[BreachExchange] One secret all successful startups know: keep ahead of the online fraudsters

[Audrey McNeil]

https://www.theguardian.com/barclays-lets-go-forward/2017/
aug/14/one-secret-all-successful-startups-know-keep-
ahead-of-the-online-fraudsters

The head of the payments department at a small tech startup – let’s call
him Peter – receives an urgent email from his CEO requesting £20,000 to be
transferred into an account.

Account numbers, names and sort codes are provided, and the transaction is
completed within seconds.

Later that day, Peter makes reference to the remittance during an accounts
payable meeting. His CEO, in attendance, is baffled and denies any such
authorisation being made.

Peter, confused, brings up the email on his laptop. His boss remains
adamant that the order could not have come from him. They both scrutinise
every detail of the message, before spotting that the domain name of
“their” company has used a Unicode character that looks the same as a
letter in the company’s genuine URL.

The startup has been scammed.

Such fraudulent practice – insidious and out of the blue – is giving
startups pause for thought. According to a 2016 study by the Federation of
Small Businesses (FSB), 66% of its members had fallen victim to cyber
breaches over the previous two years. The total annual cost to businesses
was £5.26bn.

This is money that startups, often operating on shoestring budgets, can ill
afford to lose. Passion, imagination and ideas might be the key to getting
a business off the ground, but it is the companies that best protect their
finances in those tough early days that will prosper.

“People running startups really care about what they do – whether they are
a carpenter, plumber or app designer – but they may not be aware of the
breadth of fraudulent activity out there given they are so focused on
running and growing their business,” says Adam Rowse, head of business
banking at Barclays.

“So those skills needed to manage cash flow and keep on top of
administration and bookkeeping are vital. The businesses that have the
right skills or people to manage these functions, and mitigate risks, are
the most successful.”

The main form of cybercrime startups currently have to contend with is
phishing, whereby fraudsters send emails to obtain personal information –
such as credit card numbers or passwords. Recently, links to fake social
media platforms requiring login details have become the most effective lure
to dupe employees.

According to a report released by cybersecurity firm phishd in February
2017, over three quarters of employees at small businesses and startups
admitted to having fallen for phishing links – and surrendering password
details in the process.

Spear phishing – by which individuals are tricked into providing sensitive
information in response to a fake email address that resembles a real one –
is also on the rise, accounting for 37% of attacks registered in the FSB
report. Malware attacks, at 29%, are the third most common form of
cybercrime in the UK.

So, what’s to be done? Businesses with more capital at their disposal may
be inclined to invest in cybersecurity software, to enhance their firewalls
and email spam filters. But arguably the best way of keeping sensitive data
under lock and key is by working on removing human error.

Workforces – no matter how big or small – should have a strong enough
grounding in cybersecurity to be able to spot immediately a sham email
address or suspicious link. Education is a must.

“Awareness is vital,” says Rowse. “In business, there tends to be quite
large cash balances sitting in the account, with the expectation of payment
being made to new suppliers and contractors.

“This, in turn, means there is a larger opportunity for fraudsters to come
and trick companies into making payments they shouldn’t make. Workforces
need to be vigilant of these security threats.”

Young businesses also need to guard their intellectual property (IP).

Innovative ideas – whether for a new app or solar-panelled car – are what
separates the wheat from the chaff regarding high-growth companies, and
should be viewed as their most valuable asset.

Despite this, securing IP often remains far down the list of priorities for
startups. Other needs, such as marketing and advertising, often take
precedence. Instead, companies should be looking to protect their ideas
from competitors. Businesses can also look to take out IP insurance in case
of trademark disputes.

Protecting IP from infringement can be a costly affair – insurances
packages start from £2,000 per year – but the pay-off in not having one’s
business undermined is surely worth it.

“It’s important, too, to remember IP can include other things like customer
information, contracts and pricing models that you really don’t want in the
open domain,” adds Rowse.

“If it does get out, a competitor might be able to undercut your pricing
model, or copy it. So you need protections in place, whether it’s insurance
or strong cloud software. Your business might not have to be perfect when
you start out, but it has to be secure enough that you’re not a target.”

Robust procedures should be in place to safeguard customer data, too. The
damage to reputation that follows a data breach can have a massive impact
on multinationals, let alone on startups. Managing this risk should also be
a priority.

Startups are often described as being the lifeblood of the modern economy.
This is a fair narrative, but in their bid to secure funding and garner
publicity, protecting the very assets that make them so promising can
sometimes be lost in the mix.

In such a cut-throat and saturated market, failing to recognise a phishing
scam, or a competitor sniffing around a piece of IP, can result in a host
of damaging consequences, from a loss of trade to reputational damage.

Put simply, taking steps to secure your business from fraud can be the line
that defines success and failure.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170815/d3355c5e/attachment.html>