Cybersecurity

Cybersecurity Issues for Small Businesses on Eyre Peninsula GW 3/8/24

• Staff Training

• Scam Phone Calls

• Scam Emails

• Scam Invoices

• Scam web pages

• Scam Text Messages

• Ransomware

• Set your own financial risk limit

• Cyber Insurance?

Please note this is not an exhaustive list, there are numerous other scams operating in different areas however this web page is focussed on the scams we have seen in disturbing numbers across Eyre Peninsula.  There are also new scams being perpetrated on a regular basis, often framed around media topics of the day, so constant review is paramount,

Staff Training GW 3/8/24

This is the single most important component of Cyber Defence for any business, large or small.  There should be a separate induction held for every new employee covering all of the above topics.  There are formal cyber awareness programmes aimed at small business which you may find suitable, we are very happy to give feedback on any programme you feel may be of benefit.  

Workshopping the above topics with your staff is a good starting point for any business.

Scam Phone Calls GW 3/8/24

• It's not who you think it is!

• Most phone based scams will pretend to be from well known businesses and other organisations

• Including Telstra, Microsoft, NBNco, your bank, Amazon, PayPal, the Tax Office or Australian Federal Police

• Sometimes, you will call a number from an email or text message pretending to be one of the above

• The giveaway when you call the supplied number is that the scammer will answer straight away which does not happen with most of them!

• Check with someone you know personally

• If you don't know the caller personally, you must be very careful

• Check with a work colleague, friend or family member especially where any financial scenarios are involved

• The person you talk to must take you seriously and help you work out the bonafides of the call

• Just hang up

• Most people don't want to be rude which is why they can be caught by the scammer

• To be polite, say "I think this is a scam phone call" and then hang up

• Do not say "How do I know this is not a scam?" they are always ready for this question

• Just hang up and find  a way to contact who you think it is independently of the phone call

Scam Emails GW 3/8/24

• It's not from who you think it's from!

• Scam emails often look genuine

• You cannot rely on the content of any email, you must check the sender email address

• Even then, the sender email address can be fabricated

• It is easier to detect a scam email on a computer rather than a phone which has a much smaller screen area

• If the email asks you take any kind of action, be very careful

• It's not a refund

• The banking details have not changed

• Do not call the number

• Do not click the link

• Do not enter any login credentials behind the link

• Check with someone you know personally

• Check with the sender using independently obtained contact details

Scam Invoices GW 3/8/24

• You cannot trust the banking details on any emailed invoice!

• PDF invoices are easily altered by scammers

• If you are making a payment, make sure the bank details on the invoice match the existing bank details in your payee list

• Most email compromise occurs at the receiver's mailbox

• Scammers routinely infiltrate mailboxes and wait quietly for a financial transaction to pop up

• For the first payment to a new payee always independently check with the sender

• You can do this by phone but only if you know the phone number is genuine

• If you pay a scammer instead of your supplier using intenet banking, you will never see your money again

• It seems odd to say, but paying by credit card is much safer than online banking, if you do pay a scammer, you should get your money back

• For larger amounts, check with someone you know personally

• Scam invoices can target individuals just as easily as they target businesses

Scam Web Pages GW 3/8/24

• Web page addresses are complex at best

• Everyone must learn how to tell the difference

• Scam web pages often have realistic content cloned from the genuine web site

• Scam web addresses are often very close to the genuine address, sometimes just a single letter is different

• Ignore the content on any web page until you have confirmed the web address is genuine

• Check with someone you know personally

• Ask a work colleague, friend or family member to confirm the web address for you

• If you are not certain you are on the genuine web page, do not take any action offered by the web page

Scam Text Messages GW 3/8/24

• It's not from who you think it's from!

• Note the classic Hi Mum scam where the scammer will pretend to be one of your children

• Do not trust any text message which invites you to click a link in the message

• Do not trust any text message which invites you to call a number pretending to be a large organisation with a familiar name

• Check with the sender using independently obtained contact details

• Or just ignore the message, if it is genuine they will find another way to contact you

Ransomware GW 3/8/24

• This is not a big issue on Eyre Peninsula but it is very real

• If you fall for any of the above scam attempts you may find you are locked out of all of your data

• You will be encouraged to contact the scammer and pay money to regain access to your files

• The secret is to have a backup copy of your data on an external back device which is only connected during the backup process

• We have not seen Ransomware compromise data store din the Cloud, ie on the Internet, yet....

• Backup, backup, backup!

Set Your Own Financial Risk Limit GW 3/8/24

• Banks should do this for all Internet banking

• The idea is that you set a dollar amoiunt which defines what you are prepared to lose if you get scammed

• For a small business, let's say you set your financial risk limit to (say) $5000

• What this means is that below (say) $5000 you behave pretty much as you do now, not withstanding the advice above

• However for payments above (say) $5000 you have a much more stringent set of in-house rules which come into effect

• You should also consider your rules for payments made to your business which are above your financial risk limit

• Which will protect your customers, even though they will lose financially if they pay a scammer, you may still lose a customer

• The rules you set will vary somewhat from business to business

• For example, you would logically implement a procedure where two staff members are involved in all payments over (say) $5000

• You would also implement a procedure for all invoices sent over (say) $5000

• You might insist that customers paying invoices over this amount must contact you by phone to confirm your banking details

• If the payment in either direction is over your financial risk limit, double-check every time

Cyber Insurance? GW 3/8/24

• A one-size-fits-all approach cannot work for small business

• If you have seen a Cyber Insurance application form, the technical detail they require before they even quote is onerous

• It is our view that if you jump through all of the hoops required to obtain cyber insurance, you probably don't need cyber insurance

• You need to define what Cyber Security events you are trying to insure against

• For example, if you want to insure against paying a fraudulently altered invoice, what should the maximum cover be?

• Same for scam phone calls etc, how much should each event be insured for

• Note that your Internet Security software will not prevent you from being scammed if you are operating your own computer

• What level of trickery is covered?  All scams involved trickery, how on earth can a policy cover all of them?

• I think Insurance companies should target their policies to their market

• Small busineses do not need the same type of cover as large organisations, even if there is overlap in terms of risk

• By all means consider Cyber Insurance but I am not sure your Insurer is your best source of advice!

For more information

• Contact us at your convenience

• All of the advice above is by Greg Williams, let him know if you have any questions or comments!

• This advice is fluid and will change from time to time, please note the date attached to each topic as a guide