
Alastair Murray

Director, The Bureau


Designing a cyber defence strategy for your firm

Alastair Murray presents measures to avoid incidents cyber-criminals can exploit

Firms large and small are struggling to know how to manage their cyber security and what is best to protect themselves from phishing and ransomware attacks. Some are doing well through strict compliance with GDPR, but some are unwilling to grapple with the number one cause of cyber crime: human error.

As office technology becomes the driving force behind firms of all sizes, the need to protect it from cyber attack grows. A data loss incident, phishing fraud or ransomware is a prospect no firm wants to contemplate, each with the potential to do untold damage to customer relations and attract heavy fines.

While phishing remains the number one threat to firms, some of the biggest frauds succeeded with no more than a simple email instruction, without any attachments or embedded links. It seems all a cyber-criminal needs to do is write a convincing email. Cyber security breaches are never the result of something that could not have been prevented.

Data security

While small firms imagine they are under the radar of cyber criminals, they are not. It is because so many small and medium enterprises (SMEs) think this way that cyber criminals are finding them such easy targets. Now is the time for all organisations and particularly SMEs to look at the many simple ways they can improve their security to ensure they comply with data protection regulations.

Data security should not be seen as a chore, but as a clear demonstration your firm is taking its data security responsibilities seriously, giving you a competitive edge over your more hesitant rivals.

To survive any of these incidents takes commercial strength and managerial vigilance to deal with the IT issues, the legal obligations and the customer relations consequences. Not only will this kind of approach help solve the problem more quickly, it also demonstrates that the firm has taken the necessary steps to defend itself, and it is therefore more likely to recover from any action taken by regulators and customers.

Designing a cyber defence strategy for your firm requires more than just IT. IT is certainly important, yet cyber-criminals avoid most of the hardware and software security traps set for them and go for the humans, who continue to be the weakest link. This lack of appreciation of the threats is a dangerous security gap that cyber criminals are successfully exploiting every day; it needs to be plugged, and quickly.

Defending your firm against all the usual threats requires a smart mix of IT hardware and software, management commitment, staff training, Cyber Essentials type system controls and insurance. A defence package like this makes your firm a far more difficult target for the cyber criminal to break into.

Cyber Essentials

The government has done a lot to create a large chunk of this with its own Cyber Essentials Certification Scheme. It is supported by industry and offers every business a simple and highly effective cyber security template. There is a self-assessment version and the Cyber Essentials Plus option, where you are independently audited.

Most firms know they need to take control of their cyber security, but don’t know where to start. A new Readiness Tool developed by Information Assurance for Small and Medium Enterprises (IASME) is the first step in the journey towards becoming Cyber Essentials certified. It is designed to support and educate, shedding light on some of the technical terms and acronyms to create a tailored pathway for firms to follow. Over 100,000 firms have now been Cyber Essentials certified.

Research has shown that when these Cyber Essentials techniques are applied, up to 80 per cent of cyber-attack threats are blocked. These tactics, techniques and procedures (TTPs) need not cost anything, requiring instead a set of administrative standards for office security, governing staff behaviour when online, cyber security policies for financial controls, password management, IT gateway configurations and the much talked about need for regular operating system patching.

Alongside the Cyber Essentials Accreditation comes cyber security awareness training. While classroom style training exists, the latest cyber security training, particularly for regulated industries, is now online and continuous. Managed by the HR department or compliance, employees are set training that matches their risk level. A receptionist may be low risk, but someone in accounts would be high risk. Each would use a training platform tailored to their risk status: one that is user friendly and intuitive, offering an affordable way to access highly effective cyber awareness training conveniently in the office, on the job, through continuous learning programmes.

In addition to cyber security training, a data security programme could examine and identify your data sources and how to protect them. At the same time, your data and cyber policies will lay down standards for how management and staff use office technology and their responsibility for identifying and reporting unusual activity. It is a simple way to lay down the dos and don'ts when on the web and dealing with emails.

Even with the best security software IT budgets permit, Cyber Essentials Certification and cyber security awareness training, office networks are still being penetrated. One click on a rogue email by an employee could infect one or more workstations, let hackers in, cause a data breach or even lead to a cyber ransom demand.

Risks and insurance

Most firms have smoke and fire alarms throughout their offices and hold regular fire drills, but they still insure the business against fire. The same should apply to your cyber risks, so even when you have taken all the steps to keep the business safe from a cyber-attack, you still need to insure against it.

GDPR requires an organisation to report a cyber breach where personal data has been compromised within 72 hours. There are heavy fines and penalties for not reporting, so who are you going to call when this happens: your solicitors, your accountants, the police, or who?

A cyber risks or commercial crime insurance policy is the answer. It gives you access to a 24/7 helpline to call when you suspect a cyber-attack. This will help with deciding whether personal data has actually been lost, stolen or otherwise compromised and whether to report it or not; help with contacting the firm's clients where and when required; access to forensics; help with data restoration; help with legal expenses; and help dealing with and managing possible fines and penalties.

This is the single most important reason for having a cyber risks insurance policy. Most cyber risk insurance policies offer these core covers and give you a crucial lifeline when you suspect, or have had, a cyber breach incident.

What you least expect, sometimes happens!

Alastair Murray is director at The Bureau