You can find a whole range of freely downloadable resources to make it easy for you, your staff, and your customers to get cyber smart too at the CERT NZ website.
The Companies Office regularly hears about companies who have lost their data or their dosh. While there is a focus on cyber security, we talked with CERT NZ about some of the common cyber security issues being reported by professional services firms like yours. Here’s a story they said was common.
People often share documents for work. So when Trevor in accounts receives an e-mail asking to share an invoice file and providing a link to click and log in to download the file, he doesn’t think twice. Even though Trev is pretty tech savvy, he can’t see anything out of the ordinary; the link looks legitimate. He clicks on the link, which takes him to a convincing-looking website that looks like an Office365 login. He enters his user name and password, and this is all the scammer needs to send the same phishing e-mail to all of the contacts in Trev’s address book. But that’s not all the scammer does.
The scammer uses the information they’ve accessed from Trev’s accounts to create fake invoices with the wrong bank account details that look just like they come from Trev’s company, and sends them to the contacts in Trev’s address book. Some of the company’s clients pay, and these funds can’t be recovered. Trev’s customers are also hesitant about doing business with the firm again given its systems had been compromised.
CERT NZ has some advice on their website about how to avoid this happening to you, including enabling two-factor authentication (2FA) across the company e-mail. 2FA is an extra layer of protection on top of your password. With 2FA in place, even if an attacker knows your password, they still can’t get into your accounts.
If you’re a bit more tech-savvy, take a look at CERT NZ’s critical controls 2018 (PDF, 1.4MB), or if you’re just keen to keep your business safe by keeping your staff safe, go to the Cyber Smart Week section of the CERT NZ website.