Without your ducks in a row, you're a sitting duck

[Reading time: 4 minutes]

It can be overwhelming to think about all the online methods that a criminal could use to get their hands on your firm’s money.

As a logical starting point, focus on the two most common forms of attack for most firms.

One relies on dishonesty from start-to-finish. The other relies on honesty.

The dishonest criminal

The dishonest criminal will pretend to be someone else.

They may pretend to be a senior executive putting pressure on an employee to make an urgent payment.

Or they may pretend to be a supplier seeking payment of an overdue invoice, or asking for their payment details to be changed so future payments go to their bank account.

You won’t know you have been dealing with a criminal until they’ve got your money.

The honest criminal

The ‘honest’ criminal will only pretend to be someone else for a short period before revealing their true intent.

When everything is ready, they will tell you that they’ve taken all of your files hostage and you’ll never get them back unless you pay them a ransom.

You will be in no doubt that you’re dealing with a criminal.

But you may still have no choice but to give them your money.

How do you deal with these crooks?

You need to manage this like any other risk.

1 – Look at the ways that the risk could materialise in your firm

2 – Identify steps you can take now to reduce the likelihood of the risk materialising, and

3 – Consider the steps you will take to reduce its impact if it does materialise

Where do you start?

Start with some basics.

Think about your three lines of defence:

People, Policies & Procedures, and Technology

Defending against the dishonest criminal:

Q1 – What is the crime and how does it usually occur?

This criminal is attempting a Payment Redirection / CEO Fraud.

For the fraud to succeed, they need to communicate with your staff. They usually do this by email or by phone.

They pretend to be someone senior within the firm, or they pretend to be a supplier.

Q2 – How can you reduce the likelihood?

a) People:

– Give targeted training on a regular basis to staff who can make payments or who can access the firm’s bank accounts. They need to be reminded about how they could be targeted by these criminals and the common things to watch out for.

b) Policy & Procedures:

– Have clear Standard Operating Procedures for paying invoices. The procedures may differ depending on the value of the payment. At a minimum, high value payments should be reviewed and approved by a senior member of staff. There must be no exceptions in the process for senior executives – Everyone must follow the process.

– Have clear Standard Operating Procedures for setting up or changing payment details. The procedures should involve 2 members of staff and include a confirmation call with the payee using contact details that the firm already has on file. Once again, there can be no exceptions allowed – Everyone must follow the process.

– Have a clear procedure that staff must follow if they think they are being targeted by this type of criminal. It will ensure they get the support and guidance needed to fend off the attempted fraud.

c) Technology:

Discuss a few things with your IT provider:

– If you are very risk averse, restrict your firm’s email system so email accounts can’t be accessed from non-company devices.

– Request that they enable two factor authentication on the email system and educate staff on how to use this added layer of security.

– Configure appropriate SPF and DMARC records so it is harder for someone to send emails from outside of the firm that look like like they came from inside the firm. If this is beyond their capability, ask them about setting up rules in the email system to prepend ‘[External Email]’ or something equally obvious to the subject line of emails that come from outside the organisation.

Q3 – How can you reduce the impact?

You need to be ready for the attack.

– Write down your response plan for this type of incident – Who needs to be called (e.g. your bank, the Gardai, your insurers, your board members) and what will each person do?

Defending against the honest criminal:

Q1 – What is the crime and how does it usually occur?

This criminal is attempting a ransomware attack.

They may require the involvement of your staff to get started. If so, they are likely to communicate with your staff by email.

These emails may look like they’re coming from a trusted colleague or friend, and they may contain some juicy gossip. One of the emails will contain a link or attachment.

The magic happens if the staff member opens the link or attachment. Code will download to this person’s PC and it may very quickly encrypt all files that are visible in Windows Explorer on that PC (including all files on network drives).

This encryption will make all of these files unusable until the correct decryption password is used. The criminal will only give you the password when you pay their ransom. (Even then, the password may not work).

Q2 – How can you reduce the likelihood?

Refer to my points earlier, plus:

a) People:

– Train all staff on a frequent basis so they are aware of how they will be targeted by these criminals. This will reduce the likelihood of someone clicking on a dodgy link or attachment, and increase the likelihood that they will report suspicious activity so the firm can take steps to minimise the impact.

b) Policies & Procedures:

– Acceptable use policy: Clearly state what is deemed to be acceptable use of the firm’s IT equipment by staff, and the consequences of not complying with this policy. Staff need to know that it is not permitted to access whatever they like online.

c) Technology:

– Security: Ensure there is something between your staff and the outside world that is trying to block dodgy emails and websites.

– Administrative Privileges: Ensure none of your staff have local administrator privileges on their PC. It is far easier for ransomware to spread if the user has administrator privileges.

Q3 – How do you reduce the impact?

You need to be ready for the attack.

– Backup policy: Have a clear process for backing up your important files on a frequent basis.

– Backup Technology: Ensure at least three copies of the files exist, stored on at least two different types of media, with at least one of the three disconnected from the firm’s computer network between each backup.

– Backup Testing: Ensure your backups are tested frequently to confirm they work. Otherwise, they’re as useful as a chocolate teapot.

– As before, you need to have a response plan for this type of incident. Write down who needs to be called (e.g. your bank, the Gardai, your insurers, your board members) and what each person needs to do. Work with your IT provider to document how the infection will be identified and isolated, and how files will be restored.

– Bonus: Be clear on how long it will take to restore from a backup (also known as the Recovery Time Objective) and how recent the restored files will be (also known as the Recovery Point Objective). If you’re not happy with the RTO’s or RPO’s, you will need to invest some time and money to improve them.

There are many more things you should be doing to manage these risks. But at a minimum, get these basics in place.

It’s easy to get distracted by newspaper reports about state agencies and Russian gangs hacking phones using zero-day exploits.

But you’re worrying about the wrong people – Any lazy criminal will be able to get your money if you’re not doing these basics.

So, how does this relate to my picture of cute yellow ducks?

1- You need to have your ducks in a row with these basic defences.

2- You’re just a sitting duck without these defences.