Procurement · 25 February 2016

HR, ransomware and invoices: You need to expect to be hacked

Many vulnerable small firms are still getting the basics wrong
Trustwave EMEA Systems Engineering Manager Oli Pinson-Roxburgh spoke to Business Advice about the increasing sophistication of hackers and how small firm owners are making themselves vulnerable.

With one in four small business owners falling victim to fraud in 2015, and Action Fraud estimating that such attacks cost SMEs almost 20bn each year, the bosses of small firms are increasingly turning to experts for advice on how to mitigate the threats posed by hackers.

Trustwave was acquired by telecommunications giant Singtel in 2015, and includes teams of “ethical hackers” looking for loopholes to close as well as forensic experts who work backwards from a security breach to find out what went wrong.

“Lots of small organisations aren’t able to detect fraud until a bank or a client points it out to them, especially if it isn’t having an impact on the bottom line. Sometimes it takes companies more than six months to realise. In the most extreme cases, breaches go on for years. And the longer it takes for them to be noticed, the higher the clean-up costs,” Pinson-Roxburgh explained.

“The motivation of hackers who target small companies tends to be opportunistic rather than targeted. They will send out junk links to as many people as they can, especially HR managers because they are used to getting CVs so are more likely to open attachments,” he added.

Pinson-Roxburgh has recently seen a rise in hackers’ use of ransomware, software which encrypts the hard disc of the target computer and denies a user access to their data unless they agree to pay a hefty ransom. He also believes that fraudsters are becoming increasingly businesslike in the way they work, and explained: “There’s a whole industry providing managed services for hackers and subscription-based tools which deliver returns of thousands of per cent.”

Yet in spite of the increasing professionalisation of attackers, he believes that many vulnerable small firms are still getting the basics wrong. Pinson-Roxburgh highlighted the importance of simple steps like putting strong password policies in place, removing the guest accounts which are automatically configured on Windows terminals, and installing patches and updates as soon as they become available. The more measures you put in place, the more expensive it is for hackers to target you. These business-minded individuals are looking for low hanging fruit, so deterrents are important.

And crucially, preventing fraud is about behaviour as well as technology. He explained: “You need to make it easy for people to make good decisions. We’ve had finance directors emailed directly by fraudsters posing as suppliers, asking them to send over money, and some of these emails sound very legitimate. There should be a process in place to make sure individuals can’t transfer company money in response to such an email, and staff need to be encouraged to take a more defensive stance.”

“In my experience, people don’t ask enough questions. There’s a real mindshift change needed. Business owners need to assume they’re going to be hacked, and be looking out for malicious attachments or unusual friendship requests on social media platforms. If you have customer data which you’re the sole custodian of, that is a big responsibility, so be on guard.”



Hannah Wilkinson is a reporter for Business Advice. She studied economics and management at Oxford University and prior to joining Business Advice wrote for Kensington and Chelsea Today about business and economics as well as running a tutoring company.
