#CyberSecMonth: cybersecurity is a shared responsibility

October is officially European Cybersecurity Awareness Month. #CyberSecMonth is a month long campaign promoting cyber security among citizens and organizations highlighting the importance of information security. The campaign highlights the simple steps that can be taken to protect data, whether personal, financial or professional. The campaign started in 2012 as a pilot project across Europe where participating countries took part in various activities to produce a combined synthesis of the findings, in which can be found on the ECSM website.

In 2019 the general message of the campaign is that cyber security is a shared responsibility. Cifas echoes this message as we rely on the collaboration of our member’s data to prevent billions of pounds worth of fraud each year.

Cyber hygiene: keeping your organisation squeaky clean

Cyber hygiene is one of the particular focuses of the campaign, looking at establishing and maintaining daily routines, checks and general behaviours needed to ensure your organisation is staying safe online. When it comes to cyber hygiene there are some simple things that can save your organisation from future blunders.

Password management

Using a weak password is the equivalent of using a weak lock for your front door – neither is a problem for a criminal to break. One of the best ways to protect yourself is to begin using a password manager tool. A password manager helps keep store of passwords and helps create strong new ones for every different site you use. Check out this previous blog where our Head of Fraud Intelligence offers her best tips for eliminating your digital footprint and staying safe online.

Social engineering:

Social engineering is when criminals use manipulation tactics to acquire personal information. This can be done over the phone, email, or sometimes in person. Having open conversations with employees about what red flags to watch out for can slow down the criminal in time to eliminate the risk.

Phishing: don’t take the bait

Fraudulent emails can be one of the most dangerous types of fraud risks. In some cases all it takes is a click of a link in an email for the fraudster to obtain your personal information or data from your organisation. It’s important to educate employees of the risk of clicking links in emails.

Phishing red flags to watch out for:

• Credentials: emails asking you for any login details, or contain a hyperlink to a log in page.
• Financials: emails asking for any financial details such as bank details, or asking you to make a payment.
• Urgency: Emails that demand an immediate action such as clicking on a link or opening an attachment – especially if there’s a threat behind the urgency.
• Hyperlinks: Hover your mouse over a hyperlink that’s displayed in the email message, if the link-to address is for a different website do not click (This is a big red flag).
• Date: Receiving an email that you would normally receive during regular business hours, but it was sent at an unusual time like 3 a.m.
• To: Receiving an email that was also sent to an unusual mix of people. For instance, it might be sent to a random group of people at your organization whose last names start with the same letter, or a whole list of unrelated addresses.
• From: Receiving an unexpected or unusual email within your organisation that includes an embedded hyperlink or an attachment from someone I haven’t communicated with recently.

For more check out our recent blog post we published in collaboration with City of London Police about not taking the bait and avoid phishing emails.

Human Firewall

Vulnerabilities in technology are always being discovered and in response, vendors regularly issue security updates to plug the gaps. Applying these updates - a process commonly known as patching - closes vulnerabilities before attackers can exploit them. This is not just something that can be done through technology, but can be a process exercised in organisations by ‘patching your people’. This can be done by making sure that employees are educated around the potential risks of fraud. Cultivating a no blame culture in the workplace helps employees to ask questions and come forward about mistakes, which can in turn save an organisation a lot of agony in the long run. The National Cyber Security Centre has produced a free online training package that is written for a non-technical audience.

Top tips to secure your business:

• Password management: implement password managers to help store and create effective passwords.
• Educate employees: an employee who is aware of phishing emails is less likely to click fraudulent links.
• Check your electronic defences: configure firewalls, anti-malware software and email/website filters properly and ensure they are always up to date. Use two factor authentication where you can.
• Workplace expectations: recognise that anyone can fall for a phishing scam regardless of experience, so encourage people to report all attacks and to ask for help.

It’s also worth getting a second opinion – hiring security experts to penetration test your systems can help you understand where your defences work well and where they don’t. It’s better to find any gaps before the criminals do.

What is Cifas doing?

As the UK’s leader in fraud prevention we naturally have a strong focus on security at all levels, from cyber-security to physical safety. Some of things we do to stay secure are simple enough that almost every organisation can do themselves, but we also go further:

• Cyber Essentials: Cyber Essentials is a government backed scheme with basic practice that every organisation should have and look to as a standard. Cifas is certified to Cyber Essentials.
• Information security management: Cifas is certified to the international ISO 27001 standard.
• Staff awareness sessions: focusing on what is relevant to their role, with practical tips to keep the information that Cifas has safe and secure.
• No blame culture: make sure all levels of staff feel comfortable to come forward to the security team.

For more information on European Cybersecurity Awareness Month and their current campaign please visit their website at cybersecuritymonth.eu.

If you have been a victim of fraud or cybercrime, report it to Action Fraud.