With more and more UK businesses falling victim to cyberattacks each year, it’s no secret that many firms still have a lot to do when it comes to cybersecurity. The problem is that an attack of this nature can create total chaos for businesses of all sizes, so when these incidents do occur, it’s vital that firms respond very quickly and with as little disruption as possible.
Oxford Economics has reported that companies’ share prices fall by an average of 1.8 percent following a cyberattack. As a result, it’s essential that firms have the plans and resources they need to battle cybercrime effectively – and also to recover from an attack very quickly.
In this regard, improving technology is actually the last piece of the cybersecurity puzzle - the real work comes in undertaking risk assessments and understanding what the potential risks to a firm’s assets are. Regardless of how or when a cybersecurity strategy has been implemented, it is therefore imperative that the senior management within a firm takes responsibility for its security.
Of course, management will not be able to protect the business on its own. In order to keep these cyber threats at bay – and show that the company is ready to deal with the consequences if its defences are in fact breached – firms will need to ensure that relevant safeguards are in place, ensure that their employees are well trained, and commit to reviewing their cybersecurity plans on a regular basis.
Prevention is vital
When it comes to designing a robust security strategy, businesses are now facing pressure from multiple angles. Not only are there increasing regulatory burdens to contend with, but from a technical aspect, firms are also under continual pressure to modernise their systems to ensure that their data is kept highly secure, yet instantly available for review and processing.
A good starting point for firms looking to make improvements in this area would be the ISO 27001 standard. ISO 27001 is a recognised industry benchmark for managing information security: it requires firms to review a number of key processes, assign controls to them and monitor those controls on an ongoing basis. Implementing this standard is a great first step towards determining what controls could be used to prevent cyberattacks and also to improve a firm’s information security more generally.
Businesses should also consider creating an Information Classification Policy (ICP) to ensure that any sensitive information is handled appropriately from the outset. Using this model, firms can assign a risk level to any sensitive information so that they can clearly set out the methods and appropriate resources for handling this data, as well as any encryption, storage or transmission requirements.
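To show what an Information Classification Policy looks like once it is written down precisely enough to be checked, here is an added example (not code from the article or from QuoStar). The four classification levels, the mapping from data fields to levels, the per-level handling requirements and the sample asset inventory are all constructed assumptions for illustration; a real policy would substitute its own levels and thresholds. The point it demonstrates is the one the paragraph makes: once each record has a classification, the required encryption, storage and retention controls follow mechanically, and any asset that falls short can be listed as a gap.

```python
"""Machine-checkable Information Classification Policy (illustrative)."""
from dataclasses import dataclass

# Classification levels in ascending order of sensitivity (assumed names).
LEVELS = ["public", "internal", "confidential", "restricted"]

# Minimum level implied by the presence of a field (constructed mapping).
FIELD_LEVELS = {
    "product_name": "public",
    "internal_memo": "internal",
    "email": "confidential",
    "date_of_birth": "confidential",
    "card_number": "restricted",
    "health_record": "restricted",
}

# Handling requirements per level: the "methods and resources" the policy
# sets out for each risk level (constructed values, not a real standard).
REQUIREMENTS = {
    "public": {
        "encrypt_at_rest": False,
        "encrypt_in_transit": False,
        "allowed_storage": {"cloud", "on_prem", "laptop", "email"},
        "max_retention_days": None,
    },
    "internal": {
        "encrypt_at_rest": False,
        "encrypt_in_transit": True,
        "allowed_storage": {"cloud", "on_prem", "laptop"},
        "max_retention_days": None,
    },
    "confidential": {
        "encrypt_at_rest": True,
        "encrypt_in_transit": True,
        "allowed_storage": {"cloud", "on_prem"},
        "max_retention_days": 2555,
    },
    "restricted": {
        "encrypt_at_rest": True,
        "encrypt_in_transit": True,
        "allowed_storage": {"on_prem"},
        "max_retention_days": 365,
    },
}


@dataclass
class Asset:
    """How a data store actually handles its data (values supplied by the owner)."""
    name: str
    fields: list
    encrypt_at_rest: bool
    encrypt_in_transit: bool
    storage: str
    retention_days: int


def classify(fields, unknown_default="internal"):
    """Return the classification of a record: the highest level implied by
    any of its fields. Fields the policy does not know are treated
    conservatively as `unknown_default` rather than as public."""
    level = "public"
    for name in fields:
        candidate = FIELD_LEVELS.get(name, unknown_default)
        if LEVELS.index(candidate) > LEVELS.index(level):
            level = candidate
    return level


def check_asset(asset):
    """Derive the asset's level and return (level, list of control gaps).
    An empty gap list means the asset is handled as the policy requires."""
    level = classify(asset.fields)
    req = REQUIREMENTS[level]
    gaps = []
    if req["encrypt_at_rest"] and not asset.encrypt_at_rest:
        gaps.append("encrypt_at_rest")
    if req["encrypt_in_transit"] and not asset.encrypt_in_transit:
        gaps.append("encrypt_in_transit")
    if asset.storage not in req["allowed_storage"]:
        gaps.append(f"storage:{asset.storage}")
    limit = req["max_retention_days"]
    if limit is not None and asset.retention_days > limit:
        gaps.append(f"retention:{asset.retention_days}>{limit}")
    return level, gaps


def audit(assets):
    """Run the policy over an inventory; returns {asset name: (level, gaps)}."""
    return {a.name: check_asset(a) for a in assets}


# Constructed sample inventory for a run of the audit.
SAMPLE_ASSETS = [
    Asset("catalogue", ["product_name"], False, False, "cloud", 3650),
    Asset("crm_export", ["email", "date_of_birth"], False, True, "laptop", 400),
    Asset("payments", ["card_number", "email"], True, True, "on_prem", 730),
]

if __name__ == "__main__":
    for name, (level, gaps) in audit(SAMPLE_ASSETS).items():
        status = "OK" if not gaps else "GAPS: " + ", ".join(gaps)
        print(f"{name:<12} {level:<13} {status}")
```

Running the block prints one line per asset: the public catalogue passes, the CRM export on a laptop is flagged for missing encryption at rest and disallowed storage, and the payments store is flagged only for holding card data longer than the restricted-level retention limit. The "highest field wins" rule in `classify` is the usual ICP convention that a record is as sensitive as its most sensitive element, and treating unknown fields as internal rather than public is the conservative choice when the field mapping is incomplete.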
It’s also crucial that firms regularly update their business software, especially if they hold large amounts of data. Working with outdated applications can leave gaps for cybercriminals to attack, as they won’t be as secure as some of the newer versions available to businesses. The same is true for anti-virus software and firewalls. These security essentials may have been around for a while now, but there is a reason for that; they still play an important role in keeping firms safe from an attack.
Tools like these can go some way towards boosting security, but they are still not enough; employees will also need to be educated on how to spot, block and report suspicious activity to prevent cyber criminals from accessing an organisation’s network. Employees should be taught to be on the alert for any suspicious activity at all times. Hosting regular seminars and workshops to raise awareness of internal threats is also vital, as employees must be able to recognise any red flags and understand exactly how and when to inform senior management about a possible breach, whether it is internal or external.
Decreasing the damage
Even with the best will in the world, cybercrime will continue to impact businesses across the globe. As such, preventing a security breach is only half the story: businesses also need to consider how they will recover in the event of a cyberattack.
Cybersecurity and business continuity are actually two sides of the same coin; by working in tandem, these strategies can help to mitigate both the cost and impact of data breaches, as a strong business continuity plan will enable firms to take immediate action if their IT system has been compromised. When creating a business continuity plan, businesses should therefore consider three key elements: resilience, recovery and response.
To guarantee resilience in the face of an attack, firms will first need to ensure that their critical business functions will be largely unaffected by such an intrusion. Arrangements also need to be put in place to recover data and restore less critical business functions as quickly as possible. Lastly and most importantly, firms will need to ensure that their employees are ready and able to cope effectively with an unexpected attack.
All businesses need to have a robust cybersecurity plan in place to prevent attacks and protect their data and systems, but it’s also important to have a strategy in place to respond to a breach. Failing to take these precautions can have an enormous impact on the business, not only financially, but also in terms of its reputation. As such, businesses not only need to create strategies that will help thwart an attack, but also be prepared to deal with the fall-out in case the worst should happen.
Robert Rutherford, CEO of the business and technical consultancy QuoStar