Cybercrime unfortunately continues to be a hot topic, with businesses and individuals at risk of becoming potential targets of digital fraud. Any business or individual using electronic communication can be the subject of an attack by hackers.
ITIC has issued a number of circulars to warn members and to encourage them to implement robust systems and controls that minimise their exposure. However, we are still seeing this type of fraud being regularly committed, particularly where communications are intercepted and bank details changed, whilst the original sender remains unaware.
The result is that you are left exposed to a liability arising from somebody else’s dishonesty. Acts of fraud can be varied, and ITIC’s experience has shown that fraudsters will often seek to make themselves appear respectable by associating their actions with reputable companies.
Here we outline some practical tips and checks that you can implement, to ensure that your IT systems and processes are as robust as possible. These suggestions are being shared purely to raise awareness and are not intended to constitute professional IT advice. ITIC is not able to comment on IT security products, individual systems, cyber risk self-assessments or any other element of cyber security. If you require further information, ITIC recommends that you contact an IT professional or cyber risk specialist.
Internet security... the basics
- Antivirus software: Use it and keep it up to date!
- Use a firewall: Windows has a firewall built in and most antivirus packages also include one.
- Keep your system up to date: Not just antivirus and firewall software, but the system in general. Developers regularly issue updates/patches/fixes. These updates are often released because the developer has discovered a security weakness in their product, so they should not be ignored. If you are prompted to download an update then you should!
Social engineering
Bank mandate fraud is when a third party tricks you into sending a payment to a bogus account by impersonating the genuine organisation or individual. This is also known as “social engineering” and “payment diversion fraud”.
Sometimes these e-mail scams appear to be an internal request to make a payment; this is known as CEO fraud. In these cases a spoof e-mail is sent from a fraudster, purporting to be the CEO or a company director, to a member of the finance team insisting that an urgent payment transfer is needed for some reason. The member of staff, believing that the message is genuine, does as instructed only to discover later that they have sent funds to a fraudster.
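The spoofed "urgent payment" e-mail described above usually carries tell-tale header anomalies: a sender domain that is one character away from the genuine one, a familiar display name attached to an unfamiliar address, or a Reply-To that points somewhere other than the From address. The following is an added example (not ITIC's code, and not from any product the circular mentions) showing how a finance team's mail filter could flag those patterns before a payment is actioned. The trusted domain, the executive list, the keyword list and both sample messages are constructed for illustration.

```python
"""Flag header patterns typical of CEO fraud / payment diversion e-mails.

Added example, not ITIC's code. TRUSTED_DOMAIN, EXECUTIVES, PAYMENT_WORDS
and the two sample messages are constructed values (assumptions).
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domain and the known addresses of
# the people whose identity a fraudster is most likely to borrow.
TRUSTED_DOMAIN = "example-shipping.test"
EXECUTIVES = {"jane doe": "jane.doe@example-shipping.test"}
PAYMENT_WORDS = ("payment", "transfer", "bank details", "invoice", "urgent")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _one_edit_away(a: str, b: str) -> bool:
    """True when a and b differ by exactly one inserted, deleted or
    substituted character (e.g. an extra 'p' in a domain name)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:k] + longer[k + 1:] == shorter for k in range(len(longer)))


def _body_text(msg) -> str:
    """Concatenate all text/plain parts so multipart messages are covered."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8",
                                        errors="replace"))
    return " ".join(parts)


def flag_message(raw: str) -> list[str]:
    """Return a list of human-readable warnings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    flags = []

    # 1. Lookalike domain: one character away from our own domain.
    if from_dom and _one_edit_away(from_dom, TRUSTED_DOMAIN):
        flags.append(f"lookalike sender domain: {from_dom}")

    # 2. Known executive's display name on an address we do not recognise.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        flags.append(f"display name '{name}' but address {addr} is not the known one")

    # 3. Replies would go to a different domain than the message claims to be from.
    if reply and _domain(reply) != from_dom:
        flags.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    # 4. Payment language only matters when combined with a sender anomaly.
    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if hits and flags:
        flags.append("payment language with sender anomalies: " + ", ".join(hits))
    return flags


# Constructed sample messages (assumptions, not real traffic).
SPOOF = """From: Jane Doe <jane.doe@example-shippping.test>
Reply-To: jane.doe@freemail.test
Subject: Urgent payment transfer today
Content-Type: text/plain

Please transfer the invoice amount to the new bank details attached.
"""

GENUINE = """From: Jane Doe <jane.doe@example-shipping.test>
Subject: Board lunch
Content-Type: text/plain

Can you book the usual room?
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("genuine", GENUINE)):
        print(label, flag_message(raw) or ["no warnings"])
```

The fourth check is deliberately conditional: payment wording on its own is normal finance-team traffic, so it only raises the severity when a sender anomaly is already present. A real deployment would pair this with a "call back on a known number" rule for any change of bank details.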
Staff education
Make sure that ALL of your staff are aware of the dangers of clicking links and/or opening attachments from senders that are not known to them. It could be an attempt to install malware onto your computer network. The malware may be recording keystrokes so that the hacker can learn usernames and passwords for systems, or it may contain ransomware or another malicious payload.
Consider running a phishing simulator within your organisation – this is a method of testing staff security awareness. The simulator sends an e-mail similar to a malicious one, with either an e-mail attachment, a link to a website or a request for personal credentials, and reports how the staff responded to it. If the results contain a high number of fails (i.e. staff opened the attachment, followed the link or provided their credentials) then additional staff training is clearly necessary.
Simple housekeeping
Regularly check your spam/junk folder AND deleted items folder on your e-mail system. This is a good habit to get into, not only to check whether your e-mail system has mistakenly marked a message from a client as spam, but also to make sure that a hacker has not set up an automatic rule that marks messages as spam or deletes them. This happens when a hacker is impersonating your e-mail address in order to defraud another party (as mentioned above) and is deleting or hiding any message from the genuine third party who is asking to be paid.
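Checking the folders by hand catches what has already been diverted; reviewing the mailbox rules themselves catches the mechanism. Below is an added example (not ITIC's code) of a small audit that runs over an export of a user's inbox rules and flags the two shapes a fraudster leaves behind: rules that silently delete or bury payment-related mail, and rules that forward mail to an address outside the organisation. The rule records, their field names and the organisation's domain are constructed for this example; a real export (for instance from a mail server's rule-listing command) would need mapping onto these fields first.

```python
"""Audit exported mailbox rules for silent-delete and external-forward patterns.

Added example, not ITIC's code. ORG_DOMAIN, the keyword list, the folder
list and SAMPLE_RULES are constructed assumptions; InboxRule's field names
are this example's own, not a particular mail product's schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ORG_DOMAIN = "example-shipping.test"  # assumption: the organisation's own domain
PAYMENT_TERMS = ("invoice", "payment", "bank", "remittance", "account details")
# Folders a user rarely looks in; a rule moving mail here hides it as
# effectively as deleting it.
HIDDEN_FOLDERS = {"deleted items", "junk email"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    from_contains: List[str] = field(default_factory=list)     # sender fragments
    subject_contains: List[str] = field(default_factory=list)  # subject fragments
    delete: bool = False
    move_to: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)
    mark_read: bool = False


def _external(addr: str) -> bool:
    """True when an address is not on the organisation's own domain."""
    return not addr.lower().endswith("@" + ORG_DOMAIN)


def audit_rule(rule: InboxRule) -> List[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not rule.enabled:
        return findings

    conditions = [c.lower() for c in rule.from_contains + rule.subject_contains]
    matches_payment = any(term in c for c in conditions for term in PAYMENT_TERMS)
    hides = rule.delete or (rule.move_to or "").lower() in HIDDEN_FOLDERS

    if hides and matches_payment:
        how = "deletes" if rule.delete else f"moves to '{rule.move_to}'"
        detail = f"{how} mail matching {conditions}"
        if rule.mark_read:
            detail += " and marks it read so no unread count appears"
        findings.append("silently hides payment-related mail: " + detail)

    external = [a for a in rule.forward_to if _external(a)]
    if external:
        findings.append("forwards mail outside the organisation to " + ", ".join(external))
    return findings


def audit_mailbox(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map rule name -> findings, including only rules that produced any."""
    report = {}
    for rule in rules:
        found = audit_rule(rule)
        if found:
            report[rule.name] = found
    return report


# Constructed sample export (assumption): one benign rule, one disabled rule,
# one deletion rule of the kind described in the text and one forwarding rule.
SAMPLE_RULES = [
    InboxRule("Newsletter cleanup", from_contains=["newsletter@"], move_to="Archive"),
    InboxRule("Old project", enabled=False, subject_contains=["invoice"], delete=True),
    InboxRule("Invoices", subject_contains=["Invoice", "Payment"],
              delete=True, mark_read=True),
    InboxRule("Forward copies", forward_to=["cfo.backup@freemail.test"]),
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Rules that are disabled are skipped on purpose so the report stays short, but a disabled rule with a deletion action on payment subjects is still worth a second look in a real review, as is any rule the user does not remember creating.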
Passwords
Make sure staff do not leave their usernames and passwords on post-it notes on the side of their screen (or in the back page of their notebook!). If your staff use portable devices (laptops, tablets and phones) which have access to either your work system or e-mail then make sure that they have the password or PIN code lock on that device enabled.
Cyber risk assessments
There are cyber security firms who can provide you with a cyber risk assessment. They can look for vulnerabilities in your system through physical tests (i.e. can a stranger walk in off the street and get into the office?) as well as penetration tests, which can be internal or external.
Additional cover from ITIC - cyber liability
ITIC has developed an extension to its existing cover. The policy will protect against liabilities arising from the unauthorised use of your computer network.
This insures:
- Computers operated by you along with any software and peripheral devices that are necessary to make the computers function including servers, networking equipment and data storage devices.
- Acts by people who gain access to your computer network without your permission or people who were granted access for a legitimate purpose but misuse that access to cause harm.
- Your liability to pay compensation to a third party damaged by the unauthorised use of your computer network and all associated legal and experts’ costs incurred by you.
For more information, contact your account executive or insurance broker.
Virtual robbery – an ITIC cyber fraud webinar
Sadly anyone, or any business, can become the victim of a cyberattack or fraud. During this webinar, ITIC’s Robert Hodge and Christopher Crane from Ince discuss the mechanics behind cyberattacks, tracking down the fraudsters, identifying phishing and spoofing and offer tips and advice on how to protect yourself against such losses.