With 98 per cent of UK businesses now operating online it’s perhaps unsurprising that of the 32 per cent of businesses that did identify any breaches or attacks, the typical (median) number they recall facing has gone up from two attacks in 2017 to six in 2019 (source: DCMS 2019) This included computer viruses, hacking, theft of data and theft of financial information.
Breaches were identified most often in businesses holding personal data and those where staff use personal devices for work. At worst, a breach or attack could affect your cashflow, prevent you selling via your website, or cause significant damage to your reputation with customers.
It is possible to limit your exposure as a business to a cyber security breach – here’s some simple steps you need to take now to prevent your business falling victim this summer.
Ensure you have offline backup (a backup that is not directly connected to your network)
The average company works with all kinds of data, some of which is crucial for business continuity. It must therefore be backed up in such a way that it can be restored quickly and easily when disaster strikes.
This is essential to combat the most aggressive ransomware attacks, where a hacker locks up your files and holds them to ransom until you pay a fee. If your files are backed up, you don’t have to pay to get them back.
A good backup will also protect you against an employee accidentally deleting or overwriting files, natural disasters, fire, water damage, hardware failures and other data-erasing disasters, and should be regularly monitored.
Complete failure of the IT systems for just a few hours can mean the loss of significant revenue. Data backups in the cloud are likely to be the most flexible and convenient option, as the cloud provider is responsible for providing the latest hardware and software and for compliance with relevant standards.
Patch management
Software patches help fix those problems that exist and are noticed only after software has been released. Patches mostly concern security while there are some patches that concern the specific functionality of programs as well.
The NHS Wannacry ransomware attack in May 2017 could have been avoided if security patches had been applied to protect the Windows 7 systems common throughout the NHS (source: BBC).
It is possible to automate the patch management process (great for the summer holiday period) to ensure all the computers in your business remain up-to-date and to mitigate and prevent security risks.
New vulnerabilities are frequently found in common software programs you are using, such as Microsoft, therefore it’s critical you patch and update your systems frequently.
Have a manual process for verifying payment requests to defeat phishing fraud
An effective fraud prevention strategy uses several methods and having a clear process in place to ensure payment requests are legitimate is essential.
We have all received fake emails asking to ‘confirm your login to check your account for suspicious activity’ from eBay, Amazon or such, this is Phishing as they are casting a wide net to see who they catch unawares.
A more devious and targeted approach is called Spear Phishing – where the miscreant impersonates a senior memberof the team and asks for some form of quick payment to be processed, usually with an urgency about it and some consequence for not complying – we will lose the order/contract/tender if we do not make fast payment.
Ensure that you have robust processes in place to verify and corroborate all requests to change any supplier or payment details. Get in touch with the supplier (or internal colleague) directly, using contact details you know to be correct, to confirm that a request you have received is legitimate.
At a very basic level, always check the reply email address closely before sending is the same one that you believed the email came from by clicking reply and checking – do not take the email address to be valid until you have done this as the address that appears in the body of the email can be a fraudulent address.
All employees should be aware of these procedures and encouraged to challenge requests they think may be suspicious, particularly urgent sounding requests from senior employees.
Application whitelisting or Zero-Trust security
A zero-trust model essentially means organisations ensure that every new network device or user passes a trustworthy test before they are allowed access to the network, which inherently reduces the risk of a breach. Users cannot connect to anything since resources are invisible to unauthorized users. Applications that are not authorised cannot run inside your company network,only authorised applications can access your company data.
Many of today’s leading organisations are applying zero-trust models across all their users and devices to help strengthen their overall security.
A breach response plan
Determining how vulnerable your business is to falling victim of a data breach should be the first thing you research when devising a response plan. This will give you a clear picture of how much time, money and effort should be put into a cyber-attack response strategy.
Under the EU GDPR (General Data Protection Regulation), organisations must respond to a serious data breach within 72 hours of becoming aware of it. This places a significant burden on businesses both large and small.
The breach response and recovery plan should identify as many potential threats as possible and include easy-to-follow procedures. The longer your organisation is exposed to a vulnerability, the more damage which can be caused. As a result, spotting a data breach promptly can be the difference between a moderate disruption and a disaster.
Every data breach response plan needs to clarify what your business’s primary data assets are and classify them in order of importance. Make the classification system simple and easy to follow, comprising of High, Medium and Low assets.
Next you will need to consider who should respond to a breach and map out precisely who takes on which role if a breach of data occurs. Your data breach response plan should also include a communications strategy, which outlines how the likes of employees, customers or even the public would be notified in the event of a cyber-attack.
Part of your plan should also include at what point following a cyber-attack that external support, such as IT and security practices, be brought in.
User awareness training
The key weak spot of business networks are the employees using them. It’s extremely common for an employee to infect an entire network by opening and clicking a phishing e-mail (see above). If they don’t know how to spot infected emails or online scams they could compromise your entire network.
Don’t allow employees to download unauthorized software or files. One of the fastest ways cybercriminals access networks is by duping unsuspecting users to wilfully download malicious software by embedding it within downloadable files, games or other ‘innocent’ looking apps. This can largely be prevented with a good firewall and employee training and monitoring.
