Cyber security is not just an IT problem

According to a recent government survey, almost 50% of SMEs believe their business is protected from cybercrime through their Microsoft or Mac software and updates or through having a limited online presence. However, security professionals agree this is not the case – it’s actually people and processes that pose the biggest risk.

When it comes to cyber security, protective technologies such as firewalls and antivirus are the first things that come to mind. The notorious WannaCry and Petya attacks earlier this year also highlighted the importance of using the latest software versions and ‘patching’ regularly to fix security vulnerabilities.

However, what may be less well known is that innocent employees and suppliers can cause as much damage as malicious hackers. Staff are already inside a business’s security framework and can easily be exploited to bypass security controls. Surveys confirm that over 60% of security incidents involve human error or naivety.

These incidents include:

  • Using ‘unpatched’ applications where software updates containing security fixes are not installed
  • Using easily guessed or default passwords
  • Opening infected attachments or visiting unsafe URLs
  • Falling victim to social engineering scams such as phishing
  • Ignoring operating procedures or security protocols.

Here are some real-life examples of these breaches that we’ve come across and some simple precautions that businesses can take to protect themselves.

Social engineering scams

Scam emails look more authentic than ever before and can easily be mistaken for emails from the ATO, ASIC or a bank. We recently heard of a bookkeeper who received an email from a supplier informing them of a change of bank account details. That email was not really from the supplier, and payments of $30k a month were at stake. Another case involved a PA who received an email from her boss asking her to transfer $200 in order to close a business deal. She did as requested – only to find out later that the email was not from her boss.

Staff vigilance and due diligence are key to avoiding falling victim to these types of attacks. No email, however plausible, can be relied on as being genuine and from the right person. Transactions and requests like these should be checked personally – by calling the sender and asking for verbal confirmation. It even pays to check with familiar contacts if you receive an email from them containing a link that seems ‘out of the ordinary’.

When it comes to updating bank details and making payments, two different people in your organisation should be required for authorisation. As an additional safeguard, run monthly exception reports on creditors to check whether any unusual changes have been made. Scammers may wait weeks or months before acting.

Using unsecured mobile devices

Many of us use free Wi-Fi networks, especially when travelling, but remember this is dangerous: any information transmitted and received is vulnerable, and your usernames and passwords are easily obtained. A case we are aware of involved a company director who checked his email over a public Wi-Fi network while on an overseas business trip. The hackers set up an email diversion and emailed the bank, which subsequently failed to properly examine a forged signature sent to them by the scammers. This led to an unauthorised transfer of significant funds (later refunded by the bank).

It is best to avoid public Wi-Fi hotspots for online banking, shopping, entering personal information and sending confidential emails. Consider turning Wi-Fi off in your mobile settings so you don’t connect to Wi-Fi networks by default. If you really must use free Wi-Fi, make sure the websites you visit are fully encrypted by checking that the browser bar shows https:// (instead of http://) and the locked padlock symbol.

Quick wins for cyber security

There are some simple steps SMEs can take to improve their security. These include ‘people’, ‘policy’ and ‘process’ controls, as well as technological defences.

Establish security policies and document processes – Consider implementing information security policies and data classification that clearly set out how different types of data should be handled and controlled. Ensure that employees are aware of the sensitivity of data and their individual responsibilities for protecting it.

Regular staff training – Accidental clicks on infected emails are the most common entry points for hackers into business networks. Make your staff aware of security issues and scams (see scamwatch.gov.au). Staff should be aware of the risk of human error and what is expected of them – for example, regarding personal mobile devices that connect to the company network, USBs and passwords.

Password management – Ensure strong authentication and password management are in place. Staff should use passwords with alpha-numeric complexity and change them every 90 days.

Antivirus protection – Don’t rely on free anti-malware software; buy a reputable package, keep it updated and run a full system scan weekly.

Patching – Make sure you install all updates available for both operating systems AND applications. Patches for licensed software are free and can be set to ‘auto-update’. Consider upgrading to Microsoft’s latest Windows 10, which is more secure.

Backups – Make frequent backups using an external hard drive and disconnect it from your network when completed. Test your ability to restore your data. A good backup procedure helps you recover if you are attacked.

Consider cyber insurance

Many insurance policies now offer cover for data breaches, computer hacking, employee errors and more. Look for a combination of first- and third-party coverage, watch the small print and check what is and isn’t covered, as some insurers are becoming stricter on exclusions.

No business, whatever its size, can afford to ignore cyber security. If you need some initial guidance, please contact your Accru advisor.

About the author
Ainsley has a logical mind and likes things to balance. Coupled with a natural ability for maths (first evident early in school reports!), a career in accounting was always a possibility.