The UK government has committed to making the internet a more secure, positive and prosperous environment for businesses. This is good news. Cyber security breaches cost UK organisations £34.1 billion last year and everyone needs to take this threat seriously.
A new national cyber security strategy will focus minds and may even make the internet safer, but it can’t guarantee our safety. Businesses need to take responsibility for their own cyber security. Almost a quarter (22 per cent) of UK businesses discuss cyber security matters at board level now and it is a subject we talk about regularly with our clients. But while huge quantities of personal and financial information make large consumer-facing organisations obvious targets, leaders of small and medium-sized businesses frequently ask why hackers and other cyber criminals would be interested in them.
Beaming’s research shows that British bosses rank data theft as one of the biggest security threats they face. The list of infamous incidents of this kind grows longer each year. Malware, hacks and the actions (or inaction) of rogue employees have resulted in huge fines and reputational damage for those affected.
Fear of breaches is greatest amongst large companies and rightly so: 16 per cent of large UK companies suffered successful attacks last year. It is far from being an exclusively big-business concern, though: 12 per cent of medium-sized firms and 4 per cent of small businesses also told us they were victims, with the average cost of managing the impact of each attack estimated at £16,264. Any firm with customers or financial information is a potential target, and smaller businesses, especially those operating in the supply chain of large organisations, are particularly vulnerable.
Even though they may not be required to name an information handler by the Information Commissioner, any business with employees will hold payroll data and other sensitive information covered by the Data Protection Act. They have an obligation to protect any data they hold that they wouldn’t want to publish publicly on their websites.
Protecting your intellectual assets, customer details and financial information is vital for many reasons, not least because identity theft remains a significant threat for individuals and businesses. Fraudsters rely on the information they can harvest from unsuspecting organisations to perpetrate these kinds of attacks at scale. Professional services firms find themselves particularly vulnerable here. Accountants hold huge amounts of financial information and solicitors are privy to sensitive personal or commercial information that could seriously embarrass their customers if it were to be compromised.
These organisations tend to be highly trusted by their customers and welcomed with open arms into their boardrooms. Data breaches seriously undermine the credibility of such companies, and when you have people carrying devices and pieces of paper containing potentially sensitive information around the outside world, the risk of disclosure grows exponentially.
Whether through complacency, manipulation or malicious intent, the weakest link in the cyber security chain is people. Employees were believed to be involved in around half of the breaches suffered by businesses last year. Warnings suggest social engineering is becoming an increasing concern. When it comes to information security, social engineering refers to the manipulation of people into divulging information or performing actions that put company assets and confidential data at greater risk of theft and disclosure.
Professional services firms have found themselves particularly vulnerable to this kind of attack. In September the head of a fraud ring was sentenced to 11 years in prison for a £113m scam targeting law firms and other businesses. Action Fraud, the national fraud and cyber-crime reporting centre, has warned solicitors and estate agents to be wary of fraudsters using social engineering techniques to trick victims out of money destined for house purchases.
Criminals now study companies and the networks they interact in to find a weak link in the supply chain. By understanding how small organisations operate and present themselves, it is then relatively easy for criminals to perform personalised attacks against their bigger and more valuable customers and business partners.
Phishing attacks are becoming a significant threat here. 9 per cent of businesses we surveyed said that they had fallen victim to phishing attacks in the last year. They aren’t being taken in by classic requests for help transferring millions out of war-torn locations, but by personalised emails purporting to come from key business partners and suppliers.
Protecting your business and its partners
Even if you run the very smallest of companies, there are many reasons why criminals would be interested in your data. Businesses must do everything they can to ensure their cyber security defences are up to date to reduce the risk of this information falling into the wrong hands and being used to harm your business, employees, customers and suppliers.
All businesses have a responsibility to protect their assets and ensure that their IT systems are not used for criminal activities. Being ignorant of the existence of botnets on your IT systems is no defence if they are used to perpetrate cyber-attacks on other businesses. Getting the technology piece right is one consideration. Spam filters, anti-virus software and firewalls must be maintained. Business fibre connections tend to have more sophisticated firewalls than older forms of connectivity, making these networks stronger and more secure.
Single broadband routers also need to have their firmware regularly updated to prevent breaches. People, however, remain the weakest link. Laptops are frequently left on trains or stolen from cars. Employees clicking on compromised links are a common cause of problems and ransomware is so sophisticated now that this can cause real issues very quickly. Education is important; all employees are responsible for data security, not just the IT department.
The best firms reduce the risk of information taken outside of the office being lost or stolen by hosting it securely in a data centre or the cloud and accessing it remotely using an encrypted internet connection while at their customers’ premises. Businesses also need to cultivate a culture in which fear of cyber-crime is significantly greater than the fear of owning up to potential mistakes that could compromise the company if not addressed quickly. We are seeing an arms race between businesses that rely on the internet and those who use it for malicious purposes.
Protecting yourself, your information and your partners requires sound information security policies and procedures, solid training and a commitment to ensuring you constantly live up to the standards required to keep an increasingly sophisticated enemy at bay.
Sonia Blizzard, managing director, Beaming