Prevention is the Best Defence
Cyber crime is a major problem for business and is one of the fastest growing areas of crime in the world. The ‘WannaCry’ attack in 2017 is estimated to have cost the NHS over £93 million. We all have a duty to help protect the NHS and its systems from attack. The following are some hints and tips, many of which have been provided by the South of England Regional Organised Crime Unit.
Short passwords of eight characters or fewer can be cracked in less than twenty minutes using software available on the dark web. A password should be at least thirteen characters long, ideally three random words, using a mixture of upper and lower case letters, with some symbols and numbers substituted for some of the letters. Such a password would take over six months to crack.
It is recommended that passwords are not changed regularly, as this encourages the use of short or easily remembered passwords. Passwords should only be changed if the user is alerted to a potential breach.
It is essential that a user has a unique password for their email account, not shared with any other application. If an application password is compromised, the user can then still reset it easily through their email account. If, however, the compromised application password is the same as the email password, the attacker can reset both passwords and lock the user out.
Social media awareness
Fraudsters use social media to build a profile of an individual, especially those working in key positions in an organisation. They may send the individual a ‘friend’ request to try to gain greater access to personal information.
To reduce the risk, do not add ‘friends’ that you do not know. Avoid putting any information relating to your work on social media. Do not answer those social media posts about your favourite band, first holiday etc., as the answers are often the same ones used for password reset security questions. Avoid clicking on Facebook quizzes that promise to tell you ‘what kind of kitchen utensil you are’ or ‘what your Viking name might be’: in doing so you give that app access to your personal data on Facebook, and you will probably reveal a lot more when answering the quiz questions. Finally, regularly review and update your security settings and make sure you use the highest privacy options available.
CEO and Mandate Fraud
CEO and Mandate Fraud continue to pose a huge risk, with fraudsters frequently targeting Finance and Procurement teams by impersonating directors or suppliers. Sometimes a private email account is set up in the name of the director being impersonated, or the director’s own account may have been hacked.
A variant is where the Payroll Department is contacted by someone impersonating an employee and requesting that the bank details used for salary payments be amended.
These teams should remain vigilant against such attempts, as emails are easily spoofed or hacked. They should never undertake a financial transaction on the basis of an email alone. All suspicious contacts should be checked with the apparent sender on an independently verified telephone number.
Check your own email account
The website www.haveibeenpwned.com will let you know whether your email account has ever been associated with a known compromise or data breach.
Always follow best practice
Your organisation’s information governance rules are there for a purpose, so ensure you follow them. Here is a quick list of best practice to be followed:
- Always lock your computer when you are away from your keyboard, even for a short time.
- Never share your password with anyone.
- Don’t plug non-NHS hardware (phones, memory sticks, etc.) into your computer.
- Don’t leave laptops or NHS phones in your car. If it is unavoidable then lock them in the boot.
- Don’t use public Wi-Fi: as soon as you connect, your passwords could be collected by a criminal using software available on the dark web.
- Keep the software on your computer and phone up to date by installing updates promptly.