Q3 2021

With cybercrime costing the UK economy £27bn a year, financial fraudsters commonly target routine activities that SMEs undertake. Scam texts, emails, and messages purportedly come from third parties such as banks, broadband providers and government agencies like HMRC, encouraging businesses to take action, while other scams exploit vulnerabilities such as the purchase of sub-standard goods and services from fraudulent websites. The problem has been exacerbated by remote working, digitalisation strategies, and criminals exploiting system vulnerabilities.

Being savvy

While it is impossible for businesses to remove the challenge of ‘human error’, which is a leading cause of money lost through fraud, training can help reduce its frequency. Encouraging employees to question what they are seeing, check the source and legitimacy of requests for payment, and teaching them the major signs of cyber attacks can all help reduce the overall value of money lost to fraudsters.

In particular, digital crime poses a mutable threat to businesses in many different forms, including computer viruses, hacking, theft of data, and theft of financial information. Businesses holding personal data, and those where staff use personal devices for work, are at increased risk and are where breaches tend to be identified most often.

Examples of cybercrime

‘Phishing’ is just one of the various techniques used to steal information, where attempts are made to trick victims into clicking a bad link that can download malware or direct the recipient to a website that requests personal passwords or account details. These attacks can be made via email, text, social media or by phone.

‘Smishing’ involves receiving text messages impersonating other organisations to trick people into giving away sensitive details, while ‘spoofing’ can make a message appear within a chain of genuine messages from that organisation.
The latter is commonly used to raise faux invoices which are then paid by unaware financial teams.

Helping SMEs fight back against cybercrime and fraud

So, what can SMEs do to protect themselves against the rising problem of digital scams?

• Undertake a self-assessment
Undertaking a cyber security risk assessment and reviewing cyber security risks posed by suppliers is a recommended starting point for businesses. The NCA offers a useful guide which highlights areas for improvement to help prevent cyberattacks.

• Strengthen passwords
Employees using weak passwords, or the same password across multiple accounts, means more risk of data becoming compromised. The National Cyber Security Centre (NCSC) recommends using three random words to create a strong, unique password that is more memorable.

• Secure social media profiles
Although social media can be an effective tool for SMEs to communicate and update clients, it’s vital to be wary about how much information is shared on a public platform. Ensure regular checks and reviews of privacy settings – it is not always obvious, but updates can affect settings and make unwanted changes.

• Raise staff awareness
Make staff aware of the risks when opening emails and texts, especially if the sender is not known. If one isn’t already in place, consider having a business continuity plan that covers cyber security, with policies that cover home working and the use of personal devices for work. With more businesses using smart devices in workplaces, this opens a potential new area of cyber risk for organisations to address. Testing staff, for example through mock phishing exercises, is another effective way to practise vigilance and actively minimise risk for SMEs.

• Back up data
Regular backing up of documents and data is crucial and reduces the risk of wiping out everything due to a virus or a ransomware attack. This should be done in at least one place, whether online or offline.

Being a computer expert is not essential to reduce the chances of businesses falling victim; however, practising due diligence and regularly reviewing and maintaining online security measures are.

Further information

Any SMEs experiencing a live cyberattack (in progress) should call the police at any time on 101 and report the attack to Action Fraud on 0300 123 2040 immediately. For more detailed information on cybercrime, click here. Support, advice and resources are also available online at The National Cyber Security Centre (NCSC) and The National Crime Agency (NCA).