The next high-risk area for businesses when it comes to cybersecurity might not be the threat of losing thousands to malicious hackers or dangerous malware, but instead the ongoing dangers of online shopping at work.
While it might sound ridiculous, cyber insurance firm Edmund has warned small businesses about the risks of business owners or their employees shopping online at work, claiming the practice can lead to increased exposure to cyberattacks.
Though we all might say we don’t do it, online shopping at work is increasingly commonplace in Australian businesses. A study from last year showed that one in two Aussies have shopped online during work hours, leading to an estimated $31 billion in lost productivity annually.
Richard Smith, co-founder and director of Edmund, said in a statement that many employees may shop online at work because it is easier or, in some cases, safer than doing so at home. However, a harmless purchase from Amazon could unintentionally lead to many more problems.
“What employees don’t know is that they could be compromising their employer’s security, especially if their employer is a small to medium-sized enterprise (SME),” Smith said.
This is because many employees use their work email addresses to log in to various websites, and those websites are, in turn, being compromised in data breaches. Edmund says that LinkedIn, Yahoo, Adobe Systems, eBay, Uber and recently Twitter and Under Armour are just some of the sites compromised in data breaches.
Those email and password combinations, often sold on the ‘dark web’, can then be used to access company systems, or engage in social engineering – a form of cyberattack where attackers pretend to be members of the organisation to dupe workers into sending funds to fraudulent bank accounts. The Australian government estimated 12.5 million Australian email addresses were published online last year.
“With an e-mail address and password cybercriminals may be able to quickly work out how to gain access to your business network. At the very least, they are well equipped to launch phishing and/or social engineering campaigns against you,” Smith said.
“Any of these may result in significant cost to your business.”
Business owners concerned about their email addresses and passwords being available online can check whether they have been included in a data breach via haveibeenpwned.com.
Social engineering campaigns, also known as “Business Email Compromise” (BEC), have been known to wreak havoc on SMEs, with hundreds of cases being reported to the Australian Criminal Intelligence Commission (ACIC) over the past few years.
In August last year, Australia and New Zealand managing director of cybersecurity firm Proofpoint, Tim Bentley, told SmartCompany that SME owners should be vigilant when it comes to suspicious emails, as the amounts hackers try to nab can nearly ruin a business.
“BEC attacks mean huge sums which can undermine a smaller company and significantly rock a larger one. The attackers go for as much as they can, and even tech-savvy companies such as Facebook and Google have been taken for more than $100 million over the last two years,” he said at the time.
“I would take anyone who can pay a bill and put them through some basic training on this. It’s very easy to pretend to be someone else over email.”
“If they’re in any doubt, they should make a phone call or get a second opinion from someone else in the office. Make sure they call via a trusted and saved phone number, not through a number provided on the email address.”