By David Prattent

MarketWatch has been doing a lot of glaring and cursing lately; glaring at an unresponsive computer screen and swearing at the NBN.  Or the non-NBN more to the point.

So while he tries to calm himself and get his blood pressure back to something approaching normal, he has been pondering on his latest anti-virus scan which told him he had one but happily it was treated so don’t worry.  But how did my machine catch it?  Quite easily apparently.

It does not matter whether your organisation is a huge multi-national business enterprise or a one-person operation, at some point your computer networks and systems will be attacked by someone with criminal intent.  Cybersecurity attacks, in all their various forms, are inevitable and relentless.

So sit back, pour yourself a glass of something (recommendation:  Wills Domain Cabernet Merlot – the 2014 and 2015 are very drinkable and would go another few years) and contemplate these true stories which MarketWatch has encountered recently.

Exhibit 1

An employee at a small company received an email from a supplier notifying a change of bank account.  Being a wary soul, he checked the email address it came from and it was correct.  The signature block on the email was for the person he dealt with.  The email was fine, so he forwarded it to the accountant to process.

The accountant turned out to be an even more wary version.  She read the email and the wording made her uneasy.  She rang the supplier and they confirmed that they hadn’t changed their banking arrangements.

So what happened?  In this case, the email account of the person at the supplier had been compromised.  One possibility was that the supplier’s system had been subjected to a “brute force attack”.  This is where an attacker tries to defeat a preventive security measure or protocol by systematically trying many probable variants of a password, cypher, or key.  Given enough time and using enough computing power, a brute force attack will eventually find the alphanumeric sequence necessary to gain access to a protected system.  From then on in, emails can be sent out and if replies are sent they can be misdirected.  So you think you are talking to the company but you are not.

Alternatively, there was a “phishing” attack.  This attempts to collect sensitive or personal data from users.  Email is the most commonly used delivery method for a phishing attack.  Phishing attacks are often successful because they mimic legitimate communications from trusted entities or groups, for example a false email that appears to come from a bank or a retail website.

You can make access as hard as possible but unless you have what is known as multi-factor authentication (e.g. every time you access the system, you are sent a one-time PIN to your smartphone) hackers may eventually get in.  Vigilance is the key.  Make sure your people know that any request to make a change in the database such as banking details needs to be independently verified.  We should all be wary of emails which ask us for information or try to get us to click on something.  Once they have a name and an email address you would be surprised at the damage which can result.  Banks have told people that they would never email requests but people fall for it all the time.

Exhibit 2

At a slightly larger company, the HR person received an email from an employee requesting they change their banking details.  He sent it on to the accountant.  He noticed that the email had been generated from a mobile phone using a Gmail account.  He checked with the employee and guess what?

Again, somewhere along the line, the hacker had obtained the employee’s name, probably through a phishing attack.  But they didn’t get the email address so took a chance.  This one was so obviously fake it almost makes MarketWatch weep.  But HR fell for it.

The main lesson to take away from these two tales is that just having good security software and a great firewall is not enough.  That helps prevent the arrival of what is known as “malware” on your system.  Malware is short for malicious software which generally violates the security and stability of your system.  It comes in many forms ranging from viruses and worms to ransomware and spyware.  But your security software is not enough in all cases.  It can’t, for example, stop you clicking on a link.

There are some simple steps you can take to complement your security system:

In the cyber world, we may never be totally safe.  But we are now dependent on it.  So make sure you are as safe as possible.
