How do I protect my business against cyber attacks?

Prevention is cheaper than a cure

Businesses of any size and nature are susceptible to cyber attacks and should remain aware of the key threats they may face without sufficient infrastructure and awareness.

Often, smaller businesses, or those not in the public eye, may consider themselves immune; however, the unfortunate truth is that all businesses are attractive targets for different forms of cyber attack. Smaller businesses can be more vulnerable due to their lack of formal policies and controls, making them more commonly targeted than one might initially think.

Price Bailey aims to inform you of and prepare you for the continuing dangers of cyber threats, debrief you on various real-life examples of cyber-crimes suffered by businesses, and advise you on steps every business should take to avoid cyber attacks.

Below, we detail some recent cyber incidents we have observed and provide recommendations on how you can be better prepared to combat them:

Payroll fraud – false requests to change employee bank details

We frequently see that businesses lack sufficient controls and expectations regarding fraud when handling changes to employee bank details. This is an extremely common form of fraud, and all businesses should be aware of, and prepared to address, it.

Typically, this involves a fraudster emailing from a fake personal account, asking your payroll department to change an employee’s bank details to a new, fictitious set. The request, appearing to come from the employee, may be queried, but sometimes the query is sent to the same email address, or another form of communication controlled by the fraudster, leading to a false confirmation.

Once the details are changed, the victim usually discovers the fraud when they are not paid on the next payroll run, by which time it is often too late.

False requests to change employee bank details are relatively simple but have unfortunately caught out many of our clients.

This fraud can be prevented with a few simple steps:

  • Ensure any communications are made to a known address.
  • If possible, ask the employee directly in a face-to-face conversation if they requested the change.
  • Remain sceptical about any change requests that have not been discussed in person.

Invoice fraud – alteration of payment details on invoices

Invoice fraud involves intercepting and altering a purchase invoice’s payment details so the intended supplier’s payment is instead paid to a fraudster’s account. This type of fraud is preventable by both the supplier and the payer, though each has different responsibilities to mitigate the risk.

As a supplier, ensure a segregation of duties between those who can change your bank details and those who approve these changes.

As a payer, be cautious about changes to payment details that haven’t been communicated by your regular account contact.

Consider the following:

  • Is the email address new or slightly altered? For example, ‘price.bailey.co.uk’ is different to ‘price.baiIey.co.uk’ (because a capital ‘i’ looks like a lowercase ‘L’).
  • Is the contact number on the invoice consistent with other documents, and can you call to confirm the change?
  • Is the sender someone new, or is it someone you are familiar with?

For charity or NFP clients who provide grants, this also applies to grant payment details, especially when recipients request a bank account change. Any such request should be verified through multiple sources to ensure it is legitimate and not fraudulent.

If in doubt, seek additional forms of verification.

Phishing emails – accessing details through harmful links

Phishing involves criminals using scam emails, texts, or calls to trick victims into releasing sensitive information. Typically, this includes links to harmful websites which steal data, malicious attachments, or false instructions.

Phishing is notoriously difficult to prescreen because the harmful website link isn’t always evident in the email. The responsibility therefore falls on the recipient to identify the scam.

All employees should be wary of unusual emails, especially those containing links to external websites or requests for data entry, to avoid unintentionally giving away information.

Ransomware – hackers gaining total access to systems/data and demanding a ransom

Advanced hackers can lock you out of your own system if they obtain the right information. System ransom attacks often result from phishing emails or similar information leaks.

Hackers typically demand a cash sum to unlock the system, leaving the business unable to operate while they deliberate. This can be devastating, leading to significant time and money spent resolving the issue.

A key preventative measure is to have regular backups of your key systems stored in a separate location. While this doesn’t reduce the risk of a ransom attack, it can minimise or even eliminate the impact if one occurs.

It is important to note that hackers can still make financial gains even if a ransom is not paid, as they can sell your data on the dark web. In the event of significant data breaches, especially ransomware attacks, the Information Commissioner’s Office (ICO) should be informed, so it can assist with appropriate further actions.

Key considerations

How should I protect my business?

In addition to awareness of the threat and internal vigilance, proactive management, education and a company-wide security culture will go far in countering the threat, while at the same time ensuring more trained eyes to help counter potential attacks and enhance overall business resilience. Specific measures you should consider include:

  • Having a cyber insurance policy: This makes good sense, but it is by no means a silver bullet and may not cover all outcomes such as reputational damage.
  • Consider obtaining Cyber Essentials Certification: Cyber Essentials is a UK government-backed certification that helps businesses protect themselves against common cyber threats. It focuses on five key security controls: firewalls, secure configuration, user access control, malware protection, and patch management. Businesses should get Cyber Essentials certified to demonstrate their commitment to cybersecurity, reduce the risk of attacks, and build trust with customers and partners. Certification also helps ensure compliance with regulations and can be a requirement for some government contracts.
  • Contingency planning: Boards should plan how they would react to different scenarios and have a mitigation plan for when their business is hacked or compromised. It is important that all departments are involved in this; cyber security is as much an HR issue as an IT one.
  • Awareness: Senior managers should ensure all employees are cyber aware and alert to scams and social engineering, including not sharing passwords or memory sticks and are aware of public Wi-Fi risks.
  • Supplier Integrity: Cloud and IT providers must demonstrate the integrity of the security protocols they have in place and their disaster recovery plans.
  • Audits: Conduct a data audit to classify your most sensitive data.
  • Antivirus: Always have up-to-date antivirus software and check that all mobile phones and tablets have antivirus software installed.
  • Multi-Factor Authentication: Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to provide multiple forms of verification, like a password (something you know) and a code sent to your phone (something you have). Businesses should enable MFA to protect against data breaches, phishing attacks, and unauthorised access. It strengthens security across critical systems, ensuring that even if a password is compromised, the additional verification step blocks potential attackers. It’s especially important for protecting sensitive data, financial systems, and employee accounts. Typically, it is now recommended that MFA should be enabled wherever it is available.

Those unaware of modern cyber attacks may believe that having a strong IT team with appropriate firewalls and monitoring facilities is sufficient to eliminate the threat of attacks. This lack of knowledge can make them prime targets for scammers. Adequate training and a culture of awareness within your environment are essential for stronger prevention.

From a cyber perspective, a business is only as strong as its weakest link. Therefore, consistent awareness among all staff is imperative in the fight against cyber crime.

We can help

Contact us today to find out more about how we can help you

Get in touch

Read our insights here

Meet the team

James Hart

James Hart

Manager

Suzanne Goldsmith

Suzanne Goldsmith

Partner

Michael Cooper-Davis

Michael Cooper-Davis

Partner

Top