5 ways to protect your business from cyber threats this holiday season


Black Friday, Cyber Monday, the January and Boxing Day sales. The busiest retail period of the year is almost upon us. But while the holiday season often brings with it bumper sales figures for retailers and bargains for consumers, it also comes with a heightened risk of cyber threats. 

For example, November 2020 saw an 80% increase in the number of common email phishing scams reported. Meanwhile, the UK’s National Cyber Security Centre (NCSC) has been gearing up for the period by releasing updated guidance for consumers on how to shop online safely. 

However, what’s often less widely discussed is the impact this can have on small businesses. Even if your business has nothing to do with retail, you’re still at risk. Here’s why and what to do about it. 

What risks does the holiday season bring? 

Before we look at the risks themselves, it’s important to note that the festive season doesn’t necessarily mean more targeted attacks on SMEs themselves. 

However, who among us hasn’t done the odd bit of lunchtime shopping on company devices or personal devices used for work? And it’s this clandestine bargain hunting that poses the problem. It gives cybercriminals a route into your business. 

Phishing scams

Phishing scams are a year-round problem. But during major retail events like Black Friday, the chances of a successful attack grow exponentially. With so many of us frantically shopping around for the best deals, our ability to spot the telltale signs of a scam often diminishes as quickly as our bank balances. 

It’s a simple but potentially disastrous equation. If you’re in a bit of a rush, you’re not in the best frame of mind for considered judgements. And, if you’re already shopping, a fake email claiming to relate to what you’re doing online might not set off the alarm bells it normally would. 

Fake online retailers 

Black Friday often comes with a deluge of fake websites claiming to sell this year’s must-have products at bargain prices. Unfortunately, most of these are simply fronts for cybercriminals to acquire consumers’ data or launch attacks. Like phishing scams, these can be hard to spot in the hurly-burly of major retail events, making a successful attack much more likely. 

Outdated software 

Again, this is a problem 365 days of the year. But the festive season provides the perfect cover for hackers to test out the vulnerabilities of popular software. 

Firstly, because technical teams’ attention tends to be focused on ensuring apps can handle the sudden surge in demand rather than security. Secondly, because many consumers will suddenly be using apps they haven’t used or updated in months, often on devices with access to your business data. 

Public and home networks

You probably have decent network protection in your physical workplace, but do your staff working from home have the same? And does the cafe around the corner with the free WiFi that everyone uses?

Unsecured public and home networks are a problem all year round, but during busy retail periods, when people are much more likely to shop online, the risk is heightened. They give cybercriminals a very simple way into any unsecured device on the network. Once in, they’ll be able to reach any company assets accessible from that device. 

Weak passwords 

You’ll hear us talking about the importance of strong passwords a lot. It’s the simplest thing you can change to improve your cybersecurity. However, passwords become doubly important in busy retail periods due to the amount of traffic on popular sites. It’s the perfect setting for cybercriminals to try out large-scale brute-force attacks and find out whose passwords aren’t strong enough. 

What can you do to protect your business? 

1. Educate your team about the risks

A huge proportion of successful cyber attacks stem from human error (95% according to some) so helping your team understand the risks is crucial to avoiding them.

You should approach this in two ways: immediate education and long-term training. In the short term, educate your people on the risks outlined in this piece. It doesn’t have to be more than a short email sent out before the festive season really kicks off.

However, a quick nudge to your staff to be mindful of the risks is no substitute for long-term behavioural change. For this, you need security training. How you approach this will largely depend on your business and the cybersecurity knowledge within it but, to get you started, we’ve put together a short blog on the subject. 

2. Patch your software

The importance of updating your software can’t be overstated. Without regular updates, you leave plenty of little holes in your software for cybercriminals to exploit. So, ensure everyone in your business promptly installs updates and patches for the software on their devices – even if it’s an app or tool they rarely use. 

It’s a simple thing and won’t take you more than a few minutes each month. But, it can also work wonders for improving your cybersecurity. 

3. Provide staff with clear cybersecurity policies 

We say this a lot but it never gets any less true. If your people don’t know what security behaviours are expected of them at work, they’ll keep getting it wrong.

Clear, well-crafted company policies on cybersecurity and data protection can go a long way to removing confusion around the subject. And, most importantly, help diminish the risk of a successful attack. 

A good cybersecurity policy should outline what employees should or shouldn’t do, offer directions on best practices, and guidance for decision making. For more on how to build one, read this.

4. Practise good password hygiene 

Like patching, this is a simple fix that can immediately improve your cybersecurity. So what does good password hygiene look like? Well, we recommend four steps:

  • Use complex passwords that make it difficult for cybercriminals to guess or brute force their way in. The NCSC’s ‘three random words’ approach is a great way to do this.
  • Change passwords regularly.
  • Set up different passwords for different accounts, tools and software. If you struggle to remember them, consider using a secure password manager such as LastPass or 1Password.
  • Use two-factor authentication (2FA) wherever possible.

And, once you’ve undertaken these four steps, roll it out to your business. Create a password policy and make sure everyone follows it.

5. Use a VPN 

Last, use a Virtual Private Network (VPN) for all remote work, even those trips to the local coffee shop. If your employees are using public networks or their home router it’s likely to be far less secure than your office network. According to a report from BitSight, home office networks are 3.5 times more likely than corporate networks to be infected by malware.

A VPN can help you counter this by creating a secure connection to business systems and data, from wherever your staff choose to work. 

Want to know more about how to switch to hybrid or remote working safely? Download our guide, Cyber Safety in a New Era of Work here.


Remote working best practices: what makes a strong password?

Still using the password you conjured up for your first email account in 2002 featuring your favourite footballer? We hope not. Passwords play an absolutely essential role in the security of your company, and weak passwords are one of the easiest ways for hackers to breach your cyber defences through employee accounts.

In this article we’ll be sharing advice on how to avoid this common, but easily avoided, security pitfall.

Minimum password length for systems

For all password-protected systems, your business should try to follow these basic steps when configuring them:

  • The minimum length for a password should be at least 8 characters, and passwords should be allowed to contain letters, numbers and symbols.
  • There should be no maximum password length.
  • The system should not allow the user to set a password that does not meet the minimum length requirement.

The requirements mentioned above are simple to understand but can be difficult to implement. It is important to note that these rules need to be established across all password-protected devices and software.

To meet this requirement, you need to consult with your IT manager to ensure that all devices and software (whether third-party or proprietary) enforce the minimum password length.

Enforce a secure password policy

A password policy is used to establish the rules and requirements for setting passwords. Creating a secure password policy for staff helps businesses protect themselves and allows them to meet the password requirements under the government’s Cyber Essentials certification scheme.

The goal of a password policy is to take away the burden of individual users to create solid passwords. However, users should still be made aware of the password policy so that they pick sensible passwords for their email, devices, and other accounts.

Other than the minimum password length requirement mentioned above, your employees should:

  • Avoid obvious passwords that can be easily discovered or guessed such as their name, phone number, birthdays. That goes for your pet’s name too.
  • Not choose common passwords such as ‘abcdefgh’ or ‘12345678’. This can also be enforced through a blacklist that prevents users from choosing common passwords.
  • Memorise their passwords instead of recording them whenever possible. Don’t email them to yourself or keep them in your Notes.
  • Not use the same password for different accounts. 45% of Brits have the same password for half of their online accounts. Not great.
  • Use password management software or other secure mechanisms for storing and retrieving passwords.
  • Require the system to:
    • Protect against brute-force password guessing algorithms by locking accounts after a set number of unsuccessful attempts to enter the password.
    • Change default or common passwords to random non-guessable passwords.
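The two password-policy passages above (the minimum-length rules and the employee and system requirements just listed) describe checks that have to be implemented somewhere, so here is an added, self-contained Python example that is not part of the original article or CyberSmart’s own tooling. It enforces a minimum length with no maximum, rejects passwords on a small constructed blacklist or containing personal details, locks an account after a configurable number of failed attempts, and generates a random replacement for a default password. The threshold of five attempts, the blacklist contents and the `AccountStore` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 8          # minimum length from the policy; no maximum length is imposed
LOCKOUT_THRESHOLD = 5   # assumed: failed attempts allowed before the account is locked

# Constructed sample blacklist; a real deployment would load a much larger list.
COMMON_PASSWORDS = frozenset({
    "abcdefgh", "12345678", "password", "qwertyui", "letmein1", "iloveyou",
})


def validate_password(candidate, personal_hints=()):
    """Return a list of policy violations; an empty list means the password is acceptable.

    personal_hints are strings such as the user's name, phone number or pet's name
    that must not appear inside the password.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password blacklist")
    for hint in personal_hints:
        hint = str(hint).lower()
        if len(hint) >= 3 and hint in lowered:
            problems.append(f"contains personal information ({hint!r})")
    return problems


def generate_random_password(length=16):
    """Random, non-guessable replacement for a default or common password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


class AccountStore:
    """Minimal credential store (hypothetical) that enforces the policy and locks out brute forcing."""

    def __init__(self, lockout_threshold=LOCKOUT_THRESHOLD):
        self.lockout_threshold = lockout_threshold
        self._accounts = {}   # username -> {"salt", "hash", "failures", "locked"}

    @staticmethod
    def _hash(password, salt):
        # Salted, iterated hash so stored credentials are not directly reusable.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, personal_hints=()):
        problems = validate_password(password, personal_hints)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = secrets.token_bytes(16)
        self._accounts[username] = {
            "salt": salt, "hash": self._hash(password, salt), "failures": 0, "locked": False,
        }

    def is_locked(self, username):
        return self._accounts[username]["locked"]

    def login(self, username, password):
        """Return 'ok', 'locked' or 'bad-password'."""
        account = self._accounts.get(username)
        if account is None:
            return "bad-password"   # do not reveal whether the username exists
        if account["locked"]:
            return "locked"
        if hmac.compare_digest(self._hash(password, account["salt"]), account["hash"]):
            account["failures"] = 0  # successful login resets the failure counter
            return "ok"
        account["failures"] += 1
        if account["failures"] >= self.lockout_threshold:
            account["locked"] = True
            return "locked"
        return "bad-password"


if __name__ == "__main__":
    store = AccountStore(lockout_threshold=3)
    store.register("alice", "correct horse battery staple", personal_hints=["Alice"])
    for attempt in ("wrong1", "wrong2", "wrong3", "correct horse battery staple"):
        print(attempt, "->", store.login("alice", attempt))
    print("replacement for a default password:", generate_random_password())
```

The lockout counter lives with the account record rather than the session, so an attacker cannot reset it simply by opening a new connection; unlocking is left to an administrator or a separate recovery flow, which is where a real system would also add logging of the failed attempts.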

If you want to see how long it would take a computer to guess your current passwords, check out HowSecureIsMyPassword.

Ensuring the use of strong passwords is a key step towards becoming digitally secure. 

CyberSmart helps businesses comply with Cyber Essentials by simplifying the process of compliance for them including complying with password regulations. If you would like to learn more about how to implement a password policy for achieving Cyber Essentials, get in touch with us.

Cyber Security 101 – Passwords


Cybersecurity and data protection can be overwhelming. There’s an enormous amount of advice on the internet, but it can be difficult to know how to get started. At CyberSmart, we believe that cybersecurity should be accessible and easy for everyone. So we’ve created a series of guides on how to protect your data. This week we’re tackling passwords. 