Knowledge is power, so it’s time to take control. Protect your small business against social engineering.

Data or system breaches are potentially the number one risk for many businesses. The threat is just as real for small business owners as it is for enterprise leaders – whether it be from theft, disruption or damage, malicious or accidental. Some threats are easier to manage than others – but there is one source of potential malice that is notoriously difficult to stay ahead of: Social Engineering, otherwise known as CEO Fraud.

Cybercrime networks are getting more advanced and sophisticated by the day, and one of the ways they may attack your business is by targeting the most senior people in the organisation. By using social media to thoroughly research an organisation, often with automated bots and crawlers, criminals can identify company directors, suppliers and other information, and then use these insights to successfully fool unsuspecting (smart!) people. Some of the possible outcomes? Virus infection, lost or frozen data or lost money.

As the owner of your business, it’s vital that you stay informed; this is the first step in retaining control.

 

Social engineering: a big threat to your small business

 

Social engineering is an ever-evolving concept. And while it’s tempting to think, ‘That would never happen to me’, the truth is it can. No business is immune. We dealt with an established professional services firm whose finance department transferred funds to a hacker, thanks to a well-crafted email that correctly referenced a particular project, staff and customer details. Scary stuff.

As step one in keeping you informed, here is a brief overview of the terminology you may have seen referenced – sometimes interchangeably. While there are some differences, the terms are all related, and all refer to scams that try to access data and steal information or money.

  • Phishing
    Criminals send a large number of fraudulent emails out in the hope that a small percentage of business owners or individuals will click on a link or provide sought-after information.
  • Whaling or CEO Fraud
    This is a targeted attack on a high-profile user (such as a C-level executive). A simple, well-crafted email is sent to a specific person who has the authority to transfer money. The social engineering efforts are usually quite advanced and the email is likely to look highly legitimate. As the email appears to come from someone of influence, such as a CEO or CFO – or may even be sent from their actual email address – this provides a possible ‘in’ for the attacker.


Here are the facts you can’t ignore

 

  • CEO data fraud is big business. FBI data reveals that CEO fraud has shot up by 2,370% since January 2015, with reported exposed losses of over USD$5.3 billion globally.
  • CEO data fraud is more common than you may think. In fact, it’s the most prevalent type of attack after ransomware. Socially engineered attacks are favoured by perpetrators because the risk-to-reward ratio is huge. The most common victims? Those with financial authority.
  • You can’t afford CEO data fraud. FBI data reports that the average financial loss to an individual is USD$6,000 and to an organisation, USD$130,000. These are some big numbers.

 

It can happen to anyone. Some real-life examples.

 

Before you think ‘I or my team wouldn’t fall for that’, think again. No business is immune to fraudulent attacks. Even technology giants Google and Facebook fell victim to social engineering.

Facebook and Google were hacked by a perpetrator impersonating a large Asian-based computer manufacturer – a regular supplier to both companies. Using social engineering, the hacker generated fake email addresses, invoices and corporate stamps. The result? Over a two-year period, USD$100 million was siphoned to various Eastern European bank accounts.

In one of the largest data breaches ever seen, Equifax admitted that hackers stole personal information from up to 143 million US consumers. Following the public announcement in September 2017, company shares plummeted and several C-level executives exited and were later investigated by the Federal Trade Commission.

Closer to home, we worked with a law firm that was compromised when a well-crafted email reached the finance department. By referencing the right customer and project details, the finance team were fooled into transferring funds to another account. It can and does happen.

 

Act now. Get informed and take the first steps.

 

The good news is that when it comes to IT security, small steps can make a real difference. And we can help. Our simple, actionable checklist highlights the top security-related priorities for a business running on Office 365 and is a valuable first step in helping you take control. Download the checklist here or get in touch today.

More than just good passwords and anti-virus. This is what IT security means for small business.

Small Business IT Security

As a small business owner, securing your business and customer data is no doubt on your mind. You probably have anti-virus software, may or may not have good passwords in place, and most of your data is in the cloud. Is that enough? You’re not sure. Does it matter? Probably not; you’re an unlikely target for a cyber-attack.

Think again. The threat is more real than you may realise.

2016 data from Symantec suggests that 43% of cyber-attacks are on businesses that are small and deemed to be more vulnerable. But it may not even be external sources that are your biggest risk. The reality is that even well-meaning employees can make mistakes or have the wrong information – and this too can cost your business dearly.

The concept of IT security – or cybersecurity – refers to protecting your data and your systems from theft, disruption and damage – whether malicious or accidental.

And while no business is immune to the threat of data loss and the business disruption that comes with it, staying informed is the first step in gaining control.

 

Are you making any of these mistakes? If so, you’re not alone.

 

We get it, you’re busy working on your business. And you may trust that ‘the cloud’ is looking after all your data and cybersecurity issues. Here are some of the most common mistakes we see small business leaders make – if any of the below apply to you, you could be doing things better.

You rely on Office 365 for backups. You may think the cloud is the safest spot for all of your data storage, yet around 32% of cloud users report data loss. You may be able to retrieve lost files, though this is not always guaranteed. But even then they may not have the same file structure and usability as they did before.

You don’t take the time to update your software. Yes, it’s yet another task and it can easily fall by the wayside, but it is worth the effort. Windows 10 – as just one example – is much more secure than its predecessors. This is likely to also be true of your other software platforms.

You don’t take passwords seriously. Your systems are only as secure as your weakest password. So even if you do take yours seriously, can you be sure that the rest of your team does too?

IT security is not on your team’s agenda. When you on-board new staff or contractors, you may not have time to make security education a priority. As for your existing team, it is easy to assume that they already know this stuff.

There are so many elements of ‘cybersecurity’. It’s not just about having antivirus software in place, a strong password and cloud backups. That is just the tip of the security iceberg. And, given that many security issues are caused by human error, it’s critical that you look at all pieces of the puzzle, such as staff education and system updates.

 

More reasons to care. Some real-life examples

 

We deal with customers every day who thought they were immune to data loss and regret not seeking help to put better processes in place. A customer using SharePoint got into a mess when someone tried to re-organise the file structure and, in the process, lost some data. In this case they were able to get it back, but what they received was just a list of files; the entire file structure was gone, making it extremely difficult to use. Other customers have lost email history in Office 365, making litigation or disciplinary action – already unpleasant situations – much more complicated than they needed to be.

Then there is the ever-evolving concept of social engineering. Attackers are now using social media to research an organisation to better target them with legitimate-looking emails or offers. They are able to learn about the company structure, the suppliers it deals with and other information to fool people into clicking through to a malicious site (to freeze data or infect with a virus) or (increasingly) into transferring money. It’s tempting to think, ‘That would never happen to me’, but think again. We dealt with a professional services firm whose finance department transferred funds to a hacker, thanks to a well-crafted email referencing the right staff, project and customer details.

 

Act now. Small steps can reap great rewards.

 

The good news is that when it comes to IT security, small steps can reap great rewards. The first step is recognising you are not immune and deciding to take control. We can help. We’ve created a simple, actionable checklist to help you start taking control of your IT and data security. Download our security checklist here or get in touch today.