We’re living in a digital world where everything is connected and everything is online. Any weaknesses in our security practices can make us vulnerable to a cyber security attack.
And it’s not just large organisations or businesses that are being targeted – it’s equally important for small businesses and individuals to be vigilant against cyber attacks, too.
Small businesses in particular are a growing target for cyber attacks. One in four New Zealand and Australian small and medium businesses experienced a cyber attack or hacking attempt in 2017 (per the Norton SMB Cyber Security Survey 2017).
The most prevalent security threats at present are via email. Email filters manage to identify and bin most suspicious-looking emails, but attacks can take several forms, and it’s important to be educated about how to identify an email hacking attempt.
Phishing to steal online banking or cloud accounting credentials
Hackers send an email that looks like it’s from a well-known website, with a login button which redirects to a legitimate-looking, but fake, website, prompting you to log in. If you log in, the hackers can obtain your credentials and use them to access your account, potentially providing access to financial or other sensitive information that can be used for fraud or other crimes.
The information that hackers steal from a compromised website can be used in a ‘brute force’ attempt (often called credential stuffing) to access a range of other sites or systems. Put simply, now that hackers know your username and password for one site, they try to use that same information on a range of other sites, too. This is why it’s so important to use different passwords on different sites, rather than one password for multiple sites.
Business email compromise
Perhaps the most difficult to identify. Hackers can compromise an email account and intercept a legitimate email from a legitimate business requesting payment for legitimate goods or services, edit it with a different bank account number and send it on to the customer, who then pays into the fraudulent bank account. These campaigns have been on the rise, often targeting the building industry in New Zealand and Australia, and solicitors, trusts and real estate in the USA.
Another example is ‘spear phishing/whaling’, where a hacker compromises or spoofs (impersonates) an executive’s email account and sends an email with payment instructions to the finance team. If the fraud is not detected, the business then pays money into a fraudulent bank account.
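The two warning signs described above, a changed bank account number and a reply address that does not belong to the sender, can be checked automatically before a payment is approved. The following is an added example, not part of the original article: the vendor record, the sample emails and the NZ-style account number format are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor record: payment details already verified out of band (e.g. by phone).
VENDOR_ACCOUNTS = {"builder.example": "12-3456-7890123-00"}
# Assumed account format: bank-branch-account-suffix.
ACCOUNT_RE = re.compile(r"\b\d{2}-\d{4}-\d{7}-\d{2,3}\b")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def check_payment_email(raw):
    """Return the reasons to hold a payment until it is confirmed with the sender."""
    msg = message_from_string(raw)
    findings = []
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append("reply-to domain differs from sender")
    on_file = VENDOR_ACCOUNTS.get(sender)
    if on_file is None:
        findings.append("sender is not a known vendor")
    for account in ACCOUNT_RE.findall(msg.get_payload()):
        if account != on_file:
            findings.append("bank account %s does not match account on file" % account)
    return findings

# Constructed sample: the genuine invoice.
GENUINE = """From: Accounts <accounts@builder.example>
To: owner@customer.example
Subject: Invoice 1001

Please pay $4,500.00 to 12-3456-7890123-00 by the 20th.
"""
# Constructed sample: the same invoice after interception and editing.
TAMPERED = """From: Accounts <accounts@builder.example>
Reply-To: accounts@builder-payments.example
To: owner@customer.example
Subject: Invoice 1001

Please pay $4,500.00 to our new account 06-0999-0123456-00 by the 20th.
"""
```

An empty result only means these two checks passed; a request to change bank details should still be confirmed using contact details you already hold, not those in the email.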
So, how do we stay safe against these cyber crimes?
Set strong, unique passwords for each service
Hackers can crack a weak password in minutes, so it’s essential that you have strong, long passwords. It is also important to use a different password for each site. If you use the same password for multiple sites, an attacker who gets hold of one of your account passwords now has access to any other accounts that share the same password.
Using personal information as your password is also a big no-no. Using your name, your pet’s name or your birthday should be avoided at all costs as hackers can easily find this information online (especially through social media). Make each of your passwords long, strong, and unique. To create a strong password use numbers, letters and symbols and make sure it is at least 10 characters long. Password manager software can help you manage your multiple logins and make it easy to maintain good password practices.
Use two factor or multi-factor authentication
Two factor or multi-factor authentication is like having a second lock for your front door. It adds an extra layer of security to your accounts. The factors could include a password plus a unique code that is generated by an app on your smart device or sent to you by text (SMS). 2FA adds an extra line of defence when you log in online and significantly reduces the risk of anyone getting access to your account.
Be aware of security risks
One of your best defences against email scams is to be aware of what the threats are. If an email looks in any way suspicious, don’t open it, don’t open any attachments, and don’t click on any links or buttons. Get in touch with the apparent sender to clarify its legitimacy. Banks and other reputable websites will never ask you for your login credentials by email. Many organisations, such as Xero, run a security noticeboard or page on their website to warn of phishing and scams exploiting their brand.
Keep your software and operating system up to date
A lot of people are guilty of ignoring app updates, but these updates aren’t just about adding new features, they’re also about fixing vulnerabilities that hackers can exploit to access your information.
Up-to-date operating systems and apps are your first line of defence against many bugs and viruses. Updating operating systems is one of the easiest ways to protect yourself. Just make sure that when an update for an app or your OS pops up on any of your devices, you install it right away. You can even set your system preferences to install updates automatically. Then you don’t have to think about it.
It’s also a good idea to check the permissions and settings on your apps too, to ensure they don’t have access to other features you’re not comfortable with, such as location sharing.
Check your privacy settings
Consider what you share on social media and with whom. That includes not only information you choose to share about yourself, but also what you’re asked to share by companies you have online accounts with.
Hackers can use your personal information to steal your identity or get into your online accounts. Ensure that your privacy settings are set so that only your friends and family can see your details. Another thing to keep in mind is that some websites ask you to set some account recovery questions in case you forget your password. Make sure the answers to these aren’t posted online or on social media – for example, the school you attended, your pet’s name, or where you work.