Well-publicised statistics about the unprecedented rise in cyber crime last year can make the issue of online security feel overwhelming for Gloucestershire businesses, but when it comes to providing an antidote the county is particularly well-placed.
Cyber security and managed business IT expert, ReformIT, shares some simple advice and effective steps everyone can take right now to protect their systems.
About the expert - Neil Smith of ReformIT
Neil Smith is the founder and managing director of ReformIT, an IT support specialist headquartered in Cheltenham, covering the UK. Its skilled technicians can advise on all IT matters, from computer and internet security, computer software and cloud solutions to IT support and managed services such as VoIP telephone services and website hosting.
ReformIT is a Microsoft Silver Partner, Small Business Specialist and Microsoft Office 365 consultant that also provides a customised range of managed IT services for business. From a full outsourced IT department to third-line support and project management, ReformIT will customise its services to fit your requirements.
What is a spam email?
Spam is an unwarranted email. It does not have to be malicious. Literally, any unwanted email in your inbox is spam.
Why should my business be concerned about that?
From a security perspective, it is the unwarranted emails ‘bad actors’ use to get into your systems. And what they want to do is exactly what you need to guard against. The majority of these tend to be phishing emails.
They deal in what we call ‘social engineering’. They aim to trick you into thinking you are dealing with a legitimate person. We have all seen these fake UPS emails – ‘we have tried to deliver a parcel to you, but need to re-arrange delivery, please click here’. You are in a rush, you think ‘I’ve missed it’ and before you know it you’ve clicked on the link. It might even take you to a web page that looks like a genuine site.
In other words, be wary of any emails designed to trick you into clicking a link that will then trick you into delivering details such as usernames, passwords or personal details.
What impact can it have on a business?
At best it’s just a waste of employee time. At worst the financial and reputational cost can be horrific, and very often nothing happens straight away. What we often find is that the successful attacks are those which no one remembers. There are no alarm bells that go off to alert you. The ‘bad actor’ will have the details they want and they will be on sale on the Dark Web for other criminals to use, or they will sit, lurking in your system, waiting for the right time to pounce.
Okay, you have my attention. Anything else?
Many attacks will look for financial gain. They will watch your emails and figure out if you are the managing director or the financial director and will be waiting for an email conversation about financial aspects of your business. They might wait for an invoice to arrive for example.
Before you have spotted it, they will have transferred it into another folder, modified it, perhaps with their bank account details on, and sent it back into your system – perhaps to your financial department – and the invoice gets paid into the attacker’s bank account!
Are there simple steps to take to help keep emails more secure?
Multi-factor authentication for email accounts is one way to improve security and significantly cut down the risk. A decent spam filter will block anything it deems suspicious and help identify any potentially malicious items. Really decent spam filters will have a ‘sandbox’ system that will test clickable links in an email to see where they might take you – and if it’s dodgy – stop them working.
This technology can also identify emails which have come from outside organisations and raise alarm bells when emails appear in threads from unknown addresses or ‘spoofed’ domains.
Is there anything else businesses can do?
Often, the weak link is the squidgy bit between the keyboard and the chair, the human being!
The final aspect is training. Spoofs can be good, but if your staff are trained they might spot a lack of clarity in an email, different language than the sender would usually use, or that the email comes from a different address.
In IT security nothing is ever 100 per cent secure. Training can influence how secure a system is.
It can be delivered in bite-sized videos that last five to 10 minutes. We can put together fake phishing exercises to test staff before and after training and help your staff develop the right skills.
Also important is that you develop a culture that encourages everyone to flag any issues as soon as they are aware.
It sounds like an awful lot to keep on top of when trying to run a business?
The job of a firm like ours, which can manage your IT and security, is to keep on top of all of this and report back. We can advise on measures to take, make sure they happen, monitor, report and keep security up-to-date so businesses – and business owners – can get on with doing what they are good at.