Last year, nearly a third of UK businesses reported they had suffered a data breach or cyberattack in the previous 12 months. That figure, from the Department for Digital, Culture, Media and Sport (DCMS)*, together with the rise in scams targeting HR departments, shows that none of us can afford to be complacent about security.
Cybercriminals assess every organisation with a business-like approach: they weigh the time and effort needed to break through your defences against the profit they expect to make. So the harder it is to penetrate your data security, the less likely attackers are to target your organisation.
A crucial step to ensuring your organisation’s data security – and putting in place appropriate measures to protect yourself – is being aware of the dangers, so here are the four most common ways cybercriminals can attack an organisation.
1. Phishing/Malicious Emails
Phishing is the use of fraudulent emails to trick the recipient into handing over sensitive information, clicking a malicious link or opening an infected attachment. The email might appear to come from someone senior in the organisation, or from a supplier sending an invoice. It has become increasingly difficult to tell phishing emails from genuine ones, which unfortunately means many people fall victim to them. DCMS found that 80% of the businesses that had suffered a cyberattack had experienced phishing.
2. Hacking and extortion
Another common tactic is hacking followed by extortion. This generally involves attackers gaining access to your computer systems or databases and then using, or threatening to publish or destroy, your sensitive data to extract money from your organisation.
Some of these attacks take the form of ransomware: malicious software that encrypts your files or locks your systems so the organisation cannot carry out its normal operations until it gives in to the attacker's demands, usually a payment in cryptocurrency.
3. Distributed Denial of Service (DDoS) attack
This is carried out by a network of compromised computers, called a botnet, that sends an overwhelming amount of traffic to your systems or website with the intention of making the organisation's online services unavailable to their intended users.
4. Insider attacks
It’s not just cybercriminals outside of the organisation you should be aware of; disgruntled or negligent staff are also a risk. A study by research organisation The Ponemon Institute** found that the number of insider-caused cybersecurity incidents increased by 47% within two years, with 62% of incidents a result of negligent employees or contractors.
How can you protect your organisation from cybercrime?
1. Data security training
Your organisation should already have a data security programme in place; if it doesn't, you may be in breach of important legislation, including GDPR. That programme should include periodic data security training for every member of your organisation, including contractors and volunteers.
Tip: Ensure everyone knows cybersecurity best practices by incorporating the training as an essential part of your onboarding programme.
Staff who have access to sensitive data, or a login to an internal system that could give an attacker a way in, should be warned to be extra vigilant. Attackers could, for example, send a fake email claiming to be the new account manager for a service your organisation uses. It is all too easy for staff to drop their guard when a message appears to come from an existing contact.
2. Report suspicious emails
However harmless you think a phishing email is, report it to your IT team. Not only does this let them assess the risk, it also means they can warn colleagues before others fall for the same attack.
Tip: Don't open any attachments or follow any links in such emails before the IT team has checked them. Once an attachment has been opened, the damage may already be done.
3. Check validity
Phishing emails are getting more convincing every day, so even when you receive an invoice, a bank transfer request or a request for data from a known supplier or individual, including a member of your own staff, always call the sender on a number you already hold to confirm that the request came from them. If the email creates a sense of urgency and says the sender cannot be reached by other means, treat it as highly suspicious.
Tip: Look up telephone numbers and email addresses on the supplier's website or in your own records, rather than using the contact details given in the email itself.
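The checks above (does the reply address match the sender, is the sender's domain a look-alike of a real supplier, is the message pushing urgency and "don't call me") can be automated as a first pass before a human picks up the phone. The following is an added example, not code from the article or from any vendor: it uses only Python's standard library, and the supplier domain list and the two sample messages are constructed for illustration.

```python
"""Heuristic triage of a suspicious invoice or payment email.

Added example (not from the original article). Assumes the organisation
maintains a list of known supplier domains; the messages below are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed: domains of suppliers your organisation already deals with.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.co.uk", "payroll-partner.com"}

# Wording that pairs urgency with "you cannot verify this", the social-engineering tell.
URGENCY_PHRASES = (
    "urgent", "immediately", "cannot be reached", "can't be reached",
    "do not call", "out of office", "new bank details", "updated bank details",
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value ('' if there is none)."""
    _display, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as 'acme-supplles'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def analyse_message(raw: str) -> list[str]:
    """Return warning strings for a raw RFC 822 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    warnings = []
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))

    # 1. A Reply-To on a different domain diverts the conversation (and the payment) elsewhere.
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 2. A sender domain one or two characters away from a known supplier.
    if from_domain not in KNOWN_SUPPLIER_DOMAINS:
        for known in KNOWN_SUPPLIER_DOMAINS:
            if 0 < _edit_distance(from_domain, known) <= 2:
                warnings.append(f"Sender domain {from_domain!r} looks like known supplier {known!r}")

    # 3. Urgency plus "you can't reach me" wording in subject or body.
    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        warnings.append("Urgency/unreachable wording: " + ", ".join(hits))
    return warnings


# Constructed sample: look-alike sender, diverted Reply-To, pressure wording.
SAMPLE_PHISH = """\
From: Accounts <accounts@acme-supplles.co.uk>
Reply-To: accounts.update@example-billing.net
Subject: URGENT: updated bank details for your outstanding invoice
Content-Type: text/plain; charset=utf-8

Please process this immediately. I am travelling and cannot be reached by phone.
"""

# Constructed sample: ordinary invoice from the real supplier domain.
SAMPLE_LEGIT = """\
From: Accounts <accounts@acme-supplies.co.uk>
Subject: Invoice for March services
Content-Type: text/plain; charset=utf-8

Please find this month's invoice attached. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse_message(raw) or ["no flags"])
```

These are heuristics, not proof: a message with no flags can still be fraudulent (a genuine supplier mailbox may have been compromised), which is why the phone call to a number you already hold remains the real check.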
4. Share data safely
Never rely on email to send confidential or personal data. Use a secure sharing tool with end-to-end encryption so that only the intended recipient can read it.
Tip: A password-protected Excel spreadsheet is not a substitute: older Office file formats use weak encryption that can be cracked quickly, and the password is often sent in the same email thread as the file.
5. Store data in secure systems
Store your staff's personal data in a secure HR system that restricts access based on roles, so that information is only available to those with the appropriate permission. For example, an employee who wants to update their bank details should make the change through their own authenticated HR software login rather than by email, which lets you be confident the request is genuine.
Tip: Make sure your HR software comes with security features such as encryption of stored data and two-factor authentication, and that your supplier maintains a high standard of data security: ISO 27001 certification demonstrates a commitment to protecting their software and customers' data, and independent penetration testing provides evidence that these measures actually work.
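To make the role-based idea concrete, here is an added example of the access check such a system should perform on every read and update: deny by default, allow self-service changes only from an authenticated session belonging to the record's owner, grant other roles only what they need, and log every attempt. It is illustrative code written for this page, not the code of any HR product; the roles, fields and users are constructed assumptions.

```python
"""Deny-by-default, role-based access to HR records.

Added example, not the article's or any vendor's code. Roles, fields and
sample data are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed policy: what each role may do with fields of OTHER people's records.
# Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "hr_admin": {("read", "name"), ("read", "bank_details"), ("update", "bank_details"), ("read", "salary")},
    "line_manager": {("read", "name"), ("read", "leave_balance")},
    "employee": set(),
}
# What every authenticated user may do with their OWN record.
SELF_PERMISSIONS = {("read", "name"), ("read", "leave_balance"), ("read", "bank_details"), ("update", "bank_details")}


@dataclass
class User:
    user_id: str
    role: str
    authenticated: bool = False  # True only after login plus second factor


class HRStore:
    """Tiny in-memory record store that enforces the policy on every access."""

    def __init__(self) -> None:
        self._records: dict[str, dict[str, str]] = {}
        # Audit trail: (actor, action, record owner, field, allowed?) for every attempt.
        self.audit_log: list[tuple[str, str, str, str, bool]] = []

    def add_record(self, owner_id: str, **fields: str) -> None:
        self._records[owner_id] = dict(fields)

    def is_allowed(self, actor: User, action: str, owner_id: str, field: str) -> bool:
        """Unauthenticated sessions get nothing; then self-service grants; then role grants."""
        if not actor.authenticated:
            return False
        if actor.user_id == owner_id:
            return (action, field) in SELF_PERMISSIONS
        return (action, field) in ROLE_PERMISSIONS.get(actor.role, set())

    def _authorise(self, actor: User, action: str, owner_id: str, field: str) -> None:
        allowed = self.is_allowed(actor, action, owner_id, field)
        self.audit_log.append((actor.user_id, action, owner_id, field, allowed))
        if not allowed:
            raise PermissionError(f"{actor.user_id} may not {action} {field} of {owner_id}")

    def read(self, actor: User, owner_id: str, field: str) -> str:
        self._authorise(actor, "read", owner_id, field)
        return self._records[owner_id][field]

    def update(self, actor: User, owner_id: str, field: str, value: str) -> None:
        self._authorise(actor, "update", owner_id, field)
        self._records[owner_id][field] = value


def demo() -> dict[str, bool]:
    """Run the policy against constructed users; returns which attempts were allowed."""
    store = HRStore()
    store.add_record("alice", name="Alice", bank_details="old-account",
                     salary="sample-salary", leave_balance="12")
    alice = User("alice", "employee", authenticated=True)
    bob = User("bob", "line_manager", authenticated=True)
    carol = User("carol", "hr_admin", authenticated=True)
    # Someone who knows Alice's username (say, from an email signature) but has not logged in.
    impostor = User("alice", "employee", authenticated=False)

    attempts = {
        "alice_updates_own_bank": lambda: store.update(alice, "alice", "bank_details", "new-account"),
        "manager_reads_bank": lambda: store.read(bob, "alice", "bank_details"),
        "manager_reads_leave": lambda: store.read(bob, "alice", "leave_balance"),
        "hr_reads_salary": lambda: store.read(carol, "alice", "salary"),
        "impostor_updates_bank": lambda: store.update(impostor, "alice", "bank_details", "attacker-account"),
    }
    results = {}
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = True
        except PermissionError:
            results[label] = False
    # Only the owner's authenticated change took effect.
    results["bank_details_is_alices_change"] = store.read(carol, "alice", "bank_details") == "new-account"
    results["every_attempt_audited"] = len(store.audit_log) == len(attempts) + 1
    return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'allowed' if ok else 'denied'}")
```

The point of the `impostor` case is the one the article makes: a request that arrives by email carries no proof of who sent it, whereas a change made inside an authenticated session is tied to the account holder and leaves an audit record you can check later.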