The five most common cyber threats involve a failure to install updates, ransomware, scam emails and phishing, outsourcing and equipment acquisitions, and the threat of attacks.
1. Failure to install updates
Criminals scour the internet every day in search of devices that have not been properly updated. They hijack such devices as resources for criminal use and use them to infiltrate organisational systems.
2. Ransomware
Ransomware, or programs that lock up data and demand a ransom for it, is a notable and popular source of income for criminals, which is why it is also a threat to all organisations regardless of their industry.
3. Scam emails and phishing
Billing and CEO frauds can cause huge difficulties. User IDs and passwords obtained from companies through phishing are used for many types of criminal activity.
4. Outsourcing and equipment acquisitions, networking of companies
Outsourcing offers savings and improves performance, but it also reduces the visibility of risks. Cyber attacks on an organisation’s partner or customer can also have significant knock-on effects on the organisation itself. Agreeing on data security and data protection matters in advance with all partners is important.
5. Threat of attacks
Blackmail by threatening a data system break-in or other type of attack has become more commonplace. Some of the threats may actually be realised, but in most cases the attack is never realised and the blackmail remains just a threat.
How can I safeguard my organisation against online intruders and known viruses?
Protect all of your company’s computers with at least a firewall and antivirus software. Always keep the software in active mode and make sure that there are backup copies of all important data and systems.
- All Windows computers and Macs have a firewall by default. If you are not sure whether your computer has a firewall, you can check it from the computer’s data security settings.
- Purchasing paid antivirus software when buying a computer is recommended.
- Mobile devices should also be appropriately protected.
How do I make sure that confidential information stays within the company?
Create instructions for all data processing at the workplace. Provide instructions on how confidential information can be securely saved and shared. This reduces the risk of any leaks of the personal data of your customers or employees, or the company’s business secrets.
- The larger the company, the more important it is to provide employees with instructions on how to correctly process data.
- Data to be protected includes your customers’ personal data, such as their names, addresses and payment details, as well as the company’s internal data.
- In addition to protecting the IT environment, protecting all storage media, such as cloud services and external hard drives, is important.
- Unprotected USB flash drives cannot be used to save the above-mentioned customer data or business secrets. If flash drives must be used to store such data, they must be encrypted.
To whom within the company should I grant system administrator rights?
You should grant administrator rights only to those employees who need these rights in their work. Malware that infiltrates a workstation cannot cause as much damage when it is not possible to access the entire system through any user.
- Assign two users for each workstation.
- Only allow the administrator to install software; a person who uses a computer in their daily work rarely needs any administrator-level rights.
- If malware infiltrates a workstation, it cannot spread into the entire system due to the limited user rights of the daily user.
How can I prepare for recovery from cyber damage?
Add a cyber damage recovery plan as part of your company’s continuity management plan. This will ensure that your company can quickly recover and continue its operations in case of any cyber damage.
- The cyber plan should be included in the company’s general risk management plans.
- When preparing the plan, the following must be taken into account:
  - All potential cyber threats
  - How the company has protected itself from these threats
  - What to do in case a threat becomes reality
- An entrepreneur may require expert assistance in creating the plan.
- The entrepreneur has two options:
  - They can accept the data security risks and not do anything. If a cyber risk becomes a reality, this will pose a threat to the continuity of the business.
  - They can protect the company from the data security risks by improving data security with competent partners, for example, and by transferring part of the financial risk to an insurance company by taking out an insurance policy.
- Continuing with business as usual will be much quicker when the company has prepared for the incident and the required expert assistance is quickly available.
How can I prevent vulnerabilities in the systems I am using?
Regularly update the operating system and all the software you are using. Using automatic updates is recommended, provided that the software supports this feature. This way, your devices will include fewer vulnerabilities that malware could utilise.
- Make sure that the data security of your smartphone is up to date. You should also use automatic updates on mobile devices if this is possible in practice:
  - The mobile device has enough storage space.
  - Updates have been set to start automatically when the device is connected to a wireless network, or
  - using mobile data has been allowed in the smartphone’s settings.
- Only download apps to your phone from the official app store.
- A device that has not been updated is a data security risk. That is why you should not postpone the offered automatic updates even if the update and subsequent rebooting of the devices will cause a short interruption to your work.
How do I identify cyber threats?
Regularly provide your employees with training on how to identify the different types of cyber threats, such as phishing emails, risks involving flash drives, sending company data via unprotected email or saving data in free online storage and sharing services.
You can avoid unnecessary cyber damage by ensuring that these risks are identified.
- If you even slightly suspect that an email could be phishing, check at least the following:
  - Who sent the email and from which address?
  - How likely is it for the person in question to send such a message?
  - Before clicking any links, check where the link would take you. You can do this by hovering your mouse over the link.
- If you know the sender, you should check that the message is genuine by calling them or sending them a text message.
- Sending confidential information via unprotected email should be avoided. If email is the only possible way to send a document, the sender must have permission from the recipient and the owner of the data to send the document.
- Instead of unprotected email, you can use a secure email account or send the document by regular post or through a secure online service with which the company has an agreement.
How do I prevent unwanted users from accessing my devices?
Always lock your device when you are not using it. Choose strong passwords for all services and do not use the same password in all services. This ensures that nobody will gain access to your company’s data or be able to install anything harmful on your computer when you are not looking.
- A strong password is as long as possible and contains uppercase and lowercase letters, numbers and special characters.
- Such a password can still be easy to remember if you create it in the format of a combination of words that is easy to remember, such as “#1t’sAsunnY&warmDay”.
- There are also password services that allow you to securely save your passwords.
How can I ensure that data which is important to my company will be retained in case of an incident involving my company’s confidential information?
Always take backup copies of your company’s important data daily, and save the backup copies in a location that is not the company’s network or any of the company’s computers. Regularly verify the integrity of the backup copies. This will ensure that your company can quickly recover and continue its operations in case of any cyber damage.
- Save the backup copies in an external hard drive or a separate, password-protected cloud service.
- If ransomware takes over your computer, any cloud content that is accessible by logging onto the computer will end up in the hands of the blackmailer. This is a major risk, especially for small companies.
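One way to carry out the regular integrity check of backup copies mentioned above is to record a checksum for every file when the backup is taken and compare the copy against that record later. This is an added example, not part of the original page; the file names and the `demo` helper are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(source_dir):
    """Map each file's relative path to its SHA-256 at backup time.
    Store the manifest separately from the backup it describes."""
    root = Path(source_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(backup_dir, manifest):
    """Report files that are missing, altered, or were never part of the backup."""
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "altered": sorted(n for n in manifest
                          if n in current and current[n] != manifest[n]),
        "unexpected": sorted(set(current) - set(manifest)),
    }

def demo():
    """Constructed sample: back up two files, then damage the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "data"), Path(tmp, "backup")
        src.mkdir()
        (src / "invoices.csv").write_text("id,amount\n1,100\n")
        (src / "customers.csv").write_text("name\nExample Oy\n")
        manifest = build_manifest(src)
        shutil.copytree(src, dst)
        (dst / "invoices.csv").write_text("corrupted")    # silent corruption
        (dst / "customers.csv").unlink()                  # lost file
        (dst / "README_DECRYPT.txt").write_text("x")      # file that should not be there
        return verify_backup(dst, manifest)
```

An empty report for all three keys means the backup copy still matches what was recorded when it was taken.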
What should I do if I notice that my company is the victim of a cyber attack?
When a data security incident has occurred, the most important thing is to minimise the damage. It is likely that all companies will experience cyber damage of some sort at some point in time, and many already have. That is why you should know what to do in such a case.
- If possible, prevent the computer corrupted with malware from accessing the network. This may prevent the attack from spreading to all of your company’s hardware.
- Without delay, start implementing the continuity management plan you have made to prevent the cyber threat.
- Do not pay any ransom demanded by the ransomware or any money that the blackmailer requests, as this will usually do more harm than good:
  - A payment would not secure the continuity of your business, and it is unlikely that the criminals would then leave your company alone; quite the opposite, in fact – the criminals would most likely attack your company again in six months or a year.
- Contact the helpline included in your cyber-insurance without delay; acting fast is the key during such an incident.
- When you have succeeded in managing the acute situation, find out what caused the incident and make sure that it will not reoccur.
- Improve your data security, provide your employees with training and take out an insurance policy, unless you already have one.
Examples of situations in which Pohjola Cyber-insurance covers a company’s data security losses:
- An employee clicks on an advertisement that is actually a phishing email. Clicking on the link installs a “Cryptolocker”, a program that proceeds to lock more than 72,000 files in the network. The policyholder incurs expenses from the removal of the malware and the recovery of the files. The Cyber-insurance compensates for these losses.
- A retailer thinks that they are emailing a discount voucher to their customers, but accidentally sends them an attachment containing customers’ personal data and credit card details instead. The insurance covers the costs caused by fulfilling the company’s notification obligation specified in the General Data Protection Regulation.
- A company’s data system is subjected to an extensive denial-of-service attack that paralyses its business for several days. Expert services included in the insurance are able to stop the attack and the insurance covers the profit lost due to the business interruption.
- A factory’s computer-controlled production equipment is hacked, causing production to come to a halt. This results in extensive business interruption losses. The insurance covers the profit lost due to the business interruption.