Policy Monitor

Covid-19 related cyber scams – 3 ways SMEs can better protect their business

Cyber criminals are exploiting concerns over Coronavirus to perpetrate cyber-attacks. Guy Lloyd at Policy Monitor explains the 3 steps SMEs can take to proactively protect their business and their data.

The coronavirus pandemic has taught us the importance of hand hygiene and now there is a need for greater cyber hygiene. As our day-to-day lives have changed, so too has the security threat landscape. With many workers remotely accessing vital business applications from home, security risks have inevitably increased. Cyber criminals have no morals or ethics and don’t stop their activities even for a global pandemic. In fact, attacks have stepped up as the bad guys find ways to exploit our fears to perpetrate cyber-attacks.

It’s time to get proactive and here are 3 steps businesses can take to protect themselves.

  1. Educate Employees

Employees are the best and first line of defence, which is why regular security awareness training is vital.

Employees should be trained in what to look out for to help prevent a variety of breaches, the most common of which are phishing scams. These are fake emails sent to millions of people asking for sensitive information (such as bank details) or containing a link to a rogue website.  Google announced that during April 2020, it prevented 100 million phishing emails daily from reaching their targets. More recently, they have seen 18 million daily malware and phishing emails related to COVID-19.  UK’s National Cyber Security Centre and the US Department of Homeland Security issued a joint advisory and the NCSC said it has spotted more UK government branded scams related to the disease “than any other subject”.   Phishing emails are becoming harder to spot and will get past even the most observant employee.

Therefore, educate employees to identify the techniques phishers use in emails. This can include urgency or authority cues that pressure employees to act quickly without double-checking. Ensure employees know the company’s policies and processes, this will make it easier to spot irregularities.  Have a process advising employees of what to do if they accidentally click on a phishing link or enter details into a website. It can happen to the best of us, so avoid blame and just have clear steps ready, outlining what to do.

  1. Ensure all employees are aware of data compliance processes

More businesses are operating online due to the coronavirus and now is the time to review data practices and assess how remote working may impact them. Transitioning from office-based to remote working is new for many employees and they may not be aware of what security measures they should be taking:

  • Encourage employees to use strong and complex passwords for each device and application they use. Ensure that employees don’t use their private passwords for company applications. They should instead use complex but memorable passwords, for example three connected words meaningful only to them.
  • Only give employees sufficient access to applications and devices for them to perform their role. Extra permissions should only be granted to those who need them.
  • Advise employees to lock devices after use or if they step away from their working desk.

Size is irrelevant when it comes to a data breach, big organisations may make the headlines but SMEs are statistically more likely to be targeted. A recent report from insurer Hiscox, revealed a sharp increase in reported cyber-attacks year-on-year among small firms (from 33% to 47%) and medium-sized businesses (36% to 63%) across UK, Europe and the US. It is important to educate employees and embed data protection and data security into the company’s processes and procedures.

May 2020 marks the 2nd anniversary of the introduction of the EU General Data Protection Regulation (GDPR). Since the legislation was launched, many organisations have put effective data processes in place should the inevitable breach happen. EasyJet is the latest high-profile victim of a cyber-attack resulting in a data breach. EasyJet has admitted that a “highly sophisticated cyber-attack” has affected approximately nine million customers. Email addresses and travel details have been stolen and 2,208 customers have also had their credit card details accessed.

All business owners need to get proactive in protecting their data and that of their customers and suppliers. In the event of a breach your organisation will need to demonstrate that it ensured appropriate security was in place to protect its own and other people’s data. It is not a matter of eventually getting around to it – it’s a legal requirement and failure to comply comes with a hefty fine from the Information Commissioner’s Office (ICO).

  1. Be security aware – become certified

Becoming certified with an accredited scheme provides a practical framework for an SME to assess its current cyber security and compliance levels. Certification also demonstrates to customers that the company takes cyber security seriously. It can also attract new business with the assurance that cyber security measures are in place.

Certification lays the foundation to developing policies and procedures to mitigate against threats that can impact business operations. In the UK, certification can be achieved through Cyber Essentials, a low-cost, government and industry backed scheme to help all organisations protect themselves against common cyber-attacks. In collaboration with Information Assurance for Small and Medium Enterprises (IASME), it sets out basic technical and compliance controls for organisations to use which are annually assessed.

Make yourself a harder target to attack

Being fully Cyber Essentials compliant is said to mitigate 80% of the attacks faced by businesses. It aims to provide businesses with a strong base from which to reduce the risk from these prevalent cyber-threats, therefore, making your business a tougher target.

The process to becoming and remaining certified can seem daunting but it doesn’t need to be. Using an online information security management system (ISMS) that incorporates GDPR and Cyber Essentials is a simple and cost-effective way to carry out a gap analysis and highlight the areas that your business needs to focus on.

Policy Monitor’s cyber-security solution, CSPM, is a virtual online security officer designed to deliver these quick wins by guiding you through a staged approach to compliance and certification.

We may be living in uncertain times however your business can stand out from the crowd for all the right reasons. At less than the cost of a daily coffee you can proactively protect your organisation against a whole range of the most common cyber-attacks with Policy Monitor. To read more, download our recent white paper entitled “Small Business and Cyber Security” by visiting http://www.Policy Monitor.ltd

[i] https://www.bbc.co.uk/news/technology-52319093

[ii] NCSC Joint Advisory COVID-19 exploited by malicious cyber actors V1.pdf

[iii] https://www.hiscox.co.uk/cyberreadiness

[iv] https://www.ncsc.gov.uk/news/easyjet-incident

[v] https://www.ncsc.gov.uk/section/products-services/cyber-essentials

About Policy Monitor Ltd.

Policy Monitor is a cybersecurity company founded by experts with extensive experience in operational and risk management.  The company has offices in London (UK) and Policy Monitor’s flagship solution – Cyber Security Policy Manager (CSPM) is a policy management system that incorporates GDPR, US NIST and UK CE cybersecurity standards to guide organisations through complex, emerging safety procedures and protocols, improve their online security and reduce the risk of cyber threats.

For more information, please visit www.policymonitor.co.uk

Press contact: Mary Phillips/Andreina West

PR Artistry Limited

T: +44 (0)1491 845553

E: mary@pra-ltd.co.uk