WHY YOU NEED TO MITIGATE CYBER RISKS
All businesses, from single person operations to large multinationals, increasingly rely on technology in various forms. Technology will likely underpin key revenue generation sources (such as production or retail) and much of an organisation’s day-to-day running will be totally dependent on computer systems. As businesses and their assets become ever more tech-driven, criminals and other attackers are adapting and cyber attacks are increasing in volume and effectiveness.
A breach’s impact varies depending on the attacker’s goals. The attacker may be trying to commit fraud or steal money. Some seek intellectual property, others to cripple the organisation and charge a ransom to return the systems to working order. Many breaches carry indirect costs such as fines (up to 4% of global turnover under GDPR) and the reputational impact of a breach can be devastating.
Whilst organisations may assume that the technology they use (whether internally hosted or cloud) is secure, the reality is that attackers will exploit any weaknesses they find in configuration or usage. Managing this risk is difficult and many businesses lack board members with the necessary mix of technical understanding and authority to lead and challenge the organisation appropriately on cyber risks. Even organisations that do see cybersecurity as a strategic risk can find it hard to recruit suitably experienced security practitioners.
Despite the challenges, understanding and managing cyber risks is crucial for businesses of all sizes. It is also important that the effort invested in cyber security is proportionate to the assets the business has and the threats those assets face. This guide aims to be a first step for organisations wanting to manage their cyber security risks and provides threat-centric advice for businesses of all sizes.
Cyber security is not the concern of governments and large businesses alone.
A 2017 study showed that over 61% of data breaches took place in companies with fewer than 100 employees.
These events can have a rapid and lasting effect, especially for smaller businesses that may not have the capacity to survive significant business interruption. The impact of a cyber attack can take a number of forms: intellectual property on which an innovative small business depends can be stolen. Critical data might be encrypted or destroyed. Administrative IT systems could be made useless. Businesses could be the victims of fraud.
Or they may have sensitive personal data relating to customers stolen and misused. Destruction of data, theft of customer information, and financial compromise can cause significant loss of profit and reputation.
However, there are some simple steps you can take to ensure your business can withstand an attempted attack, and recover from it quickly should one get through. In fact, the Australian Government has assessed that over 85% of the attacks they investigated could have been prevented if just four technical controls were in place.
You have a small, productive company of fewer than 100 people. You know security is important, but with so many hats to wear and so few staff, you need quick and easy wins to guard against cyber compromise.
The Challenge: Limited dedicated resource
Starting a security program in a small company can be difficult. Many organisations may not have a person focusing on IT full time (or will have 1-2 staff at most). Those enterprises will only have a very limited amount of resource to focus on security. However, even though the company size is small, the business will still face a variety of threats.
The Approach: Security is everyone’s job
When resources are limited, it’s more important than ever that security is part of everyone’s job. Appoint a security champion to educate the team. This champion can improve their knowledge of security through basic training or certification, promote the security agenda, and advise on easy improvements to help keep the business safe. Promoting a culture where people take ownership of security is important. Even just having a way of sharing stories or concerns can help.
Equally key is minimising the security effort needed. Running modern operating systems that auto-update and are more secure by default is important, as is considering cloud services that handle much of the security for you, to reduce the effort needed. The UK’s National Cyber Security Centre recently issued some excellent guidance for small businesses.
Your company employs up to 1000 people and has a small IT team. You’d like to develop a more formal security program so the business can be as secure as it needs to be, but you need to ensure spending is in line with risk.
The Challenge: Limited time, lots of compliance
Medium-sized businesses are likely to have a full-time IT team. However, resource for security is often still limited and may end up being focused on recovering from incidents or compliance with client requirements.
For a medium-sized business the “attack surface” – the range of services and assets that an attacker can target – is often larger than it would be for a smaller organisation. Medium-sized businesses are likely, for example, to be running company services and web applications that may have been deployed on a company intranet or the public internet. While many of these services are essential to support business growth, they will offer more opportunities for an attacker.
Moreover, the attractiveness of an organisation as a target is likely to increase with the company’s size and reach (particularly if it services clients in key sectors, such as defence or financial services).
The Approach: Bring it to the board
In a medium sized organisation, IT should have specific security responsibilities and reporting requirements.
The security team must work proactively with the business around it. If a security team has not been formed, appointing one or two individuals in IT to conduct a health-check and drive initiatives will ensure that high-priority issues get the right attention. Security and cyber risk should be a board level issue.
You’ve covered the basics and – if you haven’t already – you’re in the process of establishing a formal security role or small team. What comes next in building this team and planning the projects they’ll support?
The Challenge: Security as mature as
As security becomes a more mature component of a business, a small team tends to support ongoing security developments. Often, management has agreed security is a priority, but isn’t sure how to make sure security serves the business in the right ways.
The challenge becomes more complex as employees and premises expand. Clients are increasingly asking for evidence of security efforts. More services and applications are supported within the business, driving the need for a team to investigate and advise the business on the security of new solutions and increasing the number of potential attack paths.
The Approach: Something more formal
Security needs to become more formalised and bring together technical aspects with personnel and physical security.
Once basic security procedures have been implemented, projects of highest impact can be identified via formal reviews and risk management processes. These projects improve existing controls, provide awareness of new threats, and allow secure adoption of new technology in the business.
Simple tools, built-in security features and new guides for small businesses mean staying secure is no longer the domain of large businesses alone.
With these tools, every minute invested in securing the business can help prevent a potentially significant loss of data, money and reputation.
Businesses of all sizes are increasingly targeted by a type of scam email known as “whaling” or “CEO fraud”, with losses in some cases exceeding £100m.
In whaling, messages are sent to financial staff and imitate an important team member (CEO, CFO).
They typically contain the following:
> Request for funds: “Invoice”, “Wire to”, “Tax requirement”
> Urgency: “Urgent”, “Right now”, “ASAP”, “By end of business”
> Unable to confirm in person: “In meeting, can’t talk”, “Not at desk”
These attacks do not target computers and are hard to prevent through technical controls, instead requiring strong user awareness and business process controls to counter them.
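Although the guide is right that whaling is countered mainly by awareness and payment-process controls, the three indicator groups above can still feed a simple screening rule that routes suspicious funds requests to a mandatory call-back check. The following is an added example, not part of the guide: it scores constructed sample messages against the guide's own phrase list and additionally flags a message whose display name is an executive's but whose address is outside the company domain. The company domain, the executive names and the sample messages are all constructed assumptions.

```python
"""Heuristic screening of inbound mail for the whaling / CEO-fraud indicators
listed in the guide. Added example; sample messages, executive names and the
company domain are constructed, not taken from any real organisation."""
import re

# Indicator phrases grouped by the guide's three categories. Matching is
# case-insensitive and tolerant of punctuation between the words.
INDICATORS = {
    "request_for_funds": ["Invoice", "Wire to", "Tax requirement"],
    "urgency": ["Urgent", "Right now", "ASAP", "By end of business"],
    "unable_to_confirm": ["In meeting, can't talk", "Not at desk"],
}

# Constructed assumptions: the organisation's own mail domain and the
# display names an attacker would imitate (CEO, CFO).
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane smith", "rob jones"}


def _phrase_pattern(phrase):
    """Compile a phrase into a regex that allows any non-word run between words."""
    words = re.findall(r"[a-z']+", phrase.lower())
    return re.compile(r"\b" + r"\W+".join(map(re.escape, words)) + r"\b", re.I)


PATTERNS = {cat: [_phrase_pattern(p) for p in phrases]
            for cat, phrases in INDICATORS.items()}


def matched_categories(text):
    """Return the set of indicator categories whose phrases appear in text."""
    return {cat for cat, pats in PATTERNS.items()
            if any(p.search(text) for p in pats)}


def impersonates_executive(from_name, from_addr):
    """True when the display name is an executive's but the address is external."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    return from_name.strip().lower() in EXECUTIVE_NAMES and domain != COMPANY_DOMAIN


def assess(msg):
    """Score one message; 'flag' means it should go to manual verification."""
    cats = matched_categories(msg["subject"] + "\n" + msg["body"])
    spoof = impersonates_executive(msg["from_name"], msg["from_addr"])
    # A funds request combined with pressure to act (or with an executive name
    # on an external address) is the pattern the guide describes.
    suspicious = "request_for_funds" in cats and bool(
        spoof or cats & {"urgency", "unable_to_confirm"})
    return {"categories": sorted(cats), "spoofed_exec": spoof, "flag": suspicious}


def screen(messages):
    """Return the subjects of all messages that should be held for a call-back check."""
    return [m["subject"] for m in messages if assess(m)["flag"]]


# Constructed sample messages: one classic whaling attempt, one routine
# internal invoice, and one genuinely urgent but harmless executive mail.
SAMPLE_MESSAGES = [
    {"from_name": "Jane Smith", "from_addr": "jane.smith@outlook-mail.example",
     "subject": "Urgent wire to new supplier",
     "body": "Please process the attached invoice right now. In meeting, can't talk."},
    {"from_name": "Accounts Payable", "from_addr": "ap@example.com",
     "subject": "Invoice 4471 for approval",
     "body": "Attached for review at your convenience."},
    {"from_name": "Rob Jones", "from_addr": "rob.jones@example.com",
     "subject": "Urgent: board slides",
     "body": "Need the deck by end of business."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", assess(m))
    print("held for verification:", screen(SAMPLE_MESSAGES))
```

Only the first sample is held: it requests funds, applies urgency, pre-empts a phone check and comes from an executive's name on an external address. The legitimate invoice and the urgent-but-harmless executive mail pass, which matters because a rule that holds every "invoice" or "urgent" would be switched off within a week. The flag should trigger a process control (call the named executive on a known number before any payment), not an automatic block.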