Last year, over one billion pounds (£1,079,447,765) was reportedly lost by businesses to online crime, with each police force in the UK recording an average of £19,626,323 in losses in their area (1). Far from being an insignificant amount of money, these statistics reveal the true impact online crime has on many businesses' bottom line.

In reality, the amount of losses could be even higher as not all organisations choose to report the money that's been stolen to the police.

Unfortunately, when it comes to cybercrime, too many businesses fail to learn lessons from other companies' misfortune. They fall into a false sense of security and assume they won't be a target, so don't do enough to protect themselves until it's too late. Taking this risk is by no means worth it, as the consequences of failing to protect themselves can damage the reputation of the company and of the employees involved. What's more, businesses have more to lose than the initial cost of these crimes, as they could also be fined for breaking data protection rules.

One of the main problems businesses face is hacking. It comes in a variety of forms, but remains one of the most widely reported types of fraud in the past 12 months, with 1,314 reported cases across the UK (2). Without the appropriate mechanisms in place, fraudsters can hack into business servers, an employee's personal computer, or even access email and social media accounts to obtain private information.

In order to keep hackers at bay, businesses should make sure that all operating software, application software, mobile apps and web browsers are kept fully up to date. This is important because the latest versions may contain vital security updates that help keep sensitive data safe. They should also look to increase protection on their networks from external attacks, including wireless ones, by using firewalls, proxies, and access lists.

Businesses can also look to put a set of policies in place to help ensure that data is kept safe. These can cover restricting employee and third party access to certain IT equipment, systems and information. The use of removable media such as USB drives, CDs, DVDs and secure digital cards can also be restricted, as they are often lost or 'misplaced'. Losing them might result in the loss of important data, and infected media can leave the company at risk from viruses.

While building all the necessary technological defences is extremely important, it is vital that businesses also look beyond these and encourage staff to change their behaviour in a way that helps protect company data. With the rise in mobile working, some businesses are struggling to control how devices and company information are used outside of the office walls. Refreshing company policy can go a long way to controlling this.

Data should be accessible only to authorised users, and should be encrypted when stored or transmitted online. Businesses can also introduce guidelines specifically on safe mobile working for employees, taking into consideration the use of unsecured Wi-Fi hotspots, 'shoulder surfing' in public places and contingency plans for lost or stolen devices. Some employees may even be tempted to use their own devices for their work, so businesses need to have a proper BYOD (Bring Your Own Device) policy in place to ensure data is sufficiently protected.

While policy documents are important, bringing them to life through ongoing employee education and awareness training is equally important. This can help you ensure that staff across the board recognise the importance of keeping company data private and their specific role in keeping the business secure. A substantial amount of attempted fraud against businesses is successful due to lack of knowledge or sloppy habits by employees.

What's more, something that nearly half (43%) of us in the UK are guilty of is using the same password across multiple online accounts (3). These kinds of habits don't just stay at home, but are brought to the office. Password reuse on personal accounts could extend to company email addresses, which, if compromised, could expose important confidential information not just about your employee, but about the business as well.

Businesses need to stay constantly vigilant as cyber criminals become more sophisticated. Mandate fraud, which in the last year increased by more than two thirds (66%) (4), occurs when a fraudster pretends to be a company you would normally make regular payments to, but asks victims to change the details of their direct debit or standing order. These can be highly targeted attacks, perhaps even using the official email address of a supplier you trust to catch you out. It's cases like this that continue to highlight how important it is not to rely solely on technology to protect your business, but also to ensure that your staff have sufficient training and support to help them spot these types of scams.

These threats aren't only external though, as fraudsters may also use internal channels to trick employees into giving away information and money. In cases of CEO fraud, employees are tricked into making a payment because someone more senior to them has had their email compromised. In this case junior employees will receive an email purporting to be from someone superior, asking them to send money, data or information to the fraudsters. As well as educating employees to spot this sort of tactic, encouraging them to double check with colleagues on the phone or face-to-face before making the transaction can also add a layer of protection.

Corporate employee fraud is another type of fraud companies should be careful to protect themselves against, and is listed in the top ten most reported crimes by businesses in the last 12 months. This is where employees or ex-employees have obtained property or compensation through fraudulent means, or by misusing corporate cards and expenses. Corporate employee fraud is on the rise (5), and it goes to show how vital it is for all businesses to provide their staff with the right tools and training to be able to identify signs of fraud or suspicious activity. They also need guidelines in place to facilitate whistleblowing, before it's too late.

Hopefully, with more businesses using policies like this and training their staff sufficiently, we'll start to see more organisations reporting online crime. To tackle this issue head on, however, businesses need to review their own skills and knowledge, determine if they need outside help, and then create measures to prevent, detect and respond to potential security threats. It's all about education, and staff must be made aware of cybercrime and trained to prevent it.

Get Safe Online recommends that all businesses ensure that at least the following basic measures are in place to protect their organisation from online crime. Comprehensive expert, impartial, practical, free advice can be found at www.getsafeonline.org/business.

If you think you have been a victim of fraud, you should report it to Action Fraud, the UK's national fraud reporting centre, by calling 0300 123 20 40 or by visiting www.actionfraud.police.uk.

1 Crimes reported to the NFIB between 31st March 2015 - 31st March 2016

2 Crimes reported to the NFIB between 31st March 2015 - 31st March 2016

3 Survey conducted by Censuswide on behalf of Get Safe Online in 2016 with 2,000 UK adults

4 With 2323 reported cases to the NFIB between 31st March 2015 - 31st March 2016 compared to just 1403 the year before

5 1440 cases reported to the NFIB between 31st March 2015 - 31st March 2016