Don’t think that it is not happening here.
Australian SMEs are suffering a massive number of cyber-attacks: Trend Micro, a major security organisation, reported over 200,000 ransomware attacks in April and May last year, more than in any other country in the world apart from Japan.
Ransomware, fake invoices and email scams can cost an average of $1.9 million a hit for companies with 100 to 500 employees, according to a recent survey of 600 IT decision makers by internet security company, Webroot.
These are only direct costs and don’t include reputational damage. As mentioned before, this month the Notifiable Data Breach Scheme will force companies to report cyber-attacks to their customers and business partners.
Security is no longer just the IT department’s problem. Hackers regularly target organisations with Trust accounts for obvious reasons. Every employee is a potential entry point for a hacker to access internal systems. So what should you do?
1. Be aware
Sometimes the simplest checks are best. Your accounting team should always ask: “Is there anything suspicious about this email?” Giveaways of phishing (fake) emails include spelling mistakes and a missing or incomplete signature. If the sender is not known, always check the email header to see the domain of the server that actually sent the message, because sender names and email addresses are easily faked. If unsure, do not click on links. Check the organisation and see whether there is a telephone number to call, or Google the organisation.
We came across one organisation whose supposed supplier sent them an admin email, months before they usually transact, with a change of bank account details. If they had called their supplier to check, they would not be down by about $500,000 months later, which will never be recovered... lost forever.
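The header check described above, as an added example that is not part of the original article: a small Python script that reads a constructed (not real) message and reports when the Return-Path, Reply-To or the receiving server's Received line point at a different domain than the address shown in From. The domain names and hosts in the sample are assumed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email). The From line claims to be a
# known supplier, but the envelope sender and the server our own mail gateway
# received it from belong to a different domain.
SAMPLE_EMAIL = """\
Return-Path: <billing@mailer.example.org>
Received: from mail.mailer.example.org (mail.mailer.example.org [203.0.113.10])
\tby mx.customer.example.com with ESMTP id abc123
\tfor <accounts@customer.example.com>; Mon, 05 Feb 2018 09:12:31 +1100
From: "Acme Supplies Accounts" <accounts@acme-supplies.example.com>
Reply-To: accounts-update@mailer.example.org
Subject: Updated bank details for invoice 4471

Hi, please note our new account details...
"""

def domain_of(address):
    """Lower-cased domain part of an email address, or '' if none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def received_hosts(msg):
    """Server names from the 'from <host>' part of every Received header.
    Only the line added by your own server is trustworthy; the sender can
    forge any Received lines that appear below it."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def header_warnings(raw):
    """Return a list of reasons the sender claims in this message look inconsistent."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    warnings = []
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        warnings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    for host in received_hosts(msg):
        if not host.endswith(from_dom):
            warnings.append(f"Received from server {host}, not a {from_dom} host")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return warnings
```

A message with no warnings is not proof of legitimacy (a compromised supplier mailbox passes every check here), which is why the phone call in point 4 still matters.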
2. Social requests can be a worry
Double-check connection requests on LinkedIn. If the name, occupation and location are not familiar to you, then reconsider whether to accept. It may be flattering to amass a large social following, but this is also a first step to infiltrating your company.
When you connect to someone on LinkedIn, they can see your email address by default (this can be switched off). Most software uses the business email address as the username, so a hacker now has half the login details. If an employee uses the same password at work as in their personal accounts, they are very susceptible to a hack. For example, Yahoo revealed that hackers had gained access to most passwords of its three billion accounts. A hacker can search the stolen database, match the name, get the password and, with the email address from LinkedIn, log in to your account.
A first-level LinkedIn connection can also search your contacts for the name of the CFO or other key personnel. Targeted attacks, where fake emails are addressed to targets by name, are called spear-phishing and can be very effective.
3. Get clever with your $ processes
What is one way to check that the urgent invoice from your CEO asking to pay $100,000 immediately is legit? Pick up the phone and call to confirm. Even if they are travelling.
Clever hackers will monitor the CEO’s movements and send money transfer requests just before they board an international flight. A hacker can add “I can’t attend to this because I’m overseas” to give context, which adds legitimacy to the request.
It doesn’t take much to confirm with the CEO via a quick text message to their mobile. If it’s a large amount, then make the phone call and get verbal confirmation. It is possible to spoof SMS messages, but nearly impossible to fake a spoken conversation. A second pair of eyes on transactions will also increase the chance of spotting a suspicious error.
4. Call suppliers to confirm new invoices or when you get a request to change bank accounts.
Create a policy for the finance team to call new suppliers before they pay the first invoice. Don’t call the number on the invoice itself: hackers are very enterprising and can pay someone to act as a receptionist. Even if the email address, email signature and logo appear to be genuine, the phone number may be fake. Look it up online and make sure you’re on the correct website. The supplier should be listed in Google Maps or other directories.
5. What is an e-invoice service?
One way to eliminate fake invoices is to use a third party to authenticate them. Link4 takes invoices from one accounting program such as MYOB and automatically enters the details in a different program such as Xero or QuickBooks Online. The service requires the supplier and the customer to sign up separately. Once connected, the supplier can send invoices directly into the customer’s accounting software.
Xero has created an internal network for sending and receiving invoices between two companies on Xero, using a network key to validate the connection. If the finance team knows that all invoices for that supplier appear automatically in Xero, then any invoice from that supplier arriving by email should automatically be treated as suspicious.
6. Use 2 people to make a payment.
Remember when we used cheques? Businesses often required two signatories to withdraw money. The same process should be followed for online banking. Many banks can set up safeguards for two authorisers to approve payments over a certain amount. Newer banks such as Tyro are more sophisticated in permissions. When the finance team makes payments, Tyro automatically notifies the business owner or manager with an alert on their mobile phone. They then swipe to approve each invoice directly.
7. Many banks use multi-factor authentication
Multi-factor or two-step authentication should be a mandatory policy – definitely on your online banking and accounting software, but also on business software you use regularly. It usually involves sending a time-sensitive SMS code or using an authentication app on your mobile phone.
Some banks still use dedicated tokens to provide the second piece of authentication. These little gadgets attach to your keyring and display a randomly generated number to supplement your password. We use these.
8. Don’t rely on default protection
Cloud productivity software is better protected than the desktop equivalent, because it has anti-virus scanning built in. Any email sent through Microsoft Office 365 is checked to see whether it is carrying malicious code, and if it is, access to the attachment is blocked. However, companies shouldn’t rely on these default settings. Microsoft has taken it a stage further with Advanced Threat Protection. This is a must for all organisations and something Microsoft alone spent US$1B on in 2017. Ask us how to set this up.
A phishing email may contain a link which directs the receiver to download a file from a website directly. For a few dollars a month per employee, you can subscribe to the ATP security module, which opens attachments in a “sandbox”. The software checks the attachment and only gives access if it is free of malware. Neat.
9. Continuous validation through simulations which we organise
How aware is your team?
It is good practice to train your staff to recognise phishing emails and other cyber-security attacks. It is better practice to continuously validate how well they follow the recommendations. One subscription service simulates a phishing campaign by sending one fake email a week to your finance team. The emails look genuine, but if an employee clicks on it, the email displays a message explaining it was against policy to do so or a reminder that these types of emails are dangerous.
Free testing services include Trend Micro’s Phish Insights. Paid services include Shearwater’s Phriendly Phishing and Phishingbox. You can find more phishing simulation services here.
10. Monitor staff behaviour changes as they might be leaving
There is evidence that the social behaviour of a person in the 2 to 3 weeks leading up to their resignation changes dramatically. The volume of email may increase or decrease, or the frequency of logins to a particular website may alter. That employee could be planning on taking company secrets with them.
Another red flag is when a hacker obtains the identity of a legitimate employee and infiltrates the corporate network. Behavioural software flags the activities of the fake employee as suspicious because they differ from the usual pattern. Consider installing apps that analyse employee behaviour. Apps such as Blindspotter, Veriato and Splunk use algorithms to detect changes and alert IT staff.
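The kind of baseline comparison these behavioural tools perform, as an added example that is not part of the original article or of any of the products named: it counts each user's logins per day from a constructed (not real) log and flags a user whose latest day deviates sharply from their own earlier days, in either direction. The log format, user names and the 3-standard-deviation threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not real data): "<ISO timestamp> <user> <event>".
SAMPLE_LOG = """\
2018-02-05T08:12:03 alice login
2018-02-05T17:40:11 alice login
2018-02-06T08:05:44 alice login
2018-02-06T13:02:19 alice login
2018-02-07T08:10:02 alice login
2018-02-07T18:01:57 alice login
2018-02-08T02:13:40 alice login
2018-02-08T02:20:05 alice login
2018-02-08T02:31:58 alice login
2018-02-08T03:04:22 alice login
2018-02-08T03:15:49 alice login
2018-02-08T03:40:10 alice login
2018-02-05T09:00:00 bob login
2018-02-06T09:01:00 bob login
2018-02-07T09:03:00 bob login
2018-02-08T08:58:00 bob login
"""

def daily_login_counts(log):
    """Map user -> {date: number of login events} from the log text."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        ts, user, event = line.split()
        if event == "login":
            counts[user][ts[:10]] += 1
    return counts

def flag_anomalies(log, threshold=3.0, min_days=3):
    """Return {user: (date, count, baseline_mean, z_score)} for users whose most
    recent day is more than `threshold` standard deviations from their own history."""
    flagged = {}
    for user, per_day in daily_login_counts(log).items():
        days = sorted(per_day)
        if len(days) <= min_days:
            continue  # not enough history to establish a baseline
        baseline = [per_day[d] for d in days[:-1]]
        latest = days[-1]
        # Floor the spread so a perfectly regular history (stdev 0) still gives
        # a finite score and a one-login wobble is not reported as an anomaly.
        spread = max(pstdev(baseline), 0.5)
        z = (per_day[latest] - mean(baseline)) / spread
        if abs(z) > threshold:
            flagged[user] = (latest, per_day[latest], mean(baseline), z)
    return flagged
```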
Go Systems is very aware of the security needs of the modern enterprise and can assist you with getting it right.