How to avoid becoming a victim of cyber crime

We bring an excerpt of our podcast with Thomas Wong, Improsec, where we talk about threats in relation to having your data compromised.
Support talking with headset

Content

This blog post is written based on an interview with Thomas Wong, Improsec, in the podcast Regnskabets Time, season 2 episode 4
The convenience store chain 7-eleven was hit by a possible hacker attack last week, which ended up closing all of its stores in Denmark.  We feel that it must be appropriate that we bring an excerpt of our podcast with Thomas Wong from Improsec, where we got to talk about the current threat concerning having one’s data compromised by cybercriminals.

Interviewer: We talked a bit before we sat down to record today, Thomas. You told me that many Danish companies do not have the necessary level of IT security. Can you try to elaborate a bit on that?

Thomas: Yes. What I mean is that the vast majority of companies would like to focus on IT security. But when it comes to getting it incorporated into the company’s culture, it often turns out to be far more difficult to dedicate resources to it than first expected. It can, for example, be in relation to getting these basic things done, such as risk assessments or a business continuity plan, which tells you what to do if things go wrong. The day things go wrong, the snowball you have pushed in front of you has just gotten much bigger. Most businesses will be compromised at one point or another, so it’s a matter of making sure the amount of damage is as small as possible. So it is important to be well prepared for an attack.

Interviewer: Today, quite a few companies use cloud-based IT solutions. What exactly do you have to pay attention to concerning the security of a cloud solution?

Thomas: That is a very broad question. But one of the most important things to be clear about is who is responsible and when. The supplier has a responsibility. But only until their service “stops”. When a SaaS solution delivers data into a company’s operating system or the like, it is, therefore, the company’s responsibility that it is stored securely and that the system is sufficiently updated.

Interviewer: As an employee or user of a cloud solution, what can you do yourself to increase the level of security?

Thomas: Quite simply: Choose a good password. Do not reuse passwords. And this also applies in cases where you use different usernames, email accounts or the like – don’t reuse passwords. Here I also believe that you should not change your passwords according to a pattern that is easily recognisable. Last but not least, work-related and private things must also be kept separate. If everyone did that, and stopped checking their private email from their work computer, there would be fewer attacks.

Interviewer: How do you discover that you are under attack?

Thomas: First it starts as an operational disruption – there are files that can no longer be accessed, programs that no longer work and then this is usually followed up with a message which states that you can get your things back if you pay for it. Usually worded in a very nice and polite way. After this, it is quite important to be open about things. An attack can last a long time, and it’s perfectly okay to be open about it. But what should happen next, is that the company should follow the aforementioned business continuity plans. Then you know what to do in all phases of the attack and the subsequent recovery phase. It will save an incredible amount of time and ultimately money.
Some of the companies that have been hit very hard are those that do not have plans ready in advance. In many cases, the public may not even hear that there has been an attack. Because the company has acted quickly, since there was a clear plan and strategy for what to do before, during and after the attack.

Interviewer: Should companies pay the attackers in order for them to stop?

Thomas: I would not recommend that to my clients. I say that from an ethical aspect. But having said that, I can come up with examples of where it would make sense for a company to pay off the attack. It could, for example, be in a case where the company simply will not be able to continue and where bankruptcy will be the natural consequence of the attack. Here it can be difficult to say that you have a choice. But if you choose to go down that path, I would also recommend that you work with some professionals who have experience in negotiating with cybercriminals.
However, if you want to avoid being in a situation where you even have to consider paying off an attack, then risk assessment, training, preparation, penetration tests, etc. are the way forward. It sounds very sad, but it may end up being the most important investment the company has ever made.

Related articles

Meet Visma Acubiz: Rebecca from Legal

In this post, we meet Rebecca, Legal & Compliance Specialist at Visma Acubiz. With a recently earned cand.merc.(jur.) from CBS, she has quickly made a name for herself in the company, where her detail-oriented approach and ability to collaborate across departments create value. We delve into her typical workday, memorable experiences, and what motivates her to perform at her best every day.

Acubiz and efacto Enter Strategic Partnership for Efficient Creditor Bookkeeping with Automated Digital Invoice Processing

Visma Acubiz and efacto have teamed up to make managing invoices easier and smarter for businesses. This new partnership brings together the best of automated expense handling and invoice technology.

New Bookkeeping Act: Discover the Benefits of an Approved Digital Accounting Program

The new bookkeeping act requires digital accounting, placing specific demands on the software you use. Choosing an approved digital accounting program ensures compliance, saves time and money, guarantees a backup of your records, and enhances the security of your financial data.

Your Accounting Must Be Digital: The New Bookkeeping Act

The bookkeeping act needed modernization to stay current, which led to the implementation of a new bookkeeping act on July 1, 2022. According to the new bookkeeping act, your accounting must be digital, which places specific requirements on the accounting software you use. If you manage your bookkeeping in Excel, it is very likely that you will not meet the new law’s digitalization requirements.

“Hveder” should still be enjoyed on a day off

On the last day of February this year, Store Bededag (Great Prayer Day) was abolished as a public holiday in 2024 by a majority in the Danish Parliament. However, at Visma Acubiz, we still believe that “Hveder” should be savored on a day off.