It’s Cyber Smart Week, and while it’s important to always keep cybersecurity in mind, it’s a good idea to take a few minutes this week to review your online safety practices.
The theme of Cyber Smart Week this year is ‘Protect Yourself Online’, which aims to bring cybercrime out of the shadows and put cybersecurity in the spotlight.
Small businesses are a growing target for cyber attacks. One in four New Zealand and Australian small and medium businesses were victims of cybercrime in 2017 (per the Norton SMB Cyber Security Survey 2017).
The primary attack channel is email. These attacks can take several forms, and it’s important to be educated about how to identify a hacking attempt.
Phishing to steal online banking or cloud accounting credentials
The standard ploy here is to send an email that looks like it’s from a well-known website, with a login button which redirects to a legitimate-looking, but fake, website, prompting you to login. The credentials the hackers obtain can then be used to access your account, potentially providing access to financial or other sensitive information that can be used for fraud or other crimes.
The information stolen from a compromised website can be used in a ‘brute force’ attempt to access a range of other sites or systems. Put simply, now that hackers know your username and password for one site, they try to use that same information on a range of other sites, too.
Business email compromise
This has several different iterations. A legitimate email from a legitimate business requesting payment for legitimate goods or services can be intercepted, edited with a different bank account number and sent on to the customer, who then pays into the fraudulent bank account.
These campaigns have been on the rise, largely targeting the building industry in New Zealand and Australia, and solicitors, trusts and real estate in the USA.
Another example is ‘spear phishing/whaling’, where a hacker compromises or spoofs (impersonates) an executive’s email account and sends an email with payment instructions to the finance team. If the fraud is not detected, the business then pays money into a fraudulent bank account.
So, how do we stay safe against these hacking attempts?
Set strong, unique passwords for each service
Hackers can crack a weak password in minutes so it’s essential that you have strong, long passwords. It also important to use a different password for each site. Having a unique password helps prevent a compromise of one login becoming a compromise of many. Using personal information as your password is also a big no-no.
Using your name, your pet’s name or your birthday should be avoided at all costs as hackers can easily find this information online (especially through social media). To create a strong password use numbers, letters and symbols and make sure it is at least 10 characters long.
Password manager software can help you manage your multiple logins and make it easy to maintain good password practices.
Use two factor or multi-factor authentication
Two factor or multi-factor authentication is like having a second lock for your front door. This means you need to present at least two separate items to gain access.
These could include a password and entering a unique code that is generated by an app on your smart device or sent to you by text (SMS). 2FA is excellent as it adds an extra line of defence when you login online and significantly reduces the risk of anyone getting access to your account.
Be aware of security risks
One of your best defences against email scams is to be vigilant about what the threats are. If an email looks in any way suspicious, don’t open it, don’t open any attachments, don’t click on any links or buttons. Get in touch with the apparent sender to clarify its legitimacy.
Banks and other reputable websites will never ask you for your login credentials. Many organisations run a security noticeboard on page on their website to warn of phishing and scams exploiting their brand.
Keep your software and operating system up to date
Cyber threats are changing all the time so it is important that you keep abreast of updates. Up-to-date operating systems and apps are your first line of defence against many bugs and viruses.
Updating operating systems is one of the easiest ways to protect yourself. Just make sure that when an update for an app or your OS pops up on any of your devices, install it right away. You can even set your system preferences to install updates automatically. Then you don’t have to think about it.
Check your privacy settings
Consider what you share on social media as hackers can use your personal information to steal your identity or get into your online accounts. Ensure that your privacy settings are set so that only your friends and family can see your details.
Another thing to keep in mind is that some websites ask you to set some account recovery questions in case you forget your password. Make sure the answers to these aren’t posted online or on social media – for example, the school you attended.
Article by Xero's Paul Macpherson.