Cybercrime is back in the news. This time it's an
especially nasty 'Trojan' called Zeus v3.
This malicious piece of code attacks online bank accounts, drains
them and then displays falsified statements so that nothing appears
amiss.
Not nice.
And if you believe that SMEs are unlikely to be targeted in such
a sophisticated way, you might want to think again.
Research carried out in February 2009 by the Federation of Small
Businesses (FSB) found that over half of small businesses reported
being a victim of fraud or online crime in the previous 12
months.
The FSB's survey, 'Inhibiting Enterprise',
found phishing emails, card-not-present fraud, and IT system
problems - viruses, hacking, interruption of service - were the
most common crimes experienced. One third of SMEs did not report
incidents to the police or bank.
The average cost of each security lapse is £30,000, according to
'Cybercrime, what every SME should know', published by the Fraud
Advisory Panel. Several companies said viruses, fraud and
hacking had cost them well over £500,000.
So, are there some basic steps pretty much every small business
should take to increase online security?
The first thing to realise is that if you're a small business
you can be open to a wide range of fraud risks.
The Fraud Advisory
Panel lists the key parts of fraud risk management for SMEs
as:
- The company should implement a culture, supported by policies
and procedures, to prevent the business from becoming a victim of
fraud, and identify the areas within the business that are most
vulnerable to cyber attack.
- Detection: implement systems and procedures to detect the early
warning signs of fraud.
- Investigation: prepare for fraud by having an up-to-date
response plan.
- Identify any further controls to ensure they are being
implemented effectively.
- Assess the controls to account for any changes or developments
made in the operation of the organisation.
- Ensure that procedures and controls are workable and supported
by a sufficient level of resources.
- Insurance: review your business's insurance policies to ensure
they are consistent with current business risks.
- Establish a regular review procedure.
It's also recommended that a whistle-blowing policy is
introduced. This means that employees should know that
whistle-blowing is necessary to prevent cybercrime.
They should have a simple procedure for reporting their
suspicions that cybercrime is taking place. This may include an
internal email address to send details to or a fraud hotline to
let them report quickly and anonymously.
Finally, what to do if cybercrime is detected? Here are
some actions to take:
- Assess the situation fully before taking action.
- Isolate the computer so it can't be tampered with.
- Record where the computer is based and all who had access to
it.
- Consider securing all relevant logs - building access logs,
server logs, Internet logs - and any CCTV footage as soon as
possible.
- Call in IT security staff or outside consultants.