How to Stay Safe When Working from Home


Staying Safe Whilst Working from Home

For many businesses, working from home (WFH) looks like it is here to stay even after the COVID-19 pandemic is over. Companies are typically moving to a hybrid model in which staff split their week between home and the office. Cybercriminals are, as usual, quick to exploit any weakness the new arrangement opens up, so it is important to make sure your security controls match the way people now work.

Train your employees on cybersecurity – phishing email and passwords

It is vitally important that all employees are trained in the basics of cybersecurity, and this matters even more when they work from home, because additional risks come into play: a home network you do not manage, shared or personal devices, and no colleague at the next desk to ask whether an email looks right.

Phishing emails are a common technique that cybercriminals use to get into your network and steal your data, so training your employees to recognise the signs of phishing is very important. It is also worth running refreshers on password creation and security, making sure passwords are both strong and unique, and never reused between work and personal accounts. Passphrases are a good method: either three or more unrelated words, as the NCSC recommends, or a mnemonic such as the first letter of each word of a song lyric with numbers and special characters added. A password manager removes the need to remember any of them.
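To make the strength comparison concrete, here is an added Python example (not code from the original article) that generates a passphrase from a word list using a cryptographically secure random choice and estimates the entropy of a random-word passphrase against the song-lyric mnemonic described above. The word list is a small constructed one for illustration; the EFF long list size of 7,776 words is an assumed figure for the comparison.

```python
"""Passphrase generation and entropy estimate (added example; not from the original article)."""
import math
import secrets

# Constructed mini word list for illustration only. A real deployment would use a
# published list such as the EFF long list (7,776 words, ~12.9 bits per word).
WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "glacier", "harbour",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]
EFF_LONG_LIST_SIZE = 7776   # assumed size of the EFF long word list


def passphrase(words: int = 4, wordlist=WORDS, sep: str = "-") -> str:
    """Pick words uniformly with the OS CSPRNG (random.choice is not suitable for secrets)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int = EFF_LONG_LIST_SIZE) -> float:
    """log2(N ** k): each of k words is one of N equally likely choices."""
    return words * math.log2(wordlist_size)


def mnemonic_entropy_bits(length: int, alphabet_size: int = 26) -> float:
    """Upper bound for the 'first letter of each word in a lyric' method.

    Real lyrics are far from uniform (common letters, guessable songs), so the
    true figure is lower; a couple of added digits and symbols help only a little.
    """
    return length * math.log2(alphabet_size)


def compare(lyric_letters: int = 8, words: int = 4) -> dict:
    """Side-by-side estimate: an 8-letter lyric mnemonic versus four random words."""
    return {
        "lyric_mnemonic_bits": round(mnemonic_entropy_bits(lyric_letters), 1),
        "random_words_bits": round(passphrase_entropy_bits(words), 1),
    }


if __name__ == "__main__":
    print(passphrase(), compare())
```

The point of `compare()` is that four words drawn at random from a large list (about 52 bits) comfortably beat an eight-letter mnemonic even on the generous assumption that every letter is equally likely, and the words are far easier to type and remember.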

Use a VPN

A Virtual Private Network (VPN) creates an encrypted tunnel between the home device and the office network and is essential when working remotely. If you access your network remotely without one, for example by exposing Remote Desktop or file shares directly to the internet, you are leaving yourself open to attack. Not all VPNs are equal and, especially if you have used the same VPN for a long time, check the vendor's security advisories for known vulnerabilities in your product and make sure you are running a supported, fully patched version: remote-access VPN appliances are a favourite target precisely because they sit on the internet edge.

Two-factor authentication

Two-factor authentication (2FA, also called multi-factor authentication) is becoming increasingly common. Implement it wherever it is available and, at a minimum, on your VPN and webmail, because those are the services reachable from the internet. With 2FA an attacker who knows your password also needs the second factor: a code from an authenticator app, a hardware security key, or a text message. This is significantly more secure. Text-message codes are the weakest option, since they can be intercepted or redirected by SIM-swap fraud, so prefer an app or a hardware key where the service supports one.

Device encryption

Ensure the devices used at home have full-disk encryption enabled. BitLocker is included in Windows 10 Pro and is likely already in use on work laptops, but if staff have taken home desktop PCs these must be encrypted too, so that a stolen machine does not become a data breach. Before a device leaves the office, make sure its recovery key is escrowed somewhere you control (Active Directory, Azure AD/Intune, or a secure key store) so that data can be recovered if a user forgets their PIN or password; without the recovery key, the data on a locked drive is gone for good.

Anti-virus

Ensure every machine that connects to your network runs anti-virus software that is kept up to date, even when staff are using their own machines. Ideally use the same product you use at work, so that home devices report into the same management console and you can see their alerts. Some supplier licences allow staff to install the software on their home PCs at no extra cost.

Wi-Fi and Network security

When working remotely you should avoid public Wi-Fi. On an open or shared network an attacker on the same network can read unencrypted traffic, set up a fake hotspot with the same name, or tamper with files you download, and that is how malware ends up on the device and, depending on the type, goes on to steal sensitive business information. If a public connection is unavoidable, connect the VPN before doing anything else so that all traffic travels inside the encrypted tunnel. At home, change the router's default administrator password and use WPA2 or WPA3 with a strong Wi-Fi password.

Keep everything on your computer fully updated

It is vitally important that you keep all of your devices up to date: most updates fix security vulnerabilities that attackers are already exploiting, and some add new protections. The easiest way to do this is to enable automatic updates on each device or to force updates through a central policy (Windows Update for Business, Intune or Group Policy), and to report on machines that have fallen behind.

How can we help?

At Hawsons we have a dedicated team of specialist technology and IT accountants at our offices in Sheffield, Doncaster, and Northampton.

Charles Kavazy

Director of IT Services

0114 266 7141

[email protected]

The Increased Cybersecurity Risks of Home Working


With more people working from home than ever before, cybersecurity risk has increased significantly. Remote working can expose weaknesses in your security, so it is very important to have good practices in place to reduce the chances of a cyber-attack or data breach. In this article we go through the steps you should take to maintain a high level of cybersecurity and minimise risk.

Train your staff about cyber awareness

It is very important that all members of staff are regularly trained in cybersecurity awareness. With lockdown meaning more employees are working remotely, attackers are looking to take advantage. Your employees are your first line of defence and need to be aware of the methods attackers use.

Training your staff in cybersecurity awareness is one of the most important steps, because trained staff are better able to spot the signs of an attempted attack. Phishing is one of the most common forms of attack.

Make sure all software is updated on a regular basis

It is also very important to make sure that all software used for remote working is updated regularly. The best way to ensure this is to enable automatic updates and to force them through automated policies or, if need be, to carry out manual checks.

The on-access virus scanning and regular scheduled scans we have in the workplace must of course continue, especially if staff are using their personal machines for remote working.

Make sure all of your data is backed up

It is crucial that all business data is backed up so you do not lose it in the event of a cyber-attack, especially ransomware. The 3-2-1 approach is best practice:

3 copies of your data (1 live plus 2 backups)

2 media types (e.g. disk, tape, cloud)

1 offsite copy (cloud, or storage media taken off-site)

Testing your backups is also vital: a backup you have never restored from is an assumption rather than a backup. Make sure at least one copy is offline or immutable, so that ransomware which reaches your network cannot encrypt the backups along with the live data.
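As an added example (not the firm's own tooling), the following Python checks a backup inventory against the 3-2-1 rule and then tests a restore by comparing the SHA-256 hash of every file in the live set with its restored copy. The inventory, file contents and the restore directory are all constructed inline; the `Copy` record and its field names are assumptions made for the example.

```python
"""3-2-1 compliance check and restore-integrity test for backups.
Added example, not the firm's own tooling; inventory and files are constructed inline."""
from __future__ import annotations

import hashlib
import pathlib
import tempfile
from dataclasses import dataclass


@dataclass
class Copy:                      # assumed record shape for the example
    name: str
    media: str                   # e.g. "disk", "tape", "cloud"
    offsite: bool
    is_live: bool = False        # the working copy that users edit


def check_321(copies: list[Copy]) -> list[str]:
    """Return the 3-2-1 rules the inventory breaks; an empty list means compliant."""
    failures = []
    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies (need 3: 1 live plus 2 backups)")
    if len({c.media for c in copies}) < 2:
        failures.append("all copies are on one media type (need 2)")
    if not any(c.offsite for c in copies):
        failures.append("no offsite copy")
    return failures


def sha256_file(path: pathlib.Path) -> str:
    """Stream the file through SHA-256 so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_restore(live_dir: pathlib.Path, restored_dir: pathlib.Path) -> list[str]:
    """'Testing your backups': every live file must exist in the restore with an identical hash."""
    problems = []
    for src in live_dir.rglob("*"):
        if not src.is_file():
            continue
        rel = src.relative_to(live_dir)
        dst = restored_dir / rel
        if not dst.is_file():
            problems.append(f"missing: {rel.as_posix()}")
        elif sha256_file(src) != sha256_file(dst):
            problems.append(f"corrupt: {rel.as_posix()}")
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Constructed inventory plus a simulated restore with one truncated and one missing file."""
    inventory = [
        Copy("file server", "disk", offsite=False, is_live=True),
        Copy("office NAS", "disk", offsite=False),
        Copy("cloud vault", "cloud", offsite=True),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = pathlib.Path(tmp, "live"), pathlib.Path(tmp, "restored")
        for d in (live / "ledger", restored / "ledger"):
            d.mkdir(parents=True)
        (live / "ledger" / "2021.csv").write_text("date,amount\n2021-01-01,100\n")
        (restored / "ledger" / "2021.csv").write_text("date,amount\n2021-01-01,100\n")
        (live / "ledger" / "2022.csv").write_text("date,amount\n2022-01-01,250\n")
        (restored / "ledger" / "2022.csv").write_text("date,amount\n2022-01-01,25\n")  # truncated
        (live / "payroll.xlsx").write_bytes(b"\x00" * 64)          # never made it into the backup
        return check_321(inventory), verify_restore(live, restored)


if __name__ == "__main__":
    print(demo())
```

The inventory in `demo()` passes the 3-2-1 count, yet the restore test still finds a truncated file and a missing one: the two checks answer different questions, and only the restore test tells you whether the backup would actually save you.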

Securing your network for remote working

It is important that you provide your employees with secure, company-managed ways to communicate and share files. If you don't, they will fall back on personal email or consumer messaging apps to send business information to one another, and data sitting in a personal account is outside your control and can be stolen from it.

You should make sure your employees use the company VPN, with strong, up-to-date encryption settings, when working remotely. In no circumstances should you allow business use of a public network without it. Training is key in this area.


Hawsons makes history after 165 years in business

Hawsons Chartered Accountants is 165 years old

Hawsons Chartered Accountants was founded in the city of Sheffield in 1854 – more than 25 years before the creation of the Institute of Chartered Accountants in England and Wales – by Alfred Allott and John Hewett.

Hawsons remains one of the longest-standing independent firms of chartered accountants in the UK. One of the main reasons why clients choose Hawsons is not just because of our experience and expertise in accountancy but the high-quality advice and service our team delivers.

Our mission is to provide our clients with service of the highest quality and value in a professional, friendly, and responsive manner, to assist them to develop their business, to develop the maximum potential of our people and thereby be the leading independent practice in the area.

Our unrivalled history demonstrates that through many periods of change, we have evolved as a business to ensure we continue to remain relevant to our clients, providing them with the quality and breadth of service they need. Clients understand that irrespective of how small they are when they become a client or how large they will grow, Hawsons will always be there for them.

Our belief in long-term client relationships is why we offer all prospective clients a free initial meeting so we can really get to know you and your business and you can get to know us.

Chris Hill, Senior Partner at Hawsons, said on the firm’s development: “We’re proud of our extensive history and the success we’ve achieved since we were founded in Sheffield 165 years ago. To have reached such an age and still be going strong is a great feat. Despite our company’s growth and expansion into other areas across the UK, we’ve stayed true to our philosophy that no matter what size or sector, every business we work with will always receive the same high standard of advice and service from our team.”

If you are looking for an expert accountant book your free initial meeting with us here.

If you would like to find out more about us visit our website here.

Are your users aware of the risk of Business Email Compromise?


Business email compromise (BEC) attacks are low-tech, which is exactly why they are so common: the attacker relies on social engineering far more than on hacking.

The criminal either spoofs the sender details, registers a lookalike domain one character different from the genuine one, or gains access to a real corporate mailbox, and then poses as somebody high up in the company. The aim is to defraud the company, its employees, customers or executives of money.

There are many ways in which BEC can target and defraud you:

  • The attacker can pretend to be a CEO or a partner and request an employee to make an emergency payment into a fraudster’s account.
  • Sometimes they will purport to be a supplier requesting a change in payee information, which would actually transfer money into a perpetrator’s account.
  • A lawyer’s email address is sometimes used to pressurise for a payment.

These scams have resulted in worldwide losses of at least $26bn since 2016, according to the FBI in the United States. Many measures and procedures can reduce the risk of business email compromise: taking care before clicking on any email link or attachment, employee education and training, and, above all, changing processes so that any change of bank details or urgent payment request is verified by a phone call to a number already on file (never one taken from the email) and requires a second sign-off.

Ryan Kalember, executive vice-president of cyber-security strategy at Proofpoint, said: “Business Email Compromise (BEC) is the most expensive problem in all of cyber-security. There is not a single other form of cyber-crime that has the same degree of scope in terms of money lost.”

How can we help?

At Hawsons we have a dedicated team who provide IT services and cyber security advice in Sheffield, Doncaster, and Northampton. If your organisation handles personal and confidential data and you need help with cyber security compliance then Hawsons can help you. We help organisations with data protection and cyber compliance, protecting their data.

If you would like to book your free first initial meeting with us click here.

If you would like to find out more information about our IT and Cyber security services click here.


43% of businesses have potentially lost vital data


Report shows 43% of businesses have lost or potentially lost vital data

A recent survey concluded that as many as 72% of businesses are "happy" to lose over 24 hours' worth of data after a cyber breach. If businesses were targeted by a widespread cyber attack, that would cost the UK billions.

The survey, conducted by cloud computing experts, asked participants questions about disaster recovery preparedness within their company.

It is worth noting that the survey was conducted just two days after the WannaCry incident that affected the NHS among many other organisations across the globe, so there was a heightened awareness of data protection overall.

Disaster Recovery preparedness has been surveyed before and compared with last year, there has been a slight improvement in overall trends. However, far too many companies are running the risk of serious consequences should an incident occur.

The number of businesses continuously protecting their data has increased by 8%, compared to last year. Also, compared to last year, businesses were more confident in their continuity plans that they had in place, with a 2% increase in those who had an active recovery plan in place.

The report concluded that only 41% of businesses were confident they had a business recovery plan in place, and the results also showed a huge lack of education around disaster recovery. Astonishingly, 13% of companies had never backed up any of their business data.

The research showed that a staggering 43% of businesses had either lost or potentially lost vital company data over the last two years. Surprisingly, 28% of these respondents had a turnover of over £10m and 44% had more than 51 employees.

Furthermore, 28% of businesses did not know whether they would be able to recover any of their data if their systems were breached, and under 30% of companies protected their data on a regular basis.

Last year, it was reported that 15% of businesses knew that if their systems were attacked, they would not be able to recover all of their data, this year it is down to 13%.

Scott Sanderson, Partner at Hawsons, had this to say: “It cannot be stressed enough the importance of protecting your data. While it is understandable that when running a business, other things can get in the way, businesses must regularly back-up and protect all of their company data just in case of a breach. Cyber crime is on the rise, and as we saw with the WannaCry data breach, these attacks are getting more and more sophisticated.”

Scott Sanderson, Partner

Scott Sanderson began his career with Hawsons and trained as a Chartered Accountant, becoming a partner in 2015, specialising in the healthcare sector and small businesses. For more details and advice, please contact Scott on [email protected] or 0114 266 7141.

Charles Kavazy

Charles Kavazy heads up the firm's IT services, providing independent IT advice and helping businesses with data security. He also helps businesses purchase, implement and get the most out of their software and hardware. For more information or advice on anything covered in this article, please contact Charles on [email protected] or 0114 266 7141.

CEO Fraud – Is your organisation at risk and how do you prevent it?


CEO Fraud is nasty and it can ruin both businesses and careers. More than 22,000 organisations across the world have been victims of CEO Fraud with losses estimated at more than £3 billion. In this article, we look at what CEO Fraud is and the techniques that can be used to help prevent it from happening to you.

What is CEO fraud?

CEO Fraud involves convincing somebody in your business to make what they think are legitimate payments but which are actually paid to fraudsters. The scam is often carried out by compromising business email accounts through the use of techniques such as social engineering or computer intrusion.

It's not just email accounts that can be compromised; the criminals are also known to spoof phone numbers. They obtain the mobile number of a CEO and send a text message to the CFO (Chief Financial Officer) that appears to come from the CEO, asking for a bank transfer. To make it more convincing, they often wait until the CEO is away on business, so the unlucky recipient has no reason to doubt the request. The message will usually also ask the recipient not to call back because the CEO "is in an important meeting" and "it needs paying promptly"; an instruction not to check by another channel is itself the warning sign.

While you may think it’s just the larger businesses which are targeted, smaller businesses are just as likely to be hit – the criminals don’t discriminate, everyone is a target.

While it is probably impossible to predict which business will be attacked and when, it is useful to understand the methods the criminals commonly use.

The methods

  • Phishing: These are emails sent in large numbers to many accounts at once in order to "phish" sensitive information by posing as legitimate sources. They are getting much more sophisticated; gone are the days of poorly worded emails that were obviously fake. They often carry logos, are well written and look as though they come from a bank, credit card provider, law enforcement, a government agency, a delivery company and so on. Many recipients will not use the bank or service provider the email claims to be from, but because of the sheer number sent, a certain percentage will land. The criminals are smart and may change the spelling of words in ways that are easy to miss. For example, an email from [email protected] seems legitimate, doesn't it? Unfortunately, this is NOT from Companies House. Notice the spelling: webfiling at the start of the address and webfilling at the end.

  • Spear phishing: These emails go to one person or, at most, a small group. They are much more focused, and the criminals have usually done their homework on the target by gathering data from social media in order to fool them. Some form of personalisation is usually included, such as the person's name or a client's name.

  • Executive "whaling": This can be very sophisticated. The criminals have detailed knowledge of who they are targeting and of the business. They target top executives and administrators to draw money from accounts or to steal confidential information.

  • Social engineering: This is psychological manipulation to trick people into giving away sensitive information or access to funds. All of the methods above are forms of social engineering. It often starts with mining social media sites such as Facebook and LinkedIn, which provide a wealth of information about a company and its people: names of staff, job titles, contact numbers and email addresses.

Unfortunately, these scams have a fairly high success rate. The Verizon 2016 Data Breach Investigations Report found that 30% of recipients opened phishing emails; it is the click on the link or attachment that follows which lets malware into the system and opens the door to CEO Fraud.
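The redacted Companies House address above, the "r and n to imitate an m" trick mentioned under Prevention below, and the lookalike domains used in business email compromise all come down to the same thing: a sender domain that is one small edit away from a domain you trust. Here is an added Python example (not code from the original article) that checks a From: header against a list of trusted domains, first collapsing easily confused character pairs and then measuring edit distance, and that also flags a known executive's name appearing on an outside address. The trusted domains, executive names and addresses are all constructed for the example.

```python
"""Lookalike-domain and display-name checks for a From: header.
Added example, not code from the original article; all addresses are constructed."""
from __future__ import annotations

from email.utils import parseaddr

# Character sequences that are easily confused at a glance. Constructed, deliberately
# short list; a production version would also cover Unicode confusables.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Collapse confusable sequences so that 'rnicrosoft.com' reads as 'microsoft.com'."""
    out = domain.lower()
    for look, real in CONFUSABLES:
        out = out.replace(look, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Number of single-character inserts, deletes or substitutions between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted: list[str], max_distance: int = 2) -> str:
    """'trusted', 'lookalike' or 'unknown' (trusted list is expected in lower case)."""
    domain = domain.lower()
    if domain in trusted:
        return "trusted"
    for legit in trusted:
        if normalise(domain) == normalise(legit):
            return "lookalike"                      # e.g. rn for m, 0 for o
        if levenshtein(domain, legit) <= max_distance:
            return "lookalike"                      # e.g. webfilling for webfiling
    return "unknown"


def bec_findings(from_header: str, trusted: list[str], executives: set[str]) -> list[str]:
    """Flag a lookalike domain and/or a known executive's name on an outside address."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    verdict = classify_domain(domain, trusted)
    findings = []
    if verdict == "lookalike":
        findings.append(f"lookalike domain: {domain}")
    if name.strip().lower() in executives and verdict != "trusted":
        findings.append(f"executive name '{name}' on outside address {addr}")
    return findings


if __name__ == "__main__":
    trusted = ["example.co.uk", "webfiling.co.uk"]
    execs = {"jane example"}
    for hdr in ["Jane Example <jane.example@example.co.uk>",
                "Jane Example <jane.example@exarnple.co.uk>",
                "Jane Example <ceo.urgent@freemail.example>",
                "Companies House <noreply@webfilling.co.uk>"]:
        print(hdr, "->", bec_findings(hdr, trusted, execs) or "ok")
```

An edit distance of two is a deliberately blunt threshold: it catches a dropped or doubled letter and a swapped pair, but on very short domains it will also flag honest neighbours, so in a mail filter the rule is better used to add a warning banner than to block outright. The display-name check is the one that catches the commonest CEO Fraud pattern, where the criminal does not bother with a lookalike domain at all and simply sets the executive's name on a free webmail account.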

Prevention

The following steps must link together to form an effective prevention plan, 'layers of defence', because no single control stops everything.

  • Training: All the steps below help, but if a member of staff isn't properly trained a breach can be almost inevitable. Make sure all staff know what to look out for when opening emails and provide general security awareness training. Is the sender legitimate? Always be sceptical and hover over links to see whether they go where they claim to. Beware slight changes in company names (r and n together to imitate an m). Another tell-tale sign is an email demanding urgent action.

  • Technical controls: Email filtering is the obvious example. If you don't have a filter you need one; if you do, make sure you understand its features to get the most out of it, and accept that filtering will never stop every phishing email. Publishing SPF, DKIM and DMARC records for your own domain makes it much harder for criminals to send email that appears to come from your addresses. Two-factor authentication makes it far harder for criminals to use a stolen password, for example by requiring a code from an authenticator app or a hardware token as well as the password.

  • Simulated phishing: This should accompany the training. Staff are deliberately sent realistic phishing emails to see who is at risk and who needs more training.

  • Identifying high-risk job roles: High-risk roles include accounts, payroll/HR and IT staff. Impose extra safeguards in these areas, such as layers of authorisation before a payment to a new or changed account can be completed. Assess all high-risk staff to see how exposed they are.

  • Security policy: Every company should have a security policy, but it often slips under the radar when there are more pressing things to deal with. In an age of frequent cyber-attacks it should be on your to-do list. It should be reviewed regularly for gaps and published somewhere all staff can find it. It should cover, among much else, not opening attachments or clicking links from unknown sources, password management (no reuse of work passwords on other sites or machines) and not using USB sticks on office computers.

  • Procedures: IT should block sites known for spreading ransomware, keep all software security patches and virus signature files up to date, run penetration tests on the Wi-Fi to see how easy it is to get in, and check that backups actually restore, among much else.

  • Cyber-risk planning: This is no longer just a technical or IT problem. It should be owned at the very top (the CEO) so that leadership is aware of the company's cyber risks and how they are being managed. CEO Fraud should certainly be included in the risk assessment.
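Hovering over links, as the Training step advises, can also be automated at the mail gateway. The following added Python example (not code from the original article) parses an HTML email body with the standard library, compares the domain the link text shows with the domain the href actually points to, and flags script or data URIs. The sample message is constructed.

```python
"""Find links whose visible text points somewhere other than the real target.
Added example, not code from the original article; the sample message is constructed."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html: str) -> list[str]:
    """One finding per link whose shown and real domains differ, or that uses a script/data URI."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if href.lower().startswith(("javascript:", "data:")):
            findings.append(f"script or data URI in link: {href[:40]}")
            continue
        real = (urlparse(href).hostname or "").lower()
        shown_match = DOMAIN_RE.search(text)
        shown = shown_match.group(1).lower() if shown_match else ""
        mismatch = (shown and real and strip_www(shown) != strip_www(real)
                    and not strip_www(real).endswith("." + strip_www(shown)))
        if mismatch:
            findings.append(f"text says {shown} but link goes to {real}")
    return findings


# Constructed phishing-style message: the visible URL is genuine, the target is not.
SAMPLE = """
<p>Your VAT return is overdue. Log in at
<a href="http://hmrc-gov-uk.secure-login.example/vat">https://www.gov.uk/vat</a>
to avoid a penalty.</p>
<p>Questions? See our <a href="https://www.gov.uk/help">help pages</a> or
<a href="javascript:void(0)">unsubscribe</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE):
        print(finding)
```

Links whose text is just "help pages" or "click here" produce no finding, because there is nothing the reader could have been misled by; the check deliberately targets the case where a genuine-looking address is printed on screen while the href goes elsewhere, which is exactly what hovering over the link reveals.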

CEO Fraud and cyber-attacks in general are more frequent now than they ever were. It is wise to review your procedures and put the appropriate controls in place to stop it from happening to you. It could save you a lot of money.

If you would like to discuss any of this further, please get in touch.
