Checking your cyber security set up during the lockdown phase of COVID-19 is essential.
We are seeing so much kindness during the coronavirus pandemic, but sadly it has been a massive opportunity for cyber criminals. And I predict it will get worse still.
Many businesses will have already been attacked and won’t be aware of it for many months down the line.
The good news is that there are some simple steps you can take to improve your cyber security – and reduce the chances of your business becoming a victim of this type of crime.
Just last week I was told about a company MD who was a victim – he lost £20k. He was simply paying a new supplier, but all the bank details had been arranged over email.
Please remember – NEVER trust an email based simply on the sender’s address. There’s a simple fix in the last section of this blog entitled ‘How to avoid paying a criminal instead of a supplier’.
This month Sussex Police has reported phishing email scams that included fraudsters:
- claiming to be from a research group that mimics the Centers for Disease Control and Prevention (CDC) and the World Health Organisation (WHO). They claim to provide you with a list of active infections in your area, but to access this information you must click on a link, which takes you to a fake website that harvests (phishes) your personal and financial details
- providing articles about the crisis with a link to a fraudulent website, where victims are encouraged to subscribe to a daily newsletter for further updates
- sending investment scheme and trading advice, encouraging people to take advantage of the coronavirus downturn
- appearing to be from HMRC offering a tax refund and directing you to a phishing website
Why are you more vulnerable to cyber crime now?
With so many people now working remotely during lockdown – and it all happening pretty quickly – security has been lax. Business owners need to ensure that people can not only function at home, but also keep up their security practices.
For example, for speed and ease, team members have been sharing passwords, using the same password for multiple sites, using personal devices and not operating via more secure corporate systems.
You only need one person to have a breach and all shared passwords are at risk.
Sadly, I expect that a huge number of people and companies who have already been compromised may not even realise it for a few months.
And, this is just my hunch, but more criminals could well be turning to online crime because their traditional income streams are less profitable, if at all, during lockdown.
Immediate action you can take now for improving your cyber security
There are a few straightforward steps you can take to quickly gain some protection for both your business and you personally.
Here are my top cyber security recommendations, with some useful explanations and links below:
- Enable/turn on two factor authentication (2FA) on every account you possibly can (see more below)
- Update all your software and apps on all devices (this includes website software, themes and plugins too). If you are not on the latest release or update, your device could more easily be compromised
- Use a password manager to generate and remember numerous complicated passwords so you don’t have to (see more below)
- Check your antivirus software is up to date and ask an IT specialist about overall business security – particularly remote desktop connections, firewalls and similar (contact me for an initial chat). Another useful link if you want to do some general reading is the Small Business Guide to Cyber Security from the National Cyber Security Centre (NCSC) and their coronavirus guidance
- Check that the default username and password have been changed on all smart devices that use your internet connection (routers, wifi hotspots, printers, security cameras, and even things you may have forgotten are connected, such as new smart kettles or fridges)
- Check if you have already potentially been compromised and change those passwords. Sussex Police recommends visiting https://haveibeenpwned.com/
- Use a credit card or PayPal for online purchases, since you are more protected if the supplier is not legitimate
- Don’t click on any links or attachments in emails you don’t recognise, or where it doesn’t look like a typical email from that person. Some emails look very convincing, with company logos etc. (and the sender address may or may not be what it should be), but never respond to requests for your personal and financial details. You can usually hover your cursor over a link, without clicking it, to see where it actually leads
- Check your privacy settings on all social media sites and don’t share your address and date of birth online with people/companies you don’t know. There is a great (and scary) video clip about how easy it is to get hold of your details – even from just liking a Facebook page to get a free coffee
- Empty your downloads folder and recycle bin regularly. It’s easy to forget how much sensitive info is in these folders. Make a diary reminder to empty daily or weekly.
You can also read about cyber security for video conferencing and how to avoid ‘zoom bombing’ in my blog.
Two factor authentication (2FA)
Turn on 2FA wherever it is available in the account security settings of your sites and systems. (Sometimes called 2 step verification or multi-factor options.)
This would include all your social media accounts, your website content management system (CMS), your cloud-based accounting system (like Xero) and main platforms such as G Suite, Microsoft Office 365, your password manager tool, Paypal, Amazon etc.
Password Manager Tool
It’s so important that you don’t share passwords with anyone and use a unique password for every site and system you access.
And make those passwords as complicated as possible.
My advice for business related accounts is to use a password manager and DON’T save your passwords in your device’s browser or agree to ‘remember this login’.
This is because anyone with access to that device or the devices that are synced with it, can now access all your passwords.
For non-business computers, using the browser to save your passwords is definitely safer than using an easy-to-guess password or the same password everywhere. The following information from the NCSC is good advice for people who don’t want to learn how to use a password manager for their personal accounts:
“Using the same passwords for all your accounts makes you vulnerable – if that one password is stolen all your accounts can be accessed.
It’s good practice to use different passwords for the accounts you care most about.
Of course, remembering lots of passwords can be difficult, but if you save them in your browser then you don’t have to.”
80-90% of cyber attacks are due to password issues
Passwords of 8 or fewer characters are highly likely to be breached, and just adding a number or ! is not enough.
Swapping numbers for similar-looking letters does not make a strong password either.
Don’t use information that is easy to gather from your social media accounts, like your children’s or cat’s names, either!
What is the answer to not having to remember unique and complex passwords?
A password manager tool effectively enables you to remember just one password, or passphrase (i.e. a 3 or 4 word phrase, with spaces between the words), in order to open up a vault containing all the complicated, unique passwords.
While you are logged in, it will then autofill the login fields for any site you visit.
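As an added illustration of the password points above (this is not code from the original post), the following Python scores a few constructed passwords the way a guessing attack sees them: a dictionary word with number swaps or a suffix is scored as wordlist size times mangling rules, however long it is, while random characters and random-word passphrases are scored by their real search space. The word list, the one-million-word and thousand-rule figures are assumptions chosen for illustration.

```python
import math
import re

# Constructed stand-in for a cracking wordlist (assumption: real lists hold
# millions of words, which only strengthens the point).
COMMON_WORDS = {"password", "letmein", "welcome", "summer", "sussex", "fluffy"}

# Number/symbol-for-letter swaps, reversed. Guessing tools apply these as
# rules, so "P4ssw0rd" costs an attacker about as much as "password".
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"}

def normalise(pw: str) -> str:
    """Strip a trailing number/symbol suffix, undo leet swaps, lower-case."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)          # "Summer2020!" -> "Summer"
    return "".join(LEET.get(c, c) for c in core).lower()

def is_dictionary_based(pw: str) -> bool:
    """True when the password is a known word dressed up with swaps or a suffix."""
    return normalise(pw) in COMMON_WORDS

def brute_force_bits(length: int, alphabet: int) -> float:
    """Bits of entropy if each character were chosen uniformly from `alphabet`."""
    return length * math.log2(alphabet)

def passphrase_bits(words: int, wordlist: int = 7776) -> float:
    """Bits for `words` words picked at random from a list (7776 = diceware size)."""
    return words * math.log2(wordlist)

def effective_bits(pw: str, wordlist: int = 1_000_000, rules: int = 1_000) -> float:
    """Rough attacker's-eye strength (assumed wordlist and rule counts):
    dictionary-derived passwords score as wordlist x rules regardless of
    length; otherwise score by length and the character classes present."""
    if is_dictionary_based(pw):
        return math.log2(wordlist * rules)
    alphabet = sum(n for pat, n in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                    (r"\d", 10), (r"[^A-Za-z\d]", 33))
                   if re.search(pat, pw))
    return brute_force_bits(len(pw), alphabet)

if __name__ == "__main__":
    for pw in ("Summer2020!", "P4ssw0rd", "L3tm31n", "x7Qr!9Lm"):
        print(f"{pw!r}: {effective_bits(pw):.1f} bits")
    print(f"8 random lower-case letters and digits: {brute_force_bits(8, 36):.1f} bits")
    print(f"4 random words from a 7776-word list: {passphrase_bits(4):.1f} bits")
```

The output shows why a 4-word passphrase (about 52 bits) holds up while "Summer2020!" and "P4ssw0rd" both collapse to the same ~30-bit dictionary guess; the 8 random characters score well too, but nobody can remember dozens of them, which is the password manager's job.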
A great tool is LastPass – I’ve been using and recommending this for some years now. You can set up LastPass as an app on mobiles and tablets, as well as a browser extension on laptop/desktop computers.
My clients use LastPass for their business and personal passwords (you can have folders within LastPass that only certain people can access.)
Read a LastPass case study for a Sussex-based bookkeeping business that I worked with when I was at Flying Fox IT (which also features on LastPass’ website).
For a business team of 5-50+ users, there are packages from £3.07 to £6.14 per user per month.
There is a free version for one user that you can try out personally.
And finally – in terms of cyber security, remember to have 2FA set up on LastPass too!
How to avoid paying a criminal instead of a supplier
You may or may not have email security solutions in place to detect and block phishing emails, but even if you do, some human intervention is required in this scenario.
You and your team need to have a business process that ensures that every time a supplier, customer or business partner asks to change a bank account number, you telephone them to confirm this is correct.
Don’t leave it all to email communications. This phone check is a simple and effective way to minimise the risk of this fraud.
While everyone is working from home it is more important than ever to be vigilant against the threat posed by all types of phishing emails.
I hope all these cyber security tips help you to feel you can keep safe from an IT perspective during COVID-19 and beyond.