By Suzy Clarke, Executive General Manager of Security at Xero
Over the last few years, consumers around the world have been impacted by some of the biggest data breaches in history. For a small business, this can be quite daunting to think about as you work with sensitive personal and financial information every day. So, how can you protect your business? It all starts with understanding the mindset of a cyber criminal. What are they looking for? Why are they stealing information? And how do they get it?
What’s the ultimate prize for a cyber criminal?
Data – This could be anything from the personal information of staff and customers, to confidential business information like sales and inventory records, credit cards and banking information, or account credentials used to access company systems.
Personal information can be used to commit identity fraud like scam campaigns, or payment fraud like transactions on stolen credit cards. Business information can be sold to competitors or state sponsors, and used to gain access to company accounts. Cyber criminals steal this data by gaining control of the accounts that access it.
Once they have access to your accounts, cyber criminals can change your password and lock you out, then use this account to access other online services. For example, imagine if a cyber criminal was able to access your email account. They could intercept a PDF invoice and edit the payment details, to trick your customers into paying a fraudulent bank account instead of you.
How do cyber criminals access your accounts?
Cyber criminals use a number of tactics to gain access to your accounts.
- Direct attacks, using tools that allow them to guess or break weak passwords. If you’ve used that password across multiple accounts, the damage could be wide-ranging
- Phishing and social engineering, where cyber criminals trick people into handing over their details using links or requests in emails, texts, phone calls and other communications
- Malware, which is malicious software that can infect your device to monitor your activity, and provide backdoor access to your systems
- Ransomware, which spreads across your devices to lock them, so the cyber criminal can threaten to expose or erase your data unless you pay a ransom
5 ways you can improve your business resilience to cyber crime
- Do a risk assessment on your business, to identify any gaps. This might involve thinking about what data you store, which technology you use to store it, and what obligations you have to manage it.
- Get the security basics sorted, like having strong and unique passwords on each account, and switching on multi-factor authentication wherever possible. Password managers are a good option as they do the hard work for you.
- Develop strong policies and processes to help your team maintain clear and consistent cybersecurity habits. This should outline how your business or practice handles account security, device security and data security.
- Buy from organizations that adhere to data security standards, like ISO 27001 and SOC 2. Use secure websites (the ‘s’ in https is the key) and make sure that accessing and sharing data is limited to staff who need the information to do their jobs.
- Don’t forget to consider the human element of security. Staff should understand how to safely use the accounts, devices and data that belong to your business. They should also feel confident about where to go for help, and how to respond if an incident occurs.
Cyber criminals are a growing threat to all of us. The best way to make sure you keep your data safe is to look at your business through their eyes, and consider what gaps or vulnerabilities might exist. That way, you can enjoy peace of mind, knowing the data you’re holding on your business and customers is safe and secure.
Suzy Clarke is the Executive General Manager of Security at Xero, responsible for improving the technical security of the global small business platform, as well as its customers and partners. She has worked in the technology sector for 24 years, both in England and New Zealand, and prior to Xero held senior technology roles across a range of industries.