We continue to see businesses large and small fall victim to data breaches; the most prominent in recent weeks have been Equifax and Deloitte. Equifax has exposed the personal data of well over 140 million people, most of them US consumers, while attackers reportedly gained access to email belonging to a number of Deloitte’s high-profile clients. Whatever the scale of an attack, the consequences are serious: consumer trust and company reputation suffer, perhaps irreparably. As a cyber security professional, it’s easy for me to get frustrated and blame businesses for not getting their house in order. After all, it’s often the basics not being in place that allow a breach to occur.
For example, the Deloitte breach reportedly began with an administrator account protected by a single password and no two-step verification (multi-factor authentication). Something that basic has put vast amounts of confidential data at risk. However, we have to cut businesses some slack. When people are focused on their day jobs, it is easy to miss things. We all make silly mistakes, but there are a number of simple steps we can take to stop an error turning into a disaster.
Know what you need to protect
Many SMEs we speak to don’t think they need to invest in cyber security at all: what have they got that a cybercriminal would want? You might not have millions in ransom money or the bank details of hundreds of millions of individuals, but you do have data. If your business can turn that data into profit, so can a malicious hacker.
A widely quoted, if hard to verify, figure is that 60% of SMEs hit by a cyber-attack go out of business within six months. That’s a terrifying thought for any business owner. You need to know what data your business stores, where it is, how it is protected, and whether you even need it. Are you still holding personal details that are no longer relevant? Dispose of them securely before someone else gets their hands on them: data you no longer hold cannot be stolen from you.
Get Cyber Essentials accredited
Cyber Essentials is a UK Government-backed scheme designed to help businesses protect themselves against common cyber-attacks. It is required of suppliers bidding for certain central government contracts, but it is hugely beneficial for any other business too. The process is designed to be simple: you complete a self-assessment questionnaire that measures your business against the scheme’s five security controls: secure configuration; boundary firewalls and Internet gateways; access control and administrative privilege management; patch management; and malware protection.
Your business will either pass or fail the self-assessment questionnaire. Passed? You now need independent assurance that the protections you say you have are actually in place. A certification body, such as Falanx Cyber Defence, will review your submission and provide the assurance needed to award the Cyber Essentials badge.
If you fail, don’t be put off. Follow the advice on the Cyber Essentials site to put the correct measures in place, or enlist the help of a certification body, which can provide the guidance and support you need to remediate the issues standing between you and a pass.
Ensure your team are cyber aware
People are the weakest link in the cyber security chain. You can put in all the correct measures and invest in state-of-the-art tech, but it can all come crumbling down if one person makes a careless mistake. Can your team recognise a phishing email? Do they know the risks of leaving data lying around? Do they manage their passwords properly? If not, they should.
Investing in even basic security awareness training for your team is a no-brainer. With the GDPR due to apply from May 2018, making sure everyone in your business is involved in keeping it safe is essential. Failure to comply with the GDPR could result in fines of up to €20 million or 4% of global annual turnover, whichever is higher. Compared with that, the cost of security awareness training is pretty insignificant, right?
Don’t try to do everything yourself
You didn’t start your own business to become a cyber security expert… unless, like me, cyber security is your business! So, if you’re not an expert, don’t try to be. Get help where you need it. At Falanx, we talk a lot about the ‘insource-outsource cycle’. This happens when a business lacks the resources and knowledge to work out which cyber security arrangement suits it best, opts for whatever is easiest in the short term without thinking about the bigger picture, and so ends up shifting repeatedly between employing an in-house cyber security professional and using an external third-party supplier. This is expensive, it’s time-consuming, and it can make it impossible to work out who is responsible for what.
Of course, for some businesses in-house always works, and for others an external supplier will always be the best option. But for many, a multi-faceted approach is the way forward. A combination of in-house cyber security skills and an external Security Operations Centre is the most comprehensive solution for most businesses, and is what we set out to create with our Managed Detection and Response platform, MidGARD – in a MicroSOC format for SMEs. Do any of your team really want to be monitoring your business’s security 24/7? Exactly. Get someone else to do the 5-9, while you focus on the 9-5.
If cyber security isn’t at the forefront of your business strategy, it needs to be. If malicious hackers can take down the likes of Deloitte and Equifax, think of the damage that could be done to your business.
Jay Abbott, Managing Director of Falanx Cyber Defence
Image Credit: ESB Professional / Shutterstock