Cyber crime: an issue for the boardroom
Think you’re not a target? Think again.
Last year’s Government survey on cyber security breaches found that almost half of cyber attacks were against SMEs. If your business is not taking cyber security seriously, you may not be protecting yourself. Hackers may need very little effort or time to access your system; with their software constantly looking for vulnerabilities, it can take just a second to install ransomware.
So what are the risks, and how can you mitigate them?
These are the questions we put to the senior business leaders at our recent cyber security roundtable event, which we co-hosted with High Growth Knowledge Company, Bluefin Insurance and Milsted Langdon. The participants grouped the risks into the following categories:
Cyber-attacks can be incredibly expensive. Ransomware can bring organisations to their knees with just one click of an email link. The ransom itself might not be expensive, but the disruption can be huge.
The long-term losses from reputational damage could far outstrip the initial financial cost of an attack. When your websites, sensitive personal data or confidential transaction details are compromised, the damage may mean losing customers.
All companies are required to keep clients’ information confidential, but the new General Data Protection Regulation coming in May 2018 will bring even tighter regulations and even bigger fines.
Risk mitigation: 8 great places to start
1. Take it seriously
Many businesses are still viewing cyber security solely as an IT or an HR issue. It’s not. Cyber security is a business risk like any other; it needs to be addressed at the highest decision-making level, the Board.
2. Don’t do nothing
With so much media-induced fear, businesses sometimes behave like rabbits in the headlights. Accept that it will happen – it's a question of when, not if. Then start to focus on securing your people, processes and technology.
3. Get the basics right
Be meticulous about firewalls, correctly configured internet gateways, changing passwords when people leave, and up-to-date security patches and malware protection. Put robust processes and policies in place: which emails should people not open? How should employees work on trains? What information can they share on social media? The list goes on.
4. Train for less pain
Ultimately, staying 'cyber secure' is about people and minimising human error with education right across the board, including senior executives. And it's not enough to simply train staff; training must then be followed by knowledge testing and further training and re-testing.
5. Think negative
Even the most robust training and technology can't guarantee protection, so you need to be prepared for the worst: how will you handle orders, run the business without a network, and tell your clients?
6. Share your failures
The natural tendency is not to disclose that you've been exposed to a threat. And yet honesty is a crucial part of the solution. Businesses sharing and learning from each other's experiences is a way to close down some of the vulnerabilities.
7. Insure against it
Insurance can give peace of mind. The beauty of having insurance is getting expert help from the start; insurers don't just pay for it, but send the experts in. They can help fix the problem, deal with the public relations fallout, and tell you whether or not to pay the fine.
8. Start with the Government’s Cyber Essentials
Like many businesses, the Government has been slow to fight cyber crime with the requisite resources.
It has recently launched Cyber Essentials, a set of simple steps to help businesses protect themselves – with accreditation you can show to clients. It's by no means the solution for all issues, but 75% of the breaches that occur are preventable. Cyber Essentials looks at the basics to address that 75%.
So what do we learn from this?
No one is completely safe. Cyber crime is a threat that's here to stay and SMEs need to take it seriously. But it's not all doom and gloom. Applying basic principles will help to avoid a lot of preventable attacks. And you can at least be equipped for what you can't prevent.
But it all starts in the boardroom.