BIFAlink January 2022


Policy & Compliance

www.bifa.org

Reducing cybercrime: get smart, not lucky

With cyber criminals increasingly targeting smaller companies, BIFAlink gives some advice on what to make your staff aware of and how to protect your company

The threat of cybercrime is ever present and it takes many forms, from the rather clumsy “You have won umpteen pounds, please give me your bank details so it can be paid to you”, to major cyber attacks such as that on Maersk in 2017. There have been many similar attacks since 2017, some of them directed against transport and other infrastructure, but they have not been as extensively reported.

Looking at statistics, approximately one third of all data breach victims are small businesses, and given that attacks are increasing in number, Members should consider how best to protect themselves. Many larger organisations and government departments unfortunately run older legacy systems that are more difficult to upgrade in order to protect the business. Also, given the international nature of forwarding and its many customers and suppliers, the industry is uniquely attractive to cyber criminals.

Some will ask what a cyber attack is. The classic definition is: ‘When a cyber criminal launches an attack on a computer, or more than one such device or network(s), with the purpose of disrupting, disabling or maliciously controlling a computer environment or infrastructure; or destroying the integrity of the data or stealing controlled data’.

The reasons for such attacks are varied. At one end of the scale are criminal gangs attempting to hold businesses or individuals to ransom; at the other end may be the disgruntled employee seeking revenge. The end result in all cases is usually disruptive and can lead to considerable cost to the business in terms of reduced productivity, reputational damage, repairs to existing systems and the purchase of new equipment. Beyond these impacts there may also be lawsuits and regulatory fines.

IT providers and those who work in countering such attacks all have varying views on the best method of protecting yourself from attack.
Here are a few of the main ones that BIFA has been advised about.

Know your network, including what software is used and how many devices are actually connected to it. It should also be known which devices are running which software packages, and especially which of them have access to the internet. Strict protocols should be established to control access to the internet and to prohibit staff from downloading additional software without approval. More difficult, given the growth of home working, is controlling the connection of private equipment to office networks, or of business equipment to poorly secured home networks.

Closely linked to the above is staff training, as an individual employee may inadvertently be responsible for a data breach, and home working has increased that risk. All staff who use the company’s IT network should undergo basic cyber security training. It is important to teach staff the basic principles of protecting the system. This may include:

• Training on creating a password and ensuring that it is a strong one,
• How to manage passwords and not use the same one for multiple accounts,
• The signs of a suspicious e-mail: was I expecting this message? Do I know the sender, either the individual or the company? Is the e-mail address suspicious, for example a near-miss spelling of a customer’s domain, or a reply address that differs from the sender? Be very wary of messages purporting to come from a business but sent from free webmail accounts such as Gmail.

Training should match the risk. For instance, staff in finance and other more sensitive areas, who are the usual targets of invoice and payment fraud, may require additional training.

The other piece of advice is to keep software updated; research has indicated that 60% of data breaches were linked to an available but not applied software patch. Patches are usually issued only because the software provider has identified a problem, and once a patch is published attackers can study it to find the weakness it fixes, so every day of delay in applying it widens the window of exposure.

For the individual user, passwords can be problematic because they have to be remembered. Staff should nonetheless be encouraged to use strong passwords for all devices and logins. Every account should have a different and unique password, incorporating upper- and lower-case letters, symbols and numbers; a password manager removes the burden of remembering them and makes unique passwords practical. This is a very important element of cyber security and one to which individual employees can contribute directly. Protocols should be established for when passwords must be changed and should prohibit the sharing of passwords. Note that forcing frequent routine changes tends to produce weaker, predictable passwords; changing a password promptly whenever compromise is suspected is the priority.
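The three questions in the suspicious e-mail training above (do I know the sender, is the address suspicious, is it a free webmail account) can be turned into mechanical checks that a mail gateway or a helpdesk script applies before a message reaches finance staff. The following is an added example written for this page, not BIFA’s code or guidance; the list of known customer domains, the sample message and the lookalike-domain threshold are constructed assumptions for illustration.

```python
"""Triage a raw e-mail against the questions in the staff-training advice.

Added example, not code from the original article. KNOWN_DOMAINS, SAMPLE and
the 0.85 similarity threshold are constructed assumptions for illustration.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains of customers and suppliers staff actually deal with.
KNOWN_DOMAINS = {"acme-forwarding.example", "bigbank.example"}

# Free webmail providers: a legitimate business rarely invoices from these.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Words typical of payment-diversion fraud aimed at finance staff.
PRESSURE_WORDS = ("urgent", "bank details", "new account")

# Constructed sample message: a lookalike sender domain (l for i) plus a
# Reply-To pointing at a free webmail account, a common invoice-fraud pattern.
SAMPLE = """From: "Accounts - ACME Forwarding" <accounts@acme-forwardlng.example>
Reply-To: acme.accounts.payments@gmail.com
To: finance@yourcompany.example
Subject: URGENT: updated bank details for invoice 4471

Please pay the attached invoice to our new account today.
"""


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, known):
    """Return a known domain that this one closely resembles but does not equal."""
    for k in sorted(known):
        if domain != k and difflib.SequenceMatcher(None, domain, k).ratio() >= 0.85:
            return k
    return None


def triage(raw, known_domains=KNOWN_DOMAINS):
    """Return a list of human-readable warning flags for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []

    _display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)

    # "Do I know the sender?" - is the domain one we actually trade with?
    if from_dom not in known_domains:
        flags.append(f"sender domain not in known contacts: {from_dom}")

    # "Is the e-mail address suspicious?" - near-miss spelling of a known domain.
    near = lookalike(from_dom, known_domains)
    if near:
        flags.append(f"sender domain {from_dom} looks like known domain {near}")

    # "Be wary of free webmail accounts" - for the sender and for replies.
    if from_dom in FREE_WEBMAIL:
        flags.append("sender uses a free webmail account")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if reply_dom in FREE_WEBMAIL:
        flags.append("replies would go to a free webmail account")

    # Pressure and payment-change wording, the hallmark of invoice fraud.
    subject = msg.get("Subject", "").lower()
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    if any(w in subject or w in body for w in PRESSURE_WORDS):
        flags.append("pressure or payment-change wording in subject or body")

    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("-", flag)
```

Heuristics like these produce false positives (a genuine contact writing from a new domain) and miss well-crafted fraud, so they are a prompt for a phone call to a known number, not a verdict; the point is that each of the training questions is a concrete property of the message that can be checked rather than left to instinct.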

Whilst taking steps to protect the data is very important, it is equally essential to back up the data and store the backups securely on a regular basis. Backups should be kept offline or otherwise disconnected from the network, so that an attacker who gains access to the network, for example with ransomware, cannot reach and encrypt or delete them, and restoring from a backup should be tested periodically so that it is known to work before it is needed.
