The last two days at Xerocon New Orleans have been a fantastic whirlwind, and I was particularly thrilled to speak about my favourite topic – how to keep your practice cyber safe – in a breakout session on the second day for our delegates.
As Xero’s General Manager for Security Assurance, this is a topic very close to my heart, and it’s this education and awareness piece that makes up a huge part of the work my team and I do on a day-to-day basis.
While it may come as no surprise that cybercrime is evolving, what you might not know is how simple keeping your business safe can actually be in this new era of online working. So here are the top three security challenges to be across as you look ahead, and what you need to know about each.
Your employees make up ‘the human firewall’
When it comes to the greatest risk you face as a practice or business owner – or as a leader of people – it’s your employees falling victim to an online scam or a targeted cyber criminal attack. Phishing remains the cyber scam with the highest victim rate (92%[1]), and phishing attempts can reach you and your employees at any time of day, by any communication medium.
Phishing relies on a manipulation tactic called social engineering: the attacker impersonates an entity or a person that you or your employees already know and trust, and uses that trust as bait. It can come in the form of a telephone call asking them to urgently pay an overdue invoice, an email disguised as a vendor or client asking them to hand over important credentials, or an SMS posing as their manager asking them to complete a critical task.
In many cases the employee performs the action as requested, with no ill intent. Once an adversary holds important information about your business, though, it can be very hard to retrieve it and regain control. Running regular phishing simulations with your team members, where you teach them to pause on anything that doesn’t look or feel right, can be the difference between a successful attack and a near miss.
Help them to understand the red flags in a phishing attempt: generic greetings, suspicious links (hover over a link to see where it really points before clicking), spelling errors, a sender address that looks odd on a second glance, and a reply-to address that differs from the sender. If in doubt, encourage them to confirm the request with the real entity through a contact channel they already have, such as the phone number on file, rather than one supplied in the message itself. An urgent request is usually a huge red flag that the sender is not who they claim to be, and signals that something may be awry.
While your people can be targeted by phishing adversaries, they can also be your biggest strength if you empower them to be.
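The red flags above can be written down as checks. As an added example, not code from Xero or from the original post, here is a small Python script that runs those checks over two constructed messages (hypothetical domains, not real mail): a look-alike sender domain, a Reply-To that goes somewhere else, link text that shows one host while the link points to another, a generic greeting, and urgency language. The list of trusted domains is an assumption you would replace with your own vendors’ and clients’ domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains your real vendors and clients send from (hypothetical values).
TRUSTED_DOMAINS = ("example.com", "example.net")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "overdue", "suspended")
GENERIC_GREETING = re.compile(r"\bdear (customer|client|user|valued|sir|madam)\b", re.I)

def levenshtein(a, b):
    """Edit distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def host_of(url_or_text):
    """Hostname of a URL; link text like 'www.example.com/pay' is treated as a URL too."""
    if "://" not in url_or_text:
        url_or_text = "https://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()

def lookalike_of(domain):
    """The trusted domain this one imitates (edit distance 1 or 2), else ''."""
    bare = domain[4:] if domain.startswith("www.") else domain
    return next((t for t in TRUSTED_DOMAINS if bare != t and levenshtein(bare, t) <= 2), "")

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phishing_indicators(raw_email):
    """Return the red flags found in one message (empty list if none)."""
    msg = message_from_string(raw_email)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if imitated := lookalike_of(sender_domain):
        flags.append(f"sender domain {sender_domain!r} imitates {imitated!r}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append(f"Reply-To goes to {domain_of(reply_to)!r}, not the sender's domain")
    body = ""
    for part in msg.walk():  # covers single-part and multipart mail alike
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        # Visible text that looks like a URL but whose host differs from the real target.
        if "." in text and " " not in text and host_of(text) != host_of(href):
            flags.append(f"link text shows {host_of(text)!r} but points to {host_of(href)!r}")
    plain = re.sub(r"<[^>]+>", " ", body)
    if GENERIC_GREETING.search(plain):
        flags.append("generic greeting instead of your name")
    pressure = [w for w in URGENCY_WORDS if w in (msg.get("Subject", "") + " " + plain).lower()]
    if pressure:
        flags.append(f"urgency language: {', '.join(pressure)}")
    return flags

# Constructed sample messages, not real mail: one phish, one legitimate statement notice.
PHISH = """\
From: "Example Billing" <accounts@examp1e.com>
Reply-To: payments@mail-collector.example.org
Subject: URGENT: overdue invoice #4471
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p><p>Your account will be suspended within 24 hours.</p>
<p>Pay now at <a href="http://login.example-pay.tk/x">https://www.example.com/pay</a></p>
"""
LEGIT = """\
From: "Example Accounts" <accounts@example.com>
Subject: Your March statement
Content-Type: text/html; charset=utf-8

<p>Hi Alex,</p><p>Your March statement is ready at
<a href="https://www.example.com/statements">https://www.example.com/statements</a>.</p>
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH))
    print("legit:", phishing_indicators(LEGIT) or "no indicators")
```

Mail gateways run checks like these at scale; the value of writing them out is seeing exactly which properties of a message they look at, because those are the same properties to teach people to look at. Note what the script cannot do: it cannot tell whether the request itself is genuine, which is why confirming with the real entity through a channel you already trust still matters.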
Backup anything (and everything) critical
While it’s a good idea to remain vigilant against cyber attacks, if you become one of the 43%[2] of small businesses that fall prey to a data breach, make sure you have a disaster recovery and business continuity plan in place to minimise the impact to you, your staff and your clients.
A solid business continuity plan is a huge marker of your cyber resilience. It will help you focus on what you need to do, who you need to contact and where to find important data at a time when stress and panic are at an all-time high. As a general rule of thumb, back up anything that cannot be easily recreated or remembered, and record in the plan where those backups live: think final drafts of documents, client contacts and financial information, and critical files. Anything particularly sensitive should be encrypted, both in the backup and wherever the plan itself is stored.
The plan and the backups should be kept somewhere you can still reach when your main systems are down: a reputable cloud service protected by a strong password and multi-factor authentication, or a portable hard drive that you keep physically secure and disconnect when it is not in use, so that ransomware on your network cannot encrypt it along with everything else. Test that you can actually restore from a backup before you need to. If a data breach happens to you, notify affected clients or customers (in many jurisdictions this is a legal requirement) so they can put the relevant provisions in place to protect their own identities and information. You can also use it as an opportunity to reassure them that your critical information is backed up and that you are taking steps to shut down any further attacks or impact.
If you are hit by ransomware, remember that most government agencies do not recommend paying the ransom. There’s no guarantee that the cybercriminal will honour the deal or that the decryption will work, and once you have paid once you are usually flagged as a willing payer, which invites subsequent extortion. A tested, offline backup is what turns a ransom demand into an inconvenience rather than a crisis.
Deadbolt using multi-factor authentication
Your digital data is extremely valuable to cyber attackers, but there’s a common misconception that a cyber attack boils down to a single lump sum lost. We often hear about someone getting their card skimmed or their account hacked (which is obviously impactful), but the risk goes much further.
Credential harvesting is one of the most common, serious and long-lasting risks that come from a cybercrime. Attackers want your money, but not just once: they want to extract it again and again, in every way they possibly can.
Using your details, they can open new credit cards and bank accounts, obtain driver’s licences and passports in your name, or buy and sell things as if they were you. With access to your client details to boot, it presents a goldmine of opportunity for them.
Strong password hygiene can make a huge difference to your business, so invest in a password manager that generates a strong, unique password for every account, syncs them across your devices and lets you log in without typing anything. Uniqueness matters as much as strength: a password stolen from one site is routinely tried against every other service, so reusing one password turns a single breach into many. Even better, enable multi-factor authentication on all company email accounts and critical services, or choose software that has these safety measures built in, like Xero Verify when using Xero.
Think of multi-factor authentication as the deadbolt on the door of your business. When it’s enabled, you’re required to enter your password (something you know) along with a one-time code generated on your smartphone (something you have). To gain access, an attacker now needs both, which is far harder than stealing a password alone, so even if your password has been compromised, multi-factor authentication can still save the day. One caveat: a convincing phishing page can ask for the one-time code as well and pass it on within seconds, so still check where you are typing it, and prefer an authenticator app or a hardware security key over codes sent by SMS, which can be intercepted or redirected.
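To make the “something you have” concrete, here is an added example, not Xero’s code and not how Xero Verify is implemented, of the time-based one-time code that most authenticator apps generate (TOTP, RFC 6238, built on HOTP, RFC 4226), together with a constructed login check that requires both factors. The account record, password and salt are hypothetical; the TOTP secret is the test secret published in those RFCs, so the codes the script produces can be checked against the standard.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 publish test vectors for this ASCII secret, so the codes below
# can be checked against the standards. A real secret is random and unique per user.
RFC_TEST_SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Accept the current step and its neighbours (clock skew); compare in constant time."""
    candidates = [totp(secret, unix_time + k * step, step, digits) for k in range(-window, window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)

# Constructed account record (hypothetical user). The password is stored as a salted
# PBKDF2 hash; the TOTP secret is what the user's authenticator app was enrolled with.
SALT = b"constructed-salt"
ACCOUNT = {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", SALT, 100_000),
    "totp_secret": RFC_TEST_SECRET,
}

def login(password, code, unix_time, account=ACCOUNT):
    """Both factors are checked; a phished password on its own does not get in."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, account["password_hash"])
    code_ok = verify_totp(account["totp_secret"], code, unix_time)
    return password_ok and code_ok

if __name__ == "__main__":
    now = int(time.time())
    print("code right now:", totp(RFC_TEST_SECRET, now))
    # An attacker holding only the stolen password has to guess the six digits.
    print("stolen password + guessed code:", login("correct horse battery staple", "000000", now))
    print("password + code from the phone:", login("correct horse battery staple", totp(RFC_TEST_SECRET, now), now))
```

Run it and the code changes every 30 seconds. Without the enrolled secret, an attacker holding the stolen password has a one-in-a-million guess per attempt at a six-digit code, which is why services also rate-limit code attempts. One limit is visible here too: a code stays valid for the whole step plus the skew window, so anyone who gets you to type the current code into their page within that time has what they need. TOTP protects you against a stolen password, not against typing the code into the wrong place.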
Ultimately, you should think of your online safety as something that requires a multi-pronged approach. With a bit of prevention and attention, we can make sure the online world is a safe place to be.
[1] Source: Proofpoint’s 2021 research
[2] Source: Symantec’s 2016 Internet Security Threat Report