How to protect your business against cybercrime

Cybercriminals can target any company, including yours. So make sure you do all you can to protect your company against cybercrime. That involves more than installing antivirus or malware software.

According to Statistics Netherlands (CBS), 1 in every 10 companies in the Netherlands falls prey to some form of cybercrime every year. Are your daily operations fully dependent on digital systems? Or is there a large percentage of physical work, that can continue even if the IT systems fail? You need to work on your company’s cybersecurity, even if you hardly use any IT systems and only access internet to check your email. Find out where your business is at risk.

Access

Set unique passwords and use two-step verification to protect access to your IT systems and social media accounts, such as WhatsApp and LinkedIn. Your accounts will be better protected against hacks and digital attacks. Do not focus on technical solutions alone but also on the responsible behaviour of yourself and your staff.

• Two-step verification provides extra security. In addition to your password or PIN, you demonstrate with a second step that you are allowed access to an account, for instance by confirming the request on your smartphone.
• Make sure your employees do not share their passwords with anybody else.
• Have your employees change their passwords regularly. You can easily automate this.
• Who has access to the different systems? Check that only the people who work with financial systems or security software have access to those relevant programs and systems.

Keep your software up-to-date

If there are updates for your (security) software, install them. Use automatic updates. These repair the vulnerabilities in older software versions.
Make sure employees cannot install software themselves. If they do, you will not know if the software is safe – provided you even know they have installed it.

• Always protect your company wi-fi network according to the WPA2 standard (in Dutch). This is an improved wifi security protocol.
• Invest in antivirus software for all devices that are connected to the internet. Computers, smartphones, tablets, and 'smart devices' (in Dutch), including TVs, locks, fridges, and many more (from smoke detectors to lamps). This will protect you from harmful viruses, also known as malware. Security software also warns you when you receive suspect emails, or visit an unsafe website.

Limit the risks

You can limit the risks of cybercrime by making good agreements on IT use.

• Discuss cybersecurity with your IT supplier and draw up a Service Level Agreement (SLA). The SLA documents which services, quality, maintenance, and risk limitation methods the IT supplier provides.
• Make your website extra secure by using SSL/TLS certificates. The certificate encrypts the connection between your website and the visitor’s internet browser. The URL of an SSL/TLS protected website starts with ‘https’. You can easily check the basic security of your website and email account with the free test at www.internet.nl.
• Be careful when you want to install an app. Is it free? How many users are there? Always try to find apps that have many (positive) user reviews.
• Consider taking out cyber insurance. Cyber insurance can be of real value, if the terms are reasonable and suit your business. The insurance company will not only help you financially, if an attack takes place and causes damage. They will also help you prevent cybercrime. After an incident, they can help you get up on your feet again quickly.

Secure storage

Make clear arrangements with your employees on storing digital information securely. Set up a contingency plan, so that if a cyber incident does occur, you know what steps to take.

• Make regular backups of your data, and store them on different systems. At least 1 version of the data should be stored outside your company, for instance online. In case of fire or burglary, you will still have access to the data.
• Customer data such as addresses and invoices are privacy-sensitive. Store these data encrypted, to prevent a data breach. Encryption means you use a secret code, so the data cannot be understood by anyone who does not know the code. To open the files, you need an access code.
• Has privacy-sensitive information been leaked? You must report this to the Dutch Data Protection Authority (in Dutch) within 72 hours. Even if you are not sure that the data has fallen into the wrong hands, you must report the leak.
• Are you a victim of cybercrime? Report it to the police. You can also hire a corporate investigation bureau to find the cause. Also report the crime to the Fraud Helpdesk. This foundation gives citizens and businesses information and tips on the practices cybercriminals are using at this moment.

Safe in the cloud

Corona has caused many of us to work from home more often, storing files in the cloud. Make sure you and your employees work safely, whether at home, at the office, or on the road.

• Your employees must be able to make use of the company network. Use two-step verification to secure safe access.
• Do not use public wi-fi networks. Make a mobile hotspot for your laptop, using your mobile phone’s 4G/5G connection, or work with a VPN connection via wifi.
• Companies that offer storage in the cloud inside the EU must comply with the GDPR guidelines, the General Data Protection Regulation. Check if your cloud service supplier has an ISAE3402 certificate (in Dutch) to show that they comply with the guidelines.

Weakest link

Are your IT systems technically sound, and have you and your staff made clear agreements on how to use them? Even then, you may become the victim of cybercrime. A colleague may be off-guard, or forget about one of the rules. Scammers capitalise on current affairs, exploit good faith, and try to force you to act quickly in an email, phone call or SMS. Criminals are also always on the lookout for the weakest link. The main tool for this is called social engineering, in other words: misleading people. Here are some examples of honest mistakes you or your employees might make:

• You install software that is unsafe, or use an unknown USB device that contains a virus.
• You click a link in an email that turns out to be a phishing email.
• You forget to lock your screen when you leave your desk.
• You receive a fake invoice (in Dutch) and pay without checking it.
• You act on a message or phone call from a criminal who pretends to be a CEO or manager, without questioning if the request is valid.

Stay alert

Make sure all employees are aware of the dangers.

• Do you doubt whether a message is really from the sender in the ‘From’ field? Contact them, for instance by phone. Criminals often pretend to be someone else, this is called business identity fraud. They also fake email addresses or phone numbers, which is called spoofing. This makes a fake message look even more like a real one.
• Your employees must be made aware of digital safety. Document who in your organisation has access to which information. Organisations that work with a lot of personal data have to appoint a Data Protection Officer (in Dutch).
• Holiday workers, temps, and interns must also receive instructions on how to deal with information and systems safely.
• Criminals use your social media accounts to find out things they can use when they approach you, for example if they want to pretend they are someone you know. So be aware of what you post about yourself and your company.

Practical tools

There are several practical tools you can use to protect your business against cybercrime. The basic cyber resilience scan (basisscan cyberweerbaarheid) of the Digital Trust Center (DTC) is a good starting point. It helps you reduce the risk of cybercrime in your business. The scan consists of questions about the security measures you have in place. Based on your replies, you will receive feedback on how to improve your security. DTC was founded by the Dutch Ministry for Economic Affairs and Climate Policy. Its aim is to help companies improve their digital security. Read more about DTC. 

Do you want to do more about your company's cybersecurity? Read: The 5 basic principles of running a secure digital business.

Online training

Scammers work in different ways. Certain elements are often seen in a criminal's tactics. In 2022, the Dutch banks launched a free online training (in Dutch) that alerts people to the most common forms of deception.

Hackhelpdesk

Have you been hacked or do you think you have been hacked? On Hackhelpdesk.nl (in Dutch) you can find a step-by-step plan and practical solutions to prevent further damage.