that account’s password.

Checking “Have I Been Pwned” is part of a good personal digital hygiene routine. Knowing and understanding your digital footprint is important. The National Protective Security Authority (NPSA) advises checking your digital footprint regularly.

See our top tips (Top Tips to Reduce Your Digital Footprint)

And a little bit of trivia for the next pub quiz… The word “pwned” is derived from video game culture and is a play on the word “owned”, due to the proximity of the “o” and “p” keys.


Phishing & Spear-Phishing

As of February 2023, the NCSC had received over 18 million reported scams, resulting in 117,000 scams being removed across 214,000 URL website addresses. Two of the most common types of scams seen were phishing and spear-phishing.

Phishing is the sending of untargeted mass emails to large numbers of people, asking for sensitive data (usually bank details) or trying to encourage an email recipient to go to a fake website. Spear-phishing, by contrast, is targeted phishing. The email or communication is designed to look like it is from a familiar source that the recipient either knows and/or trusts.

A good way to spot these attacks is to ask yourself some questions like: Is it too good to be true like a big lottery win? Or bad news that is asking you to pay a speeding fine? Does it put you under pressure or play on your good nature? Is it time critical, giving you less time to think?

If you suspect you have a scam email in your main inbox, the best things to do are not to click on any links or open any suspicious attachments and forward the email to ‘report@phishing.gov.uk’.

Supporting Content:
Met Police – Phishing – YouTube
Phishing: Spot and report scam emails, texts, websites and… – NCSC.GOV.UK
Step 5 – Avoiding phishing attacks – NCSC.GOV.UK

Social Media

Sharing your holiday snaps with family and friends is great fun, but if a cyber-criminal can see them, they can learn about your life and use it against you. Do you know who can see your LinkedIn profile and what you are sharing? Do you know the person who wants to “Link” or make friends?

Criminals and hostile actors may act anonymously or dishonestly online to attempt to connect with you and gain valuable information for a cyber attack. This information can be used by criminals to trick people, whether it’s a phishing email, a bogus telephone call, or an SMS message offering you a discount on your bills. Our top tips are: Don’t share too much. Limit your audience. Know your privacy settings and don’t be too trusting.

Supporting Content:
Social Media: how to use it safely – NCSC.GOV.UK
Think Before You Link


Report it!

Cyber security incidents can take many forms but generally fall into two types: security incidents, which are attacks that do not result in loss of sensitive information, and data breaches, which involve the loss of sensitive or valuable information.

Knowing what type of cyber incident has occurred can help with knowing who to report it to and how quickly you need to report it. Unreported cyber incidents can cause more damage, cost more money, and come with costly fines.

Knowing who to report it to can be challenging. If unsure, the UK government’s Cyber Incident Signposting Service (CISS) can help: Where to Report a Cyber Incident – GOV.UK (www.gov.uk). Alternatively, the National Cyber Security Centre (Report a Cyber Incident – NCSC) and the Information Commissioner’s Office (ICO) (Report a breach | ICO) both have online advice. You may also need to tell your insurance company!

Talk to James and Michelle!

James Squire is the Cybercrime and Fraud Coordinator for Warwickshire Police. His input on cybercrime in Warwickshire and the UK is invaluable.

James offers a friendly face as a subject-matter expert on the current cybercrime trends, offering insight on current cybercrime and ones to watch out for. He is more than happy to come into your organisation and talk to your teams. For more information, please contact James, or visit the West Midlands Cybercrime website, Home – WM Cyber.

Michelle Ohren is Head of Cyber and Innovation at the West Midlands Cyber Resilience Centre. Michelle has been in policing since 1996, joining CID in 1999. This has given her a wealth of experience in policing a variety of different crime types throughout the West Midlands, making her a highly knowledgeable subject-matter expert and a key ally in the fight against cyber crime.

The West Midlands Cyber Resilience Centre offers a plethora of different services and support to both individuals and small companies. To better support small businesses, they offer free membership to companies and employees if the business has fewer than 50 staff. More information can be found at https://www.wmcrc.co.uk or you can contact Vanessa and the team at https://www.wmcrc.co.uk/contact-us.


There's no such thing as a stupid question... just ask!