IXCG deals with a large number of malware, virus and cybersecurity incidents every year and, in 90% of cases, a lack of basic planning means that a minor outbreak becomes a major, and very expensive, incident. With prevention costing roughly 5-10% of the cost of an incident, why are so many businesses getting it so wrong?
The most common factors in incidents are that the affected organisations either believed that they would not be a target, or that someone else in the organisation was responsible for cyber security. With cybercrime on the rise and the Police advising that it is a matter of “when rather than if” companies become victims, what can be done to address this?
Understand the risks and responsibilities
In 2014 the proceeds of cybercrime exceeded the proceeds of the global drugs industry for the first time, and they have increased every year since then. Cybercrime is no longer the preserve of maladjusted teenagers; it now fuels terrorism, funds organised crime and pays for overseas wars.
The sole legal responsibility for damages caused by cyber incidents lies with the business owner, partners or directors, yet many are not aware of the steps their organisation has put in place. This responsibility cannot be passed on to another party, so if you are in one of these roles, make sure you have a full understanding of the impact that an incident can have and a plan to deal with it. If you are not directly responsible, but have responsibility for client data, try to highlight the issues to those who are.
Plan for the day that you will face an incident
Incidents have four major impacts on an organisation: the time during which they prevent the organisation from working, the cost of returning to business as usual, the loss of reputation caused by the incident and the financial fines due to breaches of regulation. With the GDPR imposing fines starting at €10 million by itself, it should be apparent that an incident can be the end of all but the largest businesses.
It is because of this that ensuring you have a robust protection and reaction plan is essential.
Do not assume you already have the protection you need
As the NHS discovered during their recent WannaCry outbreak, antivirus software and IT administrative staff are not a replacement for a multi-layered security system and dedicated IT security staff.
Antivirus is an important part of any protection strategy, but it only provides protection against a small percentage of attacks. It should always be paired with network protection, network scanning, WiFi intrusion prevention, removable media protection, encryption, monitoring and a robust data backup system.
Likewise, IT security staff are a very expensive and rare commodity. Although you may have IT administration and support staff or an agreement with an external supplier, they will be experts in a completely different field of computing, meaning that relying on them to keep your systems secure is unrealistic.
Do not assume your data is safe
Many types of malware actively seek out and damage data which has been backed up or is stored in the cloud, rendering it useless. As this data is critical to recovery and to returning your organisation to normal operation, special care must be taken to protect it at all costs.
Make sure that you have offline backups (ones which cannot normally be accessed without special steps being taken) and that you test them regularly to confirm that critical data is backed up and can be recovered. If you use a cloud provider, make sure you have your own backup plans to protect data stored on their systems, as cloud providers do not usually provide sufficient protection.
Make sure that your backup procedures are fully integrated with your security procedures and are regularly tested.
Don’t overlook physical security
Physical tampering with equipment to gain access to it is a very common way for attackers to obtain confidential data. This could be by plugging equipment into the network, tampering with equipment such as keyboards or video leads, or tricking staff members into connecting infected equipment such as USB thumb drives or mobile phones.
These attacks are particularly hard to guard against, as it is very difficult to identify hardware which has been tampered with. Ensure that you standardise on hardware, apply asset tags and take steps to prevent physical access to equipment in public-facing areas. Using dedicated device control software, training your staff and ensuring that you have robust monitoring in place are also key to avoiding these threats.
Train your staff
Staff training is often overlooked by smaller organisations, but it is a vital aspect of security. Hackers are experts in psychological techniques and in tricking staff members into unwittingly giving them access to data or financial resources.
Training isn’t expensive, and although it does take time, it is well worth doing. Building a “culture of security” is a great way to ensure the long-term viability of your company and to demonstrate to clients that you value their business and take their security seriously.
The cost of an incident is much higher than the cost of the systems and help you need to properly protect your data. Although this protection has a modest cost, some of the expenditure can be written off against Corporation Tax, it is still considerably less than being fined, and it is far outweighed by the benefits an IT system brings to a business.
However, IT security is a complex and constantly changing subject and needs to be taken seriously. As IT security staff are expensive and hard to come by, consider using a professional cyber security company to identify the gaps in your protection and install and monitor the defences you need.