Data Hacks and Phishing Attacks

What are they and how can you protect your business?

All businesses should take steps to protect themselves online, in order to protect their data, reputation and revenues from cyber-attacks.

This is especially true when businesses have changed their ways of working in response to the Coronavirus outbreak, potentially exposing themselves to a greater risk of cyber-crime.

Cyber-crime comes in many forms but hacking and phishing – using fake emails to get security information – are among the most common.

Here’s a basic guide on how to ensure your business is protected against these two threats.

Simple steps to avoid being hacked

Unfortunately, organisations and businesses of all types and sizes are at risk from data hacking, with larger companies often making the news headlines when a hack occurs. For example, this summer came the news that universities in the UK, US and Canada had student data stolen after hackers attacked a cloud computing provider.

But the problem is more widespread than the headlines might suggest. In the 2020 UK Government Cyber Security Breaches Survey, almost half (46%) of businesses had identified cyber security breaches or attacks in the last 12 months.

The extent to which companies are taking action to deter hacks varies. For example, according to government research, businesses in the food and hospitality sector are among the least likely to have some basic rules or controls in place.

Here’s a reminder of some easy to implement steps to get started and help keep your business protected.

Passwords

Most businesses have basic password policies in place. But it’s important that all staff are aware of them. So, if you ensure everyone is well trained in password creation and protection, your business as a whole is likely to be safer from hackers.

At its most basic, training staff to be cyber-secure means making sure they always use strong and unique passwords for all business accounts. These can be stored using an online password manager, so they never need to be written down or shared by email.

Also, take steps like limiting how many people have access to your systems and data.

Up to date software, firewalls and antivirus systems

Make sure your apps and operating systems are up to date. Likewise, ensure firewalls and antivirus systems are in place on all devices, kept up to date and using the right settings; this is particularly important because cyber-attacks are constantly changing, so your defences must adapt too.

To try and stay one step ahead, consider signing up for the free Action Fraud Alert service to receive information about recent scams and fraud.

Regularly back up data

All businesses should make regular backups of any important data, and make sure that these backups are recent, secure and can be restored.

The majority of network or cloud storage solutions now allow you to make backups automatically.

Phishing attacks and steps to avoid them

The National Cyber Security Centre (NCSC), part of the Government Communications Headquarters, warns that all businesses, big and small, will be at the receiving end of phishing attacks at some point.

Broadly, phishing is when scammers use emails to trick you into giving them sensitive information. Common phishing tricks targeting companies include bogus emails that can look remarkably authentic and fool staff into transferring money or information.

The NCSC warns that phishing emails are getting harder to spot. But there are steps you can take to minimise the risks.

Reduce the damage

Give your employees the lowest level of user rights required to do their jobs, so if they are the victim of a phishing attack, the potential damage is reduced.

‘Administrator’ user accounts may be of particular interest to attackers, as they have the privileges to change security settings, install software and hardware, and access all files on the computer. So, limit administrator accounts to those who really need them and discourage people from using these accounts to check their emails or browse the web.

Use two factor authentication

Two factor authentication adds an extra step to log-in procedures, by requiring two types of information from the user.

If all staff use two factor authentication across business accounts, then even if an attacker knows a password, they won’t be able to access the account.

Train staff to spot unusual requests

Successful phishing attacks depend on a bogus email, which can sometimes be very sophisticated and convincing, persuading a user to click on something they shouldn’t.

So, ensure your staff have had training to help them spot phishing attacks – for example, if they get an email from an organisation that they don’t do business with, they should treat it with suspicion.

This can be very challenging, but signs of phishing scams include poor spelling, grammar and punctuation, and urgent wording such as ‘send these details within 24 hours’.

Report all attacks

Encourage users to report any emails that they’re unsure about, even if they have already clicked on them.

If you believe that your organisation has been targeted, report it to Action Fraud, the UK’s national fraud and cyber-crime reporting centre.

Get Support

These are just basic steps to get you started in your journey towards creating a more secure business. But there is much more that you can do.

We have partnered with cyber and privacy experts CyberScout to offer our small business and small farm customers free access to a 24/7 cyber helpline until 31st December 2020.

The helpline provides services such as guidance on managing cyber risks during the Coronavirus outbreak, or support following a cyber incident in your business. Call 0800 069 8203, ensuring you have your NFU Mutual business policy number to hand.

What you need to know

This is a helpline advice service only, provided by CyberScout on behalf of NFU Mutual for customers who do not have a commercial cyber policy, with an annual turnover up to £3 million and fewer than ten employees. When you call, the scope of your cyber query or incident will be assessed in your initial consultation with CyberScout. If the team are unable to resolve your query over the phone, you will receive a full quotation from CyberScout to liaise directly with them and access the full range of services and support available.

It is not an insurance cover, and any additional costs and support are not covered by NFU Mutual, nor are these costs recoverable under your NFU Mutual insurance policy.