We all know the pandemic has changed the way many of us work – and for the cyber criminals who feed off our businesses and strike while we are distracted, it has proved a lucrative time.
In 2020 UK business lost an estimated £6.2 million to cyber scams, according to Security Magazine, with 31 per cent of those cases at the height of the pandemic.
Some 3,445 UK businesses were victims to cyber scams with 30 billion data records stolen in 2020 – more than in the previous 15 years put together.
Neil Smith, of ReformIT, has some clear messages to minimise your chances of becoming a feature of the statistics for 2021.
About the expert - Neil Smith of ReformIT
IT firms are always telling us to beware of cybercrime. Businesses were listening, so what went wrong over the last few months?
Before lockdown a lot of businesses had done a lot of work to protect themselves. We found that small businesses were really starting to think carefully about IT security. It was becoming hard to ignore it, or at least it was a nagging doubt in most people’s minds. Then along came lockdown.
It was not that businesses didn’t care anymore; they simply had other priorities. It suddenly became about the health and safety of their staff and the public, and they had to get their staff working from home straight away. It was completely understandable.
Why did that make such a big difference to the security of their businesses?
The conversations became about how we could get staff operating now: have they got a computer, in some cases any computer or any phone, just to get up and running? That might be a laptop their children also used to download stuff onto, or their own phone they were using to connect to work on. In the rush to get everyone operational, security became a secondary concern in many cases.
Imagine a warehouse which you owned and had put good locks on every door. That was your business pre-pandemic. Suddenly you were carving a whole load of new windows and doors, but were there good locks on those doors too? It only takes one open door or window to let a criminal inside.
People might say, ‘well, I only use the machine for my emails’ or ‘I only VPN into the office on it’, so where’s the risk? The risk is just that. All of these things connect into your work systems. And that’s all the criminals need.
For example, once they get access to your emails, they will sit waiting and watch – for weeks or months sometimes – for the right information to arrive.
Let’s say that information is a legitimate invoice: the criminals will see it before you know it, amend the bank details, and that email gets forwarded straight to accounts and paid.
The impact can be huge and devastating.
Sounds like what you are saying is ‘I probably don’t know if my company has been compromised!’ So what do I do now?
We are beginning to return to some kind of normal. Some people will continue to work remotely, some will be coming back into the office. Now is a good time to take stock of all your IT assets. Where are they? Who is using what? Where is your data being accessed or stored?
Are you keeping on top of GDPR recommendations about data being encrypted on portable devices?
The first thing I would do is make a list of company IT assets that are being used by employees. Then take a look at your ‘Bring Your Own Device’ or BYOD policy and establish how many employees are using their own personal tech to enable them to work.
Ask yourself: what is the risk of that? Have they got anti-virus software, is it up to date, and are their home WiFi and router secure?
Then what? And can you name one major plus of using a firm like ReformIT if we still have staff working out of the office?
We can help. For example, we have a remote management and monitoring tool installed on all of our clients’ machines, which allows us to audit your IT assets and support each user with critical updates and anti-virus software, amongst other things. We can connect remotely and do that.
When all else fails, we are there to help your business continue to operate safely wherever your staff are.
The world of IT and cyber security is a constant game of catch-up. You should do everything you can, but also be prepared that a breach will happen. Our entire support ethos and focus is built around keeping our clients and their data safe.
There has been a 400 per cent increase in Covid-related fraud cases – but if you are ready, have processes in place, you can react, shut it down, maintain confidence inside and outside the company, and learn.
Surely if my company is breached I’m going to keep it to myself?
ICO (Information Commissioner’s Office) rules are clear when it comes to GDPR and such situations where sensitive data may have been breached – you have 48 hours to report it.
What we have found with businesses who report is they are not facing big fines. The ICO is concentrating on education – not punishment. If you can demonstrate that you found it, learnt from it and put things in place to prevent a recurrence generally they are happy. They are looking for the businesses that bury their heads in the sand when it comes to information security and end up making the same mistakes time and again. Those are the ones who will face punishment.
Frankly, as a business, we would rather work with clients who have been breached and learned from it. They are the responsible ones who want to work towards best practice, and that breeds confidence.
If I’m putting all this effort in, is there a way I can ‘Kitemark’ my business to tell the world I am pursuing the highest standards?
There is something called Cyber Essentials – a government-backed, industry-supported scheme to help organisations protect themselves against common online threats. It is something the government wants all businesses to reach for.
There is the Cyber Essentials Basic, which costs £300 for a self-assessment process. As an IT company we can do this for you and have done for many of our clients.
Then, on top of this, there is Cyber Essentials Plus, where a third-party assessor audits your assessment and runs tests such as attempting to hack into your system, independent of us, to check our work. Pass that, and you and your customers get the confidence boost of knowing your business is in the top two or three per cent of firms.
ReformIT is Cyber Essentials Plus certified too.
Cyber Essentials is backed by the Federation of Small Businesses, the CBI and a number of insurance organisations which are offering incentives for businesses. From 1 October 2014, the Government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme.