With the recent global NotPetya attack and May’s WannaCry ransomware attack on the NHS serving as stark reminders of the impact a cyber-attack can have on an organisation, cybersecurity should be at the forefront of business leaders’ minds. However, many are still woefully unprepared when it comes to protecting their businesses and their customers’ data online. This lack of preparedness stems largely from a general misunderstanding about which cybersecurity measures are most effective, and how best to implement them.
While it’s easy to think that only large-scale corporations such as the NHS and WPP are cyber-targets, this assumption is lulling business leaders into a false sense of security. In this digital age, where businesses are increasingly driven by a reliance on mobile technology and internet access, every company - large or small - is a target. SMEs can no longer afford to turn a blind eye to cybersecurity.
Understand the risks
The first phase of creating an effective holistic cybersecurity strategy is understanding the risks that a cyber-attack poses, particularly with the implementation of the General Data Protection Regulation (GDPR) fast approaching. The new EU regulation stipulates that businesses have just 72 hours to report a breach of personal data, or face fines of up to €20,000,000, or 4% of global turnover – a figure which would cripple most, if not all, SMEs.
Aside from the financial implications that can follow a cyber-attack such as WannaCry or NotPetya, the potential reputational damage associated with compromising customers’ personal data can also be devastating for start-ups who are still making their mark on their sector. While some business leaders may see implementing a concrete, holistic cybersecurity strategy as overcautious, those who don’t will ultimately be leaving a door open for hackers.
Separate IT and Cybersecurity
In most small businesses, overworked IT departments generally assume responsibility for managing cybersecurity. This worrying practice not only increases the burden of work on small teams with little to no cybersecurity experience, increasing the margin for error, but also leaves IT professionals to audit and assess their own systems. Put simply, this practice is similar to entrusting an accountant with the responsibility of auditing their own accounts, and is unsuitable.
Business leaders need to implement firm governance structures which create clear divisions between the IT teams responsible for creating and maintaining on-premises and cloud infrastructure and the cybersecurity team responsible for assessing and resolving vulnerabilities. The GDPR’s stipulation that companies which process the personal data of EU citizens on a large scale must appoint a Data Protection Officer (DPO) further demonstrates the importance of establishing governance structures in today’s multifaceted digital landscape.
Implement 24/7 monitoring
One of the main pitfalls of basic cybersecurity measures such as firewalls is that they don’t provide a rounded overview of network security in real time. This means that companies can often be left in the dark about the strength of their infrastructure and remain largely unaware of the number of malicious attacks launched against their systems every single day. In fact, according to Verizon, 66% of cyberattacks go unnoticed by businesses for months on end.
While keeping costs to a minimum is undoubtedly a priority for most SMEs, business leaders need to invest in technology which gives them an overview of their systems 24 hours a day, 7 days a week and provides continuous surveillance of all network traffic. Without this measure in place, businesses can remain completely unaware of breaches, and are left unable to respond to attacks immediately and minimise the damage associated with the loss of personal data or the inability to access crucial systems.
Leverage specialist hardware and teams
Many small businesses simply won’t have the resources to hire an entire in-house cybersecurity team, so for many organisations leveraging an external team of experts is the most effective and cost-efficient way to ensure they have a cybersecurity strategy in place. While the additional cost may put some SMEs off, engaging with a firm that can provide expert advice, services and feedback on all aspects of cybersecurity, and help you create a zero-day attack plan, is crucial.
It’s also important to consider remote devices, such as laptops and mobile phones, which have access to servers and secure or private data. Mobile security breaches can occur in a number of different ways, from downloading malware-infected apps to logging on to a hacker’s unprotected wi-fi network. With these threats in mind it is vital that, as a business leader, you consider the level of encryption that different handsets offer – 256-bit AES serves as a good benchmark for mobile devices; with anything less, business leaders run a greater risk of their mobile hardware being compromised.
Train staff in how to protect against cyber-attacks
According to a report published by the UK’s Information Commissioner’s Office in 2015, human error accounts for almost two thirds of cybersecurity incidents, which is why training staff in how to detect and protect against cyber-attacks is fundamental to an effective cyber strategy. Educating staff on how to recognise phishing emails, particularly on a mobile device where formatting may make them less apparent, will significantly reduce the threat of phishing attacks.
Business leaders can also reduce the likelihood of a cyber-attack by ensuring that employees regularly change their passwords, and use different passwords across their various devices and accounts. It’s also critical that measures are taken to encrypt hardware and connected devices and to protect network infrastructure.
Not all businesses need a dedicated team of in-house cybersecurity experts, or military-standard encryption for mobile devices, but a zero-day response plan, a well-defined governance structure, and an expert cybersecurity partner are fundamental to protecting your business from cyber-attacks. While many business leaders may think their business is too small to warrant creating a proactive cyber strategy, SMEs are some of the most vulnerable targets – with the most to lose. In today’s increasingly complex digital landscape leaders can no longer afford to overlook cybersecurity issues, and those who act now stand the best chance of protecting their business, and by extension their customers’ data.
Darren Gillan, UK MD, Macate