Cybercrime might feel like something that generally happens to other people, but it’s never been more prevalent. The Office for National Statistics recorded 4.7 million incidents of fraud and computer misuse last year, including a 145 per cent rise in computer malware and distributed denial of service attacks. These are designed to crash servers, forcing websites offline.
DDoS attacks are frustrating yet temporary, but there’s nothing short-term about the consequences of malware. This was clearly demonstrated by the WannaCry ransomware cryptoworm, which locked and paralysed computer systems around the world until bitcoin payments were received. Yet despite a rapid response from Microsoft, over 200,000 Windows computers were affected by WannaCry across every continent; total costs were estimated in the billions, while some smaller firms never recovered. And this was just one of the innumerable pieces of malware detected online in the last twelve months. Little wonder that PwC declared cybercrime the most reported fraud type earlier this year, as well as the most feared among businesses in future.
Preventative measures to prevent cybercrime:
1. Educate staff about the risks.
Knowing the difference between worms and Trojans is helpful for staff, especially if their jobs involve specific elements like research or accounts management. Once they’ve been educated, you can test their knowledge…
2. Send employees a spoof spam message purporting to be from a client, with a harmless hyperlink to a random web page.
See who clicks on the link, and consider additional training if anyone walks into what might have been a cyberattack.
3. Practise what you preach.
By the same token, be very wary of incoming emails. Does the sender’s address match their claimed web address? Are you expecting to receive a Word invoice? Spelling mistakes and missing graphics should raise doubts.
4. Ensure every device has an active and updated antivirus package.
Don’t believe the old myth that Apple devices are immune to infection – this is no longer true. Install and update antivirus tools, permitting them to monitor email and web traffic.
5. Sandbox incoming files.
Sandboxing involves saving files in a secure, sealed environment like a Dropbox folder. Opening the file here will prevent any malicious payload discharging, and any malware should be rendered inert.
6. Avoid visiting insecure websites.
There’s a reason why search engines mark down websites lacking HTTPS security. Malware is more easily hidden in these less secure platforms, especially in the dormant or obsolete plugins of WordPress websites.
7. Permit system updates.
When a security update is announced for an operating system or program, download it. These are often patched in response to newly identified malware threats – it may not be safe to use these systems until they’ve been updated.
8. Set up hardware to maximise protection.
Make sure that computers and tablets log off after a few minutes of inactivity. Set passwords on any portable devices in case they’re lost or stolen. Offer clients 2FA login portals, and do the same with company intranets.
9. Firewall your internet connection.
Firewalls can be as simple as a redundant desktop PC plugged into the broadband connection before connectivity is distributed to other computers. However, very importantly a firewall often stops malware spreading any further.
10. Back up data.
This might be offline, on a data key stored in a safe. It could also be an automated daily process, with a server mirror saved into the cloud. Full data backups effectively negate the risk of ransomware.
If the worst happens
Even if your company is unfortunate enough to be targeted by cyber attacks, these steps will mitigate any damage:
- Make a full and frank disclosure. Post-GDPR, it isn’t really acceptable to bury bad news. Given the prevalence of cyberattacks and malware, few people would be surprised if a company they dealt with reported a security breach. Clients will often be supportive, but they rarely forgive a cover-up, especially if their data is involved.
- Restore lost or compromised data from backup sources. As per the Preventative Measures advice above, it’s time to roll out your data backup. This will enable the business to continue operating reasonably normally, even if individual devices are ruined. Most clients are only interested in a firm’s ability to maintain service.
- Investigate what happened, and consider possible system improvements. Being able to say “it happened, but we’ve learned from it” will demonstrate contrition and a determination to avoid any repeats. If the attack related to insecure web hosting, for instance, it might be time to switch host. Which brings us onto…
- Trust the team at UK2.NET. We provide secure web hosting, taking every precaution against cyber attacks. Customers use 2FA to log into their UK2.NET accounts in order to prevent hacking. We offer SiteLock security for protection against SQL injections and malware, while Cloudflare checks all traffic against a live database of known threats.