Malvertising: the critical new data security issue for SMEs

28th June 2018

Spoofing, Vishing and Phishing are probably well-known terms for organisations knowledgeable in data security, but a new threat, Malvertising, has recently been identified by HMRC.

HMRC’s July Agent Update warns about the new risk from Malvertising, which exploits security vulnerabilities in web browsers.

Web browsers and associated software are now hot targets for criminals who seek to get the browser to mistakenly run the attacker’s code. It’s a catch-up game for users: the criminals seek to exploit the ‘delay’ between the software developer issuing the patch that fixes the loophole and the user downloading and applying that fix.

Malvertising – the facts

Criminals use ‘exploit kits’ on websites: code that attacks vulnerabilities within organisations’ systems.

Most people are painfully aware of receiving emails or social messages with links that end up infecting and bringing down systems.

The criminals just need you to visit their site; once there, they are able to gain entry and install or run their malicious software.

How do I protect my organisation from Malvertising?

Larger companies usually have an IT team or support that would issue and apply critical software updates to protect their organisation, but SMEs might not have that structure in place. However, an important part of keeping your IT systems and data secure is to apply any updates systematically and as soon as possible, which keeps your SME safe from this method of attack.

The November 2017 Annual Fraud Indicator report, backed by the Portsmouth Centre for Counter Fraud Studies and Experian, suggests that the private sector loses an estimated £140 billion to fraud.

Spoofing, Vishing and Phishing – The facts

Spoofing – A type of scam where an intruder attempts to gain unauthorized access to a user’s system or information by pretending to be the user.

Vishing – A fraudster makes a telephone call posing as a bank representative to persuade the victim to hand over financial information.

Phishing – Fraudsters seek to obtain sensitive information such as passwords, usernames, bank details or other financial information by electronic means (including emails, pop-ups or fake websites) while appearing to be a trustworthy source.

What can be done to combat payroll fraud?

Payroll fraud continues to be high across all businesses, with criminals increasingly using sophisticated methods to fool your people into making a mistake.

1) Let everyone know what’s expected
Have clear guidelines, coaching and training on the impact of fraud in your organisation.

2) Bring fraud into the open
Discuss fraud openly from the top down. Ask your employees to be vigilant, and let you know of any weaknesses in your systems – you may not have thought of all possible failures in your systems. Make sure your team update their personal laptops, PCs and other devices as soon as software and security updates are issued.

3) Take away the risk
Use an outsourced provider for your payroll and build your internal audit procedures and practices around that, ensuring anything handled internally carries dual signatories or ongoing audit checks. If outsourcing buys you extra time to spot fraud, take it.

4) Thoroughly check who you’re employing – both internally and externally
Comprehensive employee screening should be the norm internally. Ensure any outsourced payroll provider has ISO 27001 and Payroll Assurance Scheme accreditation so that you can be sure security is at the top of the agenda.

5) Know your team
Always be on the lookout for anomalies – e.g. employees with the same address, and thoroughly check employee expenses.
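A simple automated version of this check, added here as an illustration rather than taken from the original article: it normalises the addresses in a set of constructed payroll records so that differences in case, punctuation and spacing do not hide a match, then lists every address shared by more than one employee. The record format and the ‘St’ to ‘Street’ expansion are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample payroll records (not real employees). The address field
# deliberately varies in case, punctuation and spacing so that a naive
# string comparison would miss the match.
PAYROLL_RECORDS = [
    {"employee_id": "E001", "name": "A. Smith", "address": "12 High Street, Leeds, LS1 4AB"},
    {"employee_id": "E002", "name": "B. Jones", "address": "7 Mill Lane, York, YO1 9ZZ"},
    {"employee_id": "E003", "name": "C. Patel", "address": "12 high street leeds ls1 4ab"},
    {"employee_id": "E004", "name": "D. Brown", "address": "3 Oak Road, Hull, HU1 2CD"},
    {"employee_id": "E005", "name": "E. Green", "address": "12  High St., Leeds, LS1 4AB"},
]


def normalise_address(address: str) -> str:
    """Reduce an address to a comparable key: lower-case, replace punctuation
    with spaces, expand the 'st' abbreviation (assumed rule), collapse whitespace."""
    key = address.lower()
    key = re.sub(r"[^\w\s]", " ", key)      # punctuation -> space
    key = re.sub(r"\bst\b", "street", key)  # assumed abbreviation rule
    key = re.sub(r"\s+", " ", key).strip()  # collapse runs of spaces
    return key


def find_shared_addresses(records):
    """Return {normalised_address: [employee_ids]} for every address used by
    more than one employee; these are the anomalies a payroll reviewer checks."""
    by_address = defaultdict(list)
    for rec in records:
        by_address[normalise_address(rec["address"])].append(rec["employee_id"])
    return {addr: ids for addr, ids in by_address.items() if len(ids) > 1}


if __name__ == "__main__":
    for addr, ids in find_shared_addresses(PAYROLL_RECORDS).items():
        print(f"REVIEW: {len(ids)} employees share address '{addr}': {', '.join(ids)}")
```

A flagged group is a prompt for a human review, not proof of fraud: shared addresses can be legitimate (family members, shared housing).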

6) Never leave just one person in charge
It’s hard, especially in smaller charities, to have more than one person in charge of payroll, but it’s risky. If you cannot do that in your organisation then consider rotating roles on a regular basis or get someone independent to sign off payments.

7) Stay on top of leavers
Make sure your procedures when someone leaves are watertight. The Government and NCVO provide useful advice on fraud prevention, and a reputable payroll provider will give you the secure service you need to maintain your hard fought reputation.

And of course, if you outsource your payroll or use external payroll software, make sure your supplier has all the necessary data security safeguards in place to protect your valuable employee data. With GDPR now in place across all businesses in the UK and across Europe, safeguarding your data has never been more important.