Defending your business from phishing attacks, how to check if your use of AI is compliant with health and safety, and harsh lessons to be learned following a data breach
Today we talk about the risks of phishing attacks on businesses and how you can work to protect your organisation as far as possible. We also look at the use of AI in business and how to check if your usage is compliant with health and safety.
How to defend your business from email compromise
Email phishing attacks that target senior leaders and finance personnel in the business are on the increase. The National Cyber Security Centre (NCSC) has published guidance aimed at helping small to medium-sized businesses to deal with Business Email Compromise (BEC).

The guidance considers actions that you can take to reduce the likelihood of being affected by BEC, and what to do if you think you’ve already been compromised.
What is BEC?
Criminals try to access a work email account to trick someone into transferring money to an account that is controlled by the criminal. The phishing emails are targeted at individuals, usually those who are likely to have the seniority to approve money transfers.
The criminal might try to impersonate someone else in the business and might even include text from an existing email thread to make the contact seem more legitimate.
What to do if you think you have lost money
NCSC advise that if you think you have lost money because of an attack like this, the most important thing is not to panic.
Actions you should take include contacting your bank, ensuring that you are using their official contact details, and reporting it as a crime to the police.
If you have an IT department, they may be able to help, and you should check to see if your account or anyone else’s email account has been compromised.
Reducing the likelihood of BEC
Suggestions include:
- Reduce your digital footprint: Information about senior staff on websites and on social media and networking sites can be used by criminals to make their phishing emails appear more convincing. Senior staff especially should check their social media privacy settings and think about what they post to reduce their digital footprint.
- Help staff be able to recognise a fraudulent request and give them the confidence to ask whether an email is genuine.
- Set up 2-step verification. This means that even if a criminal learns your password, they cannot get into your accounts with the password alone.
- Carefully control who can make high value payments and revoke this privilege as soon as someone doesn’t need it. Have verification procedures to confirm requests made by email.
- Check your email security using NCSC’s ‘Check Your Cyber Security’ tool – https://checkcybersecurity.service.ncsc.gov.uk/email-security-check
- Because of the level of sophistication that can be used, recognise that no amount of staff awareness and training can guarantee detecting all BEC attempts. Therefore, consider how you will handle an incident, ideally rehearsing it so that you know what to do and how to minimise a problem if it happens.
The full guidance can be found here: https://www.ncsc.gov.uk/guidance/business-email-compromise-defending-your-organisation
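As an added illustration of the "help staff recognise a fraudulent request" point (this is not code from the NCSC guidance or from this newsletter), the Python below screens constructed sample messages for the impersonation signs described above: a senior name on an external or lookalike domain, a Reply-To that points somewhere else, and urgent payment wording. The organisation domain, the staff list and the sample messages are all assumptions.

```python
"""Heuristic BEC screening over constructed sample messages (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

ORG_DOMAIN = "example-firm.co.uk"            # assumed organisation domain
SENIOR_STAFF = {"Jane Smith", "Ravi Patel"}  # constructed list of payment approvers
PAYMENT_WORDS = re.compile(r"\b(urgent|today|immediately|wire|transfer|invoice)\b", re.I)


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: Optional[str]
    subject: str
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike(candidate: str, target: str) -> bool:
    """True when candidate is one character away from target (e.g. flrm vs firm)."""
    if candidate == target:
        return False
    if len(candidate) == len(target):
        return sum(c != t for c, t in zip(candidate, target)) == 1
    longer, shorter = sorted((candidate, target), key=len, reverse=True)
    if len(longer) - len(shorter) != 1:
        return False
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def screen(msg: Message) -> list[str]:
    """Return the reasons a request should be confirmed out of band before acting on it."""
    sender_domain = domain_of(msg.from_addr)
    reasons = []
    if msg.display_name in SENIOR_STAFF and sender_domain != ORG_DOMAIN:
        reasons.append("senior name on an external address")
    if lookalike(sender_domain, ORG_DOMAIN):
        reasons.append("lookalike domain")
    if msg.reply_to and domain_of(msg.reply_to) != sender_domain:
        reasons.append("reply-to domain differs from sender")
    if PAYMENT_WORDS.search(msg.subject + " " + msg.body):
        reasons.append("payment or urgency wording")  # weak on its own, strong with the above
    return reasons


SAMPLES = [  # constructed
    Message("Jane Smith", "jane.smith@example-firm.co.uk", None, "Q3 figures", "Attached as discussed."),
    Message("Jane Smith", "jane.smith@example-flrm.co.uk", None, "Urgent transfer", "Please wire the supplier today."),
    Message("Accounts", "billing@supplier.example", "pay@othermail.example", "Invoice 4471", "Our bank details have changed."),
]


def screen_all() -> dict[str, list[str]]:
    return {m.subject: screen(m) for m in SAMPLES}
```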
Is your use of AI compliant with health and safety?
The Health and Safety Executive (HSE) has published an article outlining its approach to regulating artificial intelligence (AI) in workplaces.
The article has some implications that businesses should consider, as follows:
Regulatory compliance
As with any other area of the business, businesses need to ensure that their use of AI in the workplace complies with health and safety regulations.
Risk assessment
Businesses that use AI technology must conduct thorough risk assessments for that technology to identify potential hazards and implement appropriate controls to mitigate the risks.
This means considering not only physical safety concerns but also cybersecurity threats.
HSE have said that they are actively involved in ongoing work to develop their regulatory approach in this area, so it pays businesses to stay informed about these developments.
See: https://www.hse.gov.uk/news/hse-ai.htm
How might the changes to company size thresholds affect your business?
From October 2024, company size thresholds are to increase by 50%. For each company, these new thresholds will begin to apply from the start of the next accounting period commencing on or after 1 October 2024. But what are the implications of these changes to your company?
The Companies Act 2006 makes requirements for what is included in the accounts that are filed at Companies House. These requirements are split into four categories or regimes based on the size of the company. These four sizes are described as micro-entity, small, medium-sized, and large.
A company generally falls into one of those four categories based on its turnover and Balance Sheet total. The larger the company, usually the more requirements there are as to what is included in the accounts.
The increase in the thresholds potentially means that many businesses will move down a category.
At first glance this is good news as it means reduced requirements for the accounts. However, there may be reasons why a company might decide not to take advantage of the change.
For instance, if a company is growing rapidly, stepping down a category may only be temporary. Because some reporting requirements rely on ongoing processes, it may be inconvenient to stop those processes only to have to start them a year or so down the line.
If you have any concerns about how the changes might affect your company, please feel free to contact us. We would be very happy to help advise you on the most suitable regime for your company.
Lessons to be learned from a data breach
The Information Commissioner's Office (ICO) recently reported on a reprimand they issued to a housing association after personal information became accessible in an online customer portal.
Clyde Valley Housing Association in Lanarkshire launched a new portal in 2022. On the first day of its release a resident discovered they could access personal information about other residents. As a result, they called a customer service adviser to report the breach.
Unfortunately, the concerns were not escalated and so the personal information remained accessible for a further five days.
The housing association sent a mass email to promote the new portal. Following this, four more residents also made a report, and the new system was subsequently suspended.
It appears that there was a lack of testing before making the portal live, and, concerningly, staff were not sure what to do about escalating the breach once it was reported.
A case like this leaves lessons for all businesses to reflect on. While new digital systems can allow for large productivity gains, data security has to be a top priority. The reputational damage from a data breach can be significant.
Data protection training is vital for staff so that they know what to do. Reviewing training needs is a must. For instance, an occasional tabletop exercise might help you to see where training needs lie.
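The ICO report describes residents being able to see other residents' information, which is the pattern a pre-release access-control test is designed to catch. The Python below is an added example, not code from the housing association or the ICO: it shows a record lookup that forgets to compare the requester with the record owner beside the hardened version, and a test that tries every resident against every record that is not theirs. The record layout and sample data are constructed, and the portal's real design is an assumption.

```python
"""Added example: ownership check for a resident portal and the pre-release test for it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str      # username of the resident the record belongs to
    details: str


# Constructed sample data: two residents, one record each.
RECORDS = {
    101: Record(101, "alice", "rent account: up to date (constructed)"),
    102: Record(102, "bob", "repairs: boiler visit booked (constructed)"),
}


class Forbidden(Exception):
    """Raised when a user asks for a record they do not own."""


def lookup_unchecked(user: str, record_id: int) -> Record:
    """The failure mode: the user is authenticated, but ownership is never compared."""
    return RECORDS[record_id]


def lookup(user: str, record_id: int) -> Record:
    """Hardened: the caller's identity must match the record owner."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != user:
        # Same outcome for missing and foreign records, so IDs cannot be enumerated.
        raise Forbidden(f"{user} may not view record {record_id}")
    return rec


def cross_tenant_test(fetch) -> bool:
    """Pre-release check: every resident requests every record that is not theirs.
    Returns True only when no foreign record is ever returned."""
    for user in {r.owner for r in RECORDS.values()}:
        for rid, rec in RECORDS.items():
            if rec.owner == user:
                continue
            try:
                fetch(user, rid)
            except Forbidden:
                continue
            return False  # a foreign record came back: the portal is not ready to go live
    return True
```

Running the test against both lookups shows the unchecked version fails and the hardened one passes; the same shape of test belongs in the release checklist for any portal that serves per-customer data.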