The internet has revolutionised the way companies do business, but, it also brings its risks.
The amount of cyber-attacks on UK organisations is unfortunately on the rise, with a 2015 Government report stating that 69% of large organisations and 38% of small businesses were attacked by an unauthorised outside in the last year. The average cost of an attack to a large organisation was estimated as being between £1.46m – £3.14m; whilst the average cost to a small business was between £75k – £311k.
Given that the financial implications of a cyber-attack can seriously harm, or even end, a business, here are some expert tips to help you get started with your cyber-security plan.
1. Be proactive
Don’t be the business left picking up the pieces following a cyber-attack due to adopting the attitude of it’ll never happen to me. As with any business continuity plan, you need to prepare in advance in order to minimise any damage and protect your organisation’s finances, customers confidence and brand reputation.
2. Think beyond technology
Whilst technology measures, such as firewalls and security software, are needed it’s important that your organisation manages information security aligned to the ISO 27001 international information security standard. It’s also worth considering appointing a dedicated information security manager to create and then coordinate the roll-out of any policies and processes.
3. Raise security awareness
Many organisations are guilty of neglecting the need to raise staff awareness of cybersecurity, even though employees are often unwittingly major threats to their business. It’s important to train staff to think about, take ownership of, and report any information security threats.
4. Get buy-in from the top
In a worst-case scenario, the first conversation you will have with company stakeholders about cybersecurity will be after an attack, when it’s too late. To help justify information security investment, document the estimated financial impact of IT downtime to your business. If that doesn’t work, it might be worth showing them some recent news stories about high-profile hacks.
5. Build more than one firewall
To make it harder for cybercriminals to reach your system, you should build dual layers of firewalls. This will help protect your core back-end IT services which are not immediately customer facing, separating them from internet-facing IT services in a demilitarised zone (DMZ). It’s also worth considering two different providers to ensure you don’t suffer from the same security vulnerabilities.
6. Control the use of company equipment
Make sure you have solutions in place that allow your IT team to lockdown staff equipment, monitor their use of the internet, and control what they can download and install. By investing in a mobile device management (MDM) solution, you will be able to enforce policies and remotely wipe devices containing confidential information through the cloud, helping minimise the risk of a security threat.
7. Create a BYOD policy
Whilst allowing staff to use their personal devices in the office might improve morale, it can also leave you vulnerable to a cyber-attack if you haven’t got a bring-your-own-device (BYOD) policy in place. Educate staff so they know their responsibilities and know what types of corporate data they can access. It’s good practice to ask staff to install antivirus software, too.
8. Manage IT supplier security
If third party suppliers have access to your sensitive information, such as customer data and commercial plans, how do you know that they will protect it as diligently as you do? The fact is you don’t unless you work closely with your supply chain. To prevent any risk of a breach of confidentiality, consider creating/revising contracts in order to manage information risk.
9. Regularly audit your IT estate
As technology continues to develop and new software arrives on the market at an unprecedented rate, it’s important to regularly review your strategy to make sure it’s up-to-date and your security methods still work. Review all your servers, desktops and equipment to identify anything where contracted support has ceased or is nearing the end of support.
10. Think strategically
Are your firewalls, threat detection and anti-virus measures aligned with one another and with information security processes? Finally, make sure your information security personnel monitor cybersecurity industry trends so that they can try to pre-empt for threats in advance.