Category: Cyber Security
Stop, check and check again
By David Tuck
07/01/2020
It seems every day we are hearing about the latest loss of data, how companies and individuals have been “tricked” into handing over large sums of money and how our personal information is being used without our knowledge.
I am sure that many of these things have always happened; confidence tricksters and “con artists” have been with us for a long time. So why is it happening more frequently now?
Technology has indeed made it easier to communicate and move information around, but unfortunately, this makes it easier for the fraudsters too.
Over the last few months, I have seen a growing number of organisations caught out by such fraudsters. These tend to be smaller businesses where staff know the CEO or Owner and are used to taking informal instruction from them and do not question too much when this happens.
So, what can we do to combat this? One piece of advice I can give is to take an “old fashioned” approach.
This may seem at odds with today’s fast-paced world of technological marvel, but just think, in the past did shops give you something essentially on the promise that you would pay? It would have been interesting to go into a shop and tell the staff that their Manager, before going on holiday, said that it would be okay for you to pick up the latest TV for free whilst they were away. And just to prove it, you have an unsigned letter with their name on it. I suspect you would have been politely asked to leave!
Adopting an “old fashioned” approach is one way to combat this. Don’t give anything to anyone until you have spoken to the person who has authorized it, either face to face or on the phone (and of course, you ring them, not vice versa). Always be suspicious if the authorizing person is conveniently on holiday or not in the office.
Be “old fashioned”, take your time, check and do not be hurried into making a decision. If the person doing the asking in the email is really your CEO, they should appreciate your thoroughness.
And if you are the CEO and have just received a quick phone call from your accounts person while you lie on the beach in the Bahamas, don’t be upset with them for double-checking. That few minutes of your time could probably be the best investment you have ever made. After all, where can you save £100,000 by taking a 2-minute call today?
Cyber Essentials - Why it's like locking your car!
By David Tuck
16/12/2019
Unfortunately, it’s a sad fact that smaller companies are more likely to fall victim to cyber criminals than larger ones. You may think that because you don’t have a high turnover or a prominent public profile that you can escape detection from cyber criminals, but don’t be fooled. Criminals know that larger companies have significant security resources, thus making circumvention of these defenses much harder and this challenge often acts as a deterrent.
If they do manage to break in, the payback may be substantial, but so is the risk. Spending three months trying to hack into an organization takes significant investment from a hacker and the risk of detection will grow each day. A large company is far more likely to report a breach to the authorities and try to recover its lost data or money.
Often it is easier to target 50 small companies, where the risk of detection is minimal. These small companies won’t have the skills or the resources to put in place complex defenses and 50 small targets can often be more valuable than one large one.
I often hear “well the hacker will get in anyway, won’t they? So why bother spending all this money when it won’t do any good!” A well-resourced hacker or sovereign state with limitless resources will indeed get in, but this is not what you are trying to defend against. Making your company less palatable is the goal you want to achieve.
Most hacks, like thefts, are opportune. The hacker will scan thousands of IP addresses until they find a vulnerable one and then exploit it. They may even be in your system for months or years, gathering information before you are aware of it. On average, it takes 177 days for a break-in to be detected; for every threat that is detected quickly, there are far more that are not. Your company could have been breached in January and you may not even be aware yet!
So, what can you do?
Well, you wouldn’t leave your car unlocked in the street, would you? Yes, we all know that if someone wants to steal it they will. You lock it to prevent the opportune thief and that is what you need to do with your IT systems.
If you’re not a cyber security expert, where do you start?
Luckily you don’t have to be an expert to make a difference. Schemes such as Cyber Essentials and Cyber Essentials Plus address the most common themes. Think of these as mini-audits of your IT systems against the most common ways hackers get in. If you carry out a Cyber Essentials certification, you will address 80% of the most common vulnerabilities in IT systems today. This may not be 100% foolproof, but it goes a long way in helping you to deter that opportune hacker, encouraging them to move on to the next easier target, the next car in the street.
So lock your car – show clients and hackers that your company takes information security seriously. Complete Cyber Essentials/Essentials Plus and help to secure your IT systems from attack.
We’ve written a short guide to help you better understand Cyber Essentials Certification and how it can benefit your organisation.
Lack of Multi-Factor authentication is helping criminals access your data
By Rob Ward
11/12/2018
The lack of multi-factor authentication helped criminals to steal usernames, email addresses, social media tokens and 4.7 million phone numbers from 21 million users of social media app Timehop. The app, based in the cloud, resurfaces old photos and posts by connecting to your social media profiles. “Access tokens”, which are allocated to Timehop by social media providers, were also taken and could allow criminals to view a range of social media posts without permission.
Multi-factor authentication is the process of confirming your identity in two different ways before access is granted to an account or service, for example with a PIN or password, a secondary device such as a key fob or card reader, or biometric data such as a fingerprint. We recommend that all our clients implement a multi-factor authentication process to help protect their IT systems and data.