Protecting your business against data theft remains a huge issue facing SMEs today.
Yet SMEs are still struggling to address this, so what needs to be considered?
The average cost of a cyber attack in the UK was around £3 million in 2017, according to the Ponemon Institute, down from a four-year average of around £3.5 million.
However, data breaches are up 75 per cent in two years, according to a Kroll study, and most of them are due to human error rather than malice, such as sending an email to someone outside the organisation.
Despite the increase in cybersecurity spend, ‘a breach can happen even if the business’s own corporate network has the necessary level of protection — through supply chain attacks or breaches as a result of vulnerabilities in third-party legitimate software,’ says Maxim Frolov, VP of global sales at Kaspersky Lab.
Carl Lockton, security expert at Lockton, says, ‘The fall in the cyber crime cost to SMEs suggests that SMEs are investing more in cybersecurity prevention including staff training, establishing firewalls and securing virtual private networks.
‘However, these measures in isolation are not sufficient to protect against the growing scale of cyber crime which shows that SMEs remain vulnerable as both technology and cyber criminals become more sophisticated.’
So what exactly should SMEs be doing to manage their cyber risk?
Understand what is at risk
‘Supporting this should be a business continuity plan,’ says Moore. ‘By defining the procedures in the event of an attack, you may be able to keep parts of your business running and limit the damage.’
He adds, ‘You will also need to make sure that a security breach in one part of the business will not affect another and that your data is backed up in another location so that you can access it again. Thinking of the worst eventuality will help you to think about what are the assets that need protecting and what you need to put into place to safeguard them.’
‘(An analysis) might include using Penetration Testers who will mimic the actions of hackers to see if they can breach your network and provide you with a list of vulnerabilities,’ says Peter Groucutt, managing director of Databarracks.
Does your business need to comply with data protection legislation? If so, you will be required by law to protect this information or risk being fined in the event of a security breach, further increasing the cost of an attack to your business.
Post-GDPR, SMEs need to be more cautious about how they use customer data or else face the long arm of the law and the resulting heavy fines.
Groucutt continues, ‘Good cyber security defences are not just limited to technology, you must also address the human factor. Phishing remains a significant threat so user awareness training is critical.’
Put in place the right security controls
Moore says a good starting point is to ensure that there is an enforceable IT security policy in place, with guidelines around security updates, passwords, home working, social media and use of personal devices at work. This should cover use of the internet, email and telephones and, more importantly, the consequences of their misuse.
He continues, ‘Ensure that your networks are protected from both external and internal attacks by installing high-security firewalls. Anti-virus software that addresses your company’s specific needs should be implemented on all systems – off the shelf virus software will not meet many businesses’ IT security requirements.
‘Encrypt all your data, particularly if there is a high use of personal devices and homeworking within your business, and protect it with robust passwords.’
How to stay one step ahead
‘Methods used by anti-threat software developers mirror those adopted by hackers,’ says Moore. ‘It can be difficult to remain one step ahead but there are some basic controls that you should adopt. By running modern operating systems that are regularly updated you can take advantage of the protection of updated security features. Regular risk assessment will also help you to respond to changing security requirements and improve internal controls.’
Groucutt says that you need to have a business continuity and IT Disaster Recovery plan to bring the business back if your defensive measures fail.
He says, ‘It is advisable to review your backup and disaster recovery methods as some strands of ransomware are designed to lie dormant for a period of time before acting.
‘The reason for that delay is that businesses are more likely to pay the ransom if they don’t have a backup to revert to.’
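The point Groucutt makes above is that a backup only helps against dormant ransomware if you still hold a verified copy taken before the payload arrived. The following script is an added example, not code from the article or from Databarracks, that checks a backup history against an assumed dormancy window: it treats any restore point newer than the window as potentially contaminated and reports whether an older, integrity-verified copy (and an offline or immutable one) remains. The snapshot records and the dormancy windows are constructed for illustration.

```python
"""Backup retention check against an assumed ransomware dormancy window.

Added example (not from the article or the quoted experts). All snapshot
records below are constructed; the dormancy windows are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    taken: datetime   # when the backup was taken
    verified: bool    # a test restore or checksum check has passed
    offline: bool     # stored offline or immutable, unreachable from the network


def clean_restore_points(snapshots, now, dormancy_days):
    """Return the verified snapshots that predate the dormancy window.

    Anything taken after `now - dormancy_days` may already carry the dormant
    payload, so only older, verified copies count as a safe fallback.
    """
    cutoff = now - timedelta(days=dormancy_days)
    return [s for s in snapshots if s.taken <= cutoff and s.verified]


def assess_retention(snapshots, now, dormancy_days):
    """Summarise whether retention covers the dormancy window.

    Returns a dict with:
      'covered'         - at least one verified snapshot predates the window
      'offline_covered' - and at least one of those is offline/immutable
      'oldest_days'     - age in days of the oldest snapshot held, or None
    """
    safe = clean_restore_points(snapshots, now, dormancy_days)
    oldest = min((s.taken for s in snapshots), default=None)
    return {
        "covered": bool(safe),
        "offline_covered": any(s.offline for s in safe),
        "oldest_days": (now - oldest).days if oldest else None,
    }


# Constructed sample history: daily verified backups kept for 14 days,
# one verified offline copy from 45 days ago, and an older offline copy
# that was never test-restored (so it must not count as a safe fallback).
NOW = datetime(2018, 9, 1)
SAMPLE_SNAPSHOTS = (
    [Snapshot(NOW - timedelta(days=d), verified=True, offline=False) for d in range(1, 15)]
    + [Snapshot(NOW - timedelta(days=45), verified=True, offline=True)]
    + [Snapshot(NOW - timedelta(days=90), verified=False, offline=True)]
)

if __name__ == "__main__":
    for window in (7, 30, 60):
        print(f"dormancy window {window:>2} days:", assess_retention(SAMPLE_SNAPSHOTS, NOW, window))
```

With the sample history, a 7-day or 30-day window is covered, but a 60-day window is not: the only copy old enough was never verified, so holding old media is not the same as holding a restore point you can trust. The `verified` flag is what a restore test produces, and the `offline` flag is what keeps a copy out of reach of the same malware that encrypted the live systems.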
Moore concludes, ‘Most importantly, put in place trusted consultants that you can turn to in the event of a security breach. Many SMEs will not have the expertise in-house so consider using specialists that can advise you not only on how to deal with a security breach and how to get back to business, but to help prevent this in the first place.’