Cybersecurity
Please note that this advice is general in nature. Every business has different circumstances, so please contact us for specific advice related to your business activities.
Cybersecurity Issues for Small Businesses on Eyre Peninsula GW 3/8/24
Staff Training
Scam Phone Calls
Scam Emails
Scam Invoices
Scam web pages
Scam Text Messages
Ransomware
Set your own financial risk limit
Cyber Insurance?
Please note this is not an exhaustive list; there are numerous other scams operating in different areas, however this web page is focussed on the scams we have seen in disturbing numbers across Eyre Peninsula. New scams are also being perpetrated on a regular basis, often framed around media topics of the day, so constant review is paramount.
Staff Training GW 3/8/24
This is the single most important component of Cyber Defence for any business, large or small. There should be a separate induction held for every new employee covering all of the above topics. There are formal cyber awareness programmes aimed at small business which you may find suitable; we are very happy to give feedback on any programme you feel may be of benefit.
Workshopping the above topics with your staff is a good starting point for any business.
Scam Phone Calls
It's not who you think it is!
Most phone-based scams will pretend to be from well-known businesses and other organisations, including Telstra, Microsoft, NBNco, your bank, Amazon, PayPal, the Tax Office or the Australian Federal Police
Sometimes, you will call a number from an email or text message pretending to be one of the above
The giveaway when you call the supplied number is that the scammer will answer straight away, which does not happen with most of the genuine organisations!
Check with someone you know personally
If you don't know the caller personally, you must be very careful
Check with a work colleague, friend or family member especially where any financial scenarios are involved
The person you talk to must take you seriously and help you work out the bona fides of the call
Just hang up
Most people don't want to be rude, which is why they can be caught by the scammer
To be polite, say "I think this is a scam phone call" and then hang up
Do not say "How do I know this is not a scam?"; they are always ready for this question
Just hang up and find a way to contact who you think it is independently of the phone call
Scam Emails GW 3/8/24
It's not from who you think it's from!
Scam emails often look genuine
You cannot rely on the content of any email; you must check the sender email address
Even then, the sender email address can be fabricated
It is easier to detect a scam email on a computer than on a phone, which has a much smaller screen area
If the email asks you to take any kind of action, be very careful
It's not a refund
The banking details have not changed
Do not call the number
Do not click the link
Do not enter any login credentials behind the link
Check with someone you know personally
Check with the sender using independently obtained contact details
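The sender checks described above, worked through in code. This is an added example, not something from the original page: it looks at the address behind the display name, at whether replies are quietly redirected to a different domain, and at whether the message asks you to act. The brand-to-domain list and the two sample emails are constructed for the example.

```python
"""Added example: flag the signs of a scam email by checking the sender
address, the Reply-To address and whether the message asks you to act.
Not from the original page; the brand/domain pairs below are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the business keeps its own list of brands it deals with and the
# domain each one genuinely sends from. These entries are constructed examples.
TRUSTED_SENDERS = {
    "telstra": "telstra.com.au",
    "mybank": "mybank.example",
}

# Phrases that signal the email wants you to do something (a refund, changed
# bank details, a link or a phone number); presence means "be very careful".
ACTION_PHRASES = ["refund", "bank details", "click", "call us on", "log in"]


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an email address, or '' if none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def body_text(msg) -> str:
    """Collect the text/plain parts of a message into one lowercase string."""
    if not msg.is_multipart():
        return str(msg.get_payload()).lower()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode("utf-8", "replace"))
    return "\n".join(parts).lower()


def sender_warnings(raw_message: str) -> list:
    """Return a list of warnings; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    warnings = []

    # 1. The display name claims a brand but the address sits on another domain.
    for brand, real_domain in TRUSTED_SENDERS.items():
        claims_brand = brand in display_name.lower()
        genuine = from_domain == real_domain or from_domain.endswith("." + real_domain)
        if claims_brand and not genuine:
            warnings.append(f"display name claims {brand!r} but address is at {from_domain!r}")

    # 2. Replies are silently redirected to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"replies go to {domain_of(reply_addr)!r}, not {from_domain!r}")

    # 3. The message asks you to take an action.
    text = body_text(msg)
    for phrase in ACTION_PHRASES:
        if phrase in text:
            warnings.append(f"asks you to act: {phrase!r}")
    return warnings


# Constructed sample messages (not real emails).
SCAM_EMAIL = (
    "From: Telstra Billing <accounts@telstra-billing-centre.example>\n"
    "Reply-To: refunds@mail-relay.example\n"
    "Subject: Your refund is waiting\n"
    "\n"
    "Hi, click the link below to claim your refund.\n"
)
GENUINE_EMAIL = (
    "From: Telstra <noreply@telstra.com.au>\n"
    "Subject: Your monthly bill\n"
    "\n"
    "Your bill for this month is attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(label, sender_warnings(raw) or "no warnings")
```

Run it as a script to see the constructed scam message produce four warnings and the genuine one none. As the page says, a sender address can itself be fabricated, so an empty warning list is a reason to look further, not proof the email is real.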
Scam Invoices GW 3/8/24
You cannot trust the banking details on any emailed invoice!
PDF invoices are easily altered by scammers
If you are making a payment, make sure the bank details on the invoice match the existing bank details in your payee list
Most email compromise occurs at the receiver's mailbox
Scammers routinely infiltrate mailboxes and wait quietly for a financial transaction to pop up
For the first payment to a new payee, always independently check with the sender
You can do this by phone but only if you know the phone number is genuine
If you pay a scammer instead of your supplier using internet banking, you will never see your money again
It seems odd to say, but paying by credit card is much safer than online banking: if you do pay a scammer, you should get your money back
For larger amounts, check with someone you know personally
Scam invoices can target individuals just as easily as they target businesses
Scam Web Pages GW 3/8/24
Web page addresses are complex at best
Everyone must learn how to tell the difference
Scam web pages often have realistic content cloned from the genuine web site
Scam web addresses are often very close to the genuine address, sometimes just a single letter is different
Ignore the content on any web page until you have confirmed the web address is genuine
Check with someone you know personally
Ask a work colleague, friend or family member to confirm the web address for you
If you are not certain you are on the genuine web page, do not take any action offered by the web page
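A way to put the "single letter different" check into practice. This is an added example, not code from the original page: it compares the host part of a web address against a list of addresses the business knows to be genuine, undoes common look-alike character swaps, and flags anything within a couple of edits of a genuine name or with a genuine name buried inside a different domain. The list of genuine domains is a constructed assumption.

```python
"""Added example: decide whether a web address is genuine, a look-alike of a
genuine address, or simply unknown. Not from the original page; the genuine
domain list is a constructed assumption."""
from urllib.parse import urlsplit

# Assumption: the business maintains its own list of domains it knows to be
# genuine. These three are constructed examples.
GENUINE_DOMAINS = ["mybank.com.au", "ato.gov.au", "telstra.com.au"]

# Character swaps scammers use because they look alike on screen.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def host_of(url: str) -> str:
    """Lowercase host part of a URL; a bare 'www.site.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def normalise(host: str) -> str:
    """Undo common look-alike substitutions so 'te1stra' compares as 'telstra'."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (standard dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, genuine=GENUINE_DOMAINS, max_distance: int = 2) -> str:
    """Return 'genuine', 'lookalike' or 'unknown' for a web address."""
    host = host_of(url)
    for g in genuine:
        # exact match, or a real subdomain such as www.mybank.com.au
        if host == g or host.endswith("." + g):
            return "genuine"
    bare = host[4:] if host.startswith("www.") else host
    candidate = normalise(bare)
    for g in genuine:
        # genuine name buried under another domain (mybank.com.au.login.example),
        # or within a couple of edits of it (mybamk.com.au, te1stra.com.au)
        if g in candidate or edit_distance(candidate, g) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ["https://www.mybank.com.au/login", "https://mybamk.com.au",
              "http://mybank.com.au.secure-login.example",
              "https://www.te1stra.com.au/billing", "https://example.org"]:
        print(u, "->", classify(u))
```

The distance threshold is deliberately generous: for a short name like ato.gov.au, two edits will also catch some harmless addresses, and "lookalike" means "stop and confirm with someone you know", not "definitely a scam".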
Scam Text Messages GW 3/8/24
It's not from who you think it's from!
Note the classic "Hi Mum" scam, where the scammer will pretend to be one of your children
Do not trust any text message which invites you to click a link in the message
Do not trust any text message which invites you to call a number pretending to be a large organisation with a familiar name
Check with the sender using independently obtained contact details
Or just ignore the message; if it is genuine they will find another way to contact you
Ransomware GW 3/8/24
This is not a big issue on Eyre Peninsula but it is very real
If you fall for any of the above scam attempts you may find you are locked out of all of your data
You will be encouraged to contact the scammer and pay money to regain access to your files
The secret is to have a backup copy of your data on an external backup device which is only connected during the backup process
We have not seen Ransomware compromise data stored in the Cloud, i.e. on the Internet, yet...
Backup, backup, backup!
Set Your Own Financial Risk Limit GW 3/8/24
Banks should do this for all Internet banking
The idea is that you set a dollar amount which defines what you are prepared to lose if you get scammed
For a small business, let's say you set your financial risk limit to (say) $5000
What this means is that below (say) $5000 you behave pretty much as you do now, notwithstanding the advice above
However for payments above (say) $5000 you have a much more stringent set of in-house rules which come into effect
You should also consider your rules for payments made to your business which are above your financial risk limit
These rules protect your customers: even though it is the customer who loses financially if they pay a scammer, you may still lose that customer
The rules you set will vary somewhat from business to business
For example, you would logically implement a procedure where two staff members are involved in all payments over (say) $5000
You would also implement a procedure for all invoices sent over (say) $5000
You might insist that customers paying invoices over this amount must contact you by phone to confirm your banking details
If the payment in either direction is over your financial risk limit, double-check every time
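The invoice rules from the Scam Invoices section and the financial risk limit described here, combined into one pre-payment check. This is an added example, not a procedure from the original page: it treats a payment as blocked when the bank details on the invoice differ from the payee list, when it is the first payment to a new payee without an independent phone check, or when the amount is over the limit without a second reviewer and a fresh phone check. The $5000 limit is the page's illustrative figure used as an assumption; the payee records and invoices are constructed.

```python
"""Added example: a pre-payment check that applies the invoice rules and a
financial risk limit. Not from the original page; the $5,000 limit is an
assumption and the payee records below are constructed."""
from dataclasses import dataclass

RISK_LIMIT = 5000  # dollars; the page's illustrative figure, used here as an assumption


@dataclass(frozen=True)
class Payee:
    """A payee already in your banking payee list (constructed records below)."""
    name: str
    bsb: str
    account: str


@dataclass
class Payment:
    """A payment about to be made from an emailed invoice."""
    payee_name: str
    bsb: str
    account: str
    amount: float
    approvals: int = 1               # staff members who have reviewed it
    verified_by_phone: bool = False  # details confirmed on a number you already trust


def payment_blockers(payment: Payment, payee_register: dict,
                     risk_limit: float = RISK_LIMIT) -> list:
    """Return reasons the payment must not go ahead yet; an empty list means it may proceed."""
    blockers = []
    known = payee_register.get(payment.payee_name)
    if known is None:
        # first payment to a new payee: always check independently
        if not payment.verified_by_phone:
            blockers.append("new payee: confirm bank details by phone on a number you already know")
    elif (known.bsb, known.account) != (payment.bsb, payment.account):
        # invoice details do not match the payee list: treat as an altered invoice
        blockers.append("bank details differ from your payee list: do not pay until confirmed")
    if payment.amount > risk_limit:
        # above the limit the stricter in-house rules apply every time
        if payment.approvals < 2:
            blockers.append(f"over ${risk_limit:,.0f}: a second staff member must review")
        if not payment.verified_by_phone:
            blockers.append(f"over ${risk_limit:,.0f}: confirm bank details by phone every time")
    return blockers


# Constructed payee list and invoices (not real bank details).
PAYEES = {
    "Acme Supplies": Payee("Acme Supplies", "123-456", "12345678"),
}

if __name__ == "__main__":
    invoices = [
        Payment("Acme Supplies", "123-456", "12345678", 1200.00),
        Payment("Acme Supplies", "654-321", "87654321", 1200.00),   # details changed
        Payment("Acme Supplies", "123-456", "12345678", 12000.00),  # over the limit
        Payment("New Contractor", "111-222", "99999999", 800.00),   # first payment
    ]
    for inv in invoices:
        print(inv.payee_name, inv.amount, payment_blockers(inv, PAYEES) or "OK to pay")
```

The function only reports what still has to happen; it never marks a payment safe because the invoice looks right. Note that below the limit a changed BSB or account number still blocks the payment, since the altered-invoice rule applies at any amount.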
Cyber Insurance? GW 3/8/24
A one-size-fits-all approach cannot work for small business
If you have seen a Cyber Insurance application form, the technical detail they require before they even quote is onerous
It is our view that if you jump through all of the hoops required to obtain cyber insurance, you probably don't need cyber insurance
You need to define what Cyber Security events you are trying to insure against
For example, if you want to insure against paying a fraudulently altered invoice, what should the maximum cover be?
Same for scam phone calls etc.: how much should each event be insured for?
Note that your Internet Security software will not prevent you from being scammed if you are operating your own computer
What level of trickery is covered? All scams involve trickery, how on earth can a policy cover all of them?
I think Insurance companies should target their policies to their market
Small businesses do not need the same type of cover as large organisations, even if there is overlap in terms of risk
By all means consider Cyber Insurance but I am not sure your Insurer is your best source of advice!
For more information
Contact us at your convenience
All of the advice above is by Greg Williams, let him know if you have any questions or comments!
This advice is fluid and will change from time to time; please note the date attached to each topic as a guide