Protect your business online and offline

Risk of physical attack will always be there, but new threats are emerging

It used to be the case that if somebody tried to steal from your business, an alarm would go off and the authorities would act accordingly. In the 21st century however, the landscape is entirely different and changing rapidly.

Of course, the threat of physical attack is much as it always has been, and the Garda has guidelines for business owners on its website as to how best to mitigate the risk to your business and what to do if the worst happens.

These include keeping the premises well lit, utilising grilles or shutters at entrances and windows, keeping tills out of the sight of the public, employing anti-ram bollards outside, and investing in appropriate locks and CCTV.

But how can you protect your business when the assailant is not barging through the front door with a spanner in hand but rather manipulating staff and covertly gaining access to sensitive information before you have even noticed.

Protecting your business is about knowing what the risks are, how to recognise the signs when they appear and taking the necessary action to fend off attacks.

The Irish Small and Medium Enterprises Association (Isme) produces a crime survey of its members each year. Last year, 79 per cent of companies who responded said they had been targeted by computer-related criminal activity.

Some 51 per cent said their business had fallen victim to a “virus infection”; 51 per cent to “hacking or electronic intrusion”; and 20 per cent to credit card fraud.

Among the things to look out for is “ransomware”. One of the fastest-growing types of cyber threats, it encrypts data on infected machines before asking businesses to pay ransoms in hard-to-trace digital currencies to retrieve their data. Companies with an online presence are also facing what is called a “distributed denial of service” attack, which is when so much traffic is sent to a website that it cannot cope and legitimate users cannot gain access. Like ransomware, a sum of money is demanded before normal service can resume.

"It's become much more prevalent, and particularly with small- and medium-sized enterprises because they may not have the resources to dedicate to these types of issues," says information security consultant Brian Honan.

“If your website is of high value to your business, you need to make sure you’re talking to your host and provider to make sure you have appropriate protection in place.”

In terms of a defence against blackmail or extortion, something as simple as backing up your data could make all the difference.

There is also an attack called “CEO fraud”. This is when company employees receive emails or correspondence purporting to be from the chief executive or a senior member of staff requesting money transfers to specific accounts that are under the control of the perpetrators.

“The emails will look like they come from the company’s CEO and sound like the company’s CEO in tone but in actual fact they’re coming from the criminals, who may have hacked the CEO’s email account,” says Honan.

Among the most serious type of attack is what is known as an “advanced persistent threat”. This uses multiple phases to break into a network, avoid detection and harvest valuable information over the long term. Perpetrators will often employ a combination of social engineering, blackmail and malware to achieve their aims.

Paul Dwyer, president of the International Cyber Threat Task Force, believes breaches are inevitable these days. Criminals, he says, want to "work under the radar" and detection is key to prevention.

“Data is the new cash,” he says. “What bad guys want is to get your data. Once they have it, they can sell it a number of times on underground stock exchanges. All different types of data have different values.”

Another safeguard is to employ proper anti-malware controls, and to carry out regular security checks to make sure the system is actually working.

“People need to look from the inside out as well,” says Dwyer. “They need to look at whether, if somebody does get in, they do have any safeguards. If they are in, will we actually be able to detect them?”

Whether you are protecting your business from physical or online attack, a key thing to do is identify what is most valuable to your business, whether that is information, cash or stock.

Steal information

“If you’re connected to the internet, you need to realise the internet is connected to you,” says Honan. “It doesn’t matter where you’re located, criminals can still reach out and attack you or steal information. The biggest and best way to fend against them is to identify what information it is you’re trying to protect, where it’s located, and how best to protect it.

“If it’s on a mobile device, make sure it’s encrypted and that you have anti-virus software installed. On your company network, make sure you have appropriate firewalls to prevent malicious traffic getting into your network.”

Another important defence is to train staff to be aware of the risks and how to identify suspect attacks before it is too late. Government website provides more information on how best to do this.

On April 1st, the International Cyber Threat Task Force will host a conference in Dublin's Shelbourne Hotel to discuss "cyber risk oversight". The event is directed towards business leaders who wish to learn more about cyber attacks.

Dwyer says this “collaborative approach” will be vital in terms of online security. “The criminals collaborate,” he says. “They share information, intelligence, techniques, and they assist each other. That’s what businesses need to do. We need to share intelligence and give each other the heads-up in terms of the modus operandi, what they do, and what they’re after, and that’s the best way to thwart these guys.

“You can invest in tonnes of technology, but active intelligence that can prevent this stuff is far more beneficial, and it costs next to nothing for businesses to be in touch with one another on a sector by sector basis.”

Isme estimates the direct cost of crime per enterprise has risen to €9,539 per annum and the annual cost of prevention is €4,652 per company. This gives a total average cost of €14,191 per company annually. Chief executive Mark Fielding says finding the necessary resources is often a key constraint preventing businesses from employing the necessary security measures.