Cyber security: three things to get right - Brought to you by NatWest

Thursday, 07 March 2019

Cybercrime is estimated to have cost British companies up to £1bn in the past 12 months. And small companies, often lacking the resources of larger companies, are considered easier targets. How can you protect your business in 2018?

 

Figures from the Office for National Statistics (ONS) revealed recently that computer ‘misuse’ against UK businesses increased by 63% in 2017, with malware and distributed denial of service (DDOS) attacks rising by 145%. High-profile victims included the NHS, but SMEs are also very much in the firing line. According to the Institute of Directors (IOD), 44% of SMEs have been hit by a cyber attack at least once in the past year, with the average cost to each business about £25,000.

 

So how can SMEs prevent these costly hits? We outline three key actions they can take.

 

1. Train your people

There are a wide range of methods that cyber criminals – be they state-supported actors, organised criminal gangs or bored teenagers in their bedrooms – can use to launch attacks on your business.

Ransomware, for instance, encrypts files on a computer and threatens to destroy them unless a payment is made. It was used to great effect in the WannaCry attack in May 2017, which affected businesses in at least 150 countries and the NHS in the UK.

 

Phishing is another popular scam where fraudsters send out emails to try and trick employees into giving away vital security details or click on attachments that then unleash a virus on the business’s computer network. A more sophisticated form of phishing is whaling, where the target is likely to be the head of the business or someone at executive level with access to highly sensitive and valuable information.

 

Then there is invoice fraud, where a criminal purporting to be a supplier or customer notifies the business of a change to their account details in order to intercept payments that should have been made to the genuine supplier or customer.

 

What these scams have in common is the fact that they target the vulnerability of your employees, and as such, the best defence is to arm staff with the tools and knowledge required to prevent attacks.

“Cyber criminals try to exploit an employee’s vulnerability,” says Peter Erceg, senior vice president of global cyber and technology at insurance broker Lockton. “They prey on our desire to help people, such as customers who want to change their payment or address details quickly. Or they believe employees will not be as careful with opening email attachments on their work computer as they would be at home,” he says. “They rely on unsuspecting or inattentive staff – and, indeed, human errors make up 95% of cyber-security incidents. Training and internal policies must be the first line of defence.”

However, Erceg says a quarter of businesses don’t always make new staff aware of their cyber-security policies when they join, with a similar number unaware of who to contact if they spot or experience an attempted breach.

 

“The training should follow basics such as showing staff short two-minute videos about what phishing is, how it works and informing them to think before they click,” he says. “In addition, staff need to think more carefully and cautiously about emails from customers or suppliers asking for details to be changed. They should always call the client to verify. You need to identify the weak points and ensure there are checks and balances in place.”

Christopher Hodson, senior director at cyber-security firm Zscaler, says SMEs need to foster a culture of security among staff. “Firms may show their staff an annual cyber-awareness video but it’s seen as more of a compliance exercise,” he says. “Instead, you need security embedded into every single activity and to create openness, so employees aren’t worried about notifying their managers that they sent an email with personal details to the wrong person. That will close the gap between an event and a response.”

 

Staff also need the right tools and techniques to reinforce this culture. “If you see a fire, you call 999, so if there’s a cyber event, you need to know what to do and who to speak to. We need to get to the place where there’s no difference between the two,” Hodson adds.

 

He also advises SMEs to remind their staff to take precautions when they’re working away from the office, such as using privacy screens if they’re using a work laptop on a train or in a cafe. “Security credentials and business details can be stolen this way,” he says.

 

2. Secure your network

There are a host of preventative measures you can take to ensure your network is robust enough to defend against a cyber attack. According to the government’s Cyber Essentials scheme, businesses should use a firewall to secure their internet connection and create a buffer zone between their IT network and external networks. If something unusual comes through the internet, it can then be safely assessed before joining the rest of the network. “Some SMEs believe it’s just large companies that are in the sights of the cyber criminals, but if you have an IP address you are a target,” says Erceg. “Doing nothing is not an option.”

 

Businesses should also check the settings of new software and devices and password protect them, ideally using two-factor authentication. Ensure that staff only have access to the software, online services or data that they need to perform their role.

 

Put in place antivirus software and make it a policy that mobile or tablet apps can only be downloaded from recognised stores such as Apple or Google Play. “You should look at multi-layered protection,” says Hodson. “Cyber criminals are more sophisticated now in their attacks.”

 

Businesses also need to have an organised approach to patching. This is where manufacturers and developers release regular updates, adding features and fixing any security weaknesses. Businesses should ensure these are automatically updated on to their systems. “With the NHS attack, they had a patch which hadn’t been deployed. You need to do the basics,” Erceg says. “Back up your data wherever it’s being stored. Understand all your risks.”

 

It’s also important that suppliers are just as determined to secure their own networks. A supplier that gets hacked could be the weak link in your line of defence.

 

3. Mitigating an attack

Even if you take all of the above preventative measures, there is still a risk that a cyber criminal will get through and compromise your finances, customer and supplier details and reputation.

But you can detect an attack before and even while it’s happening by looking for network activity such as repeated log-in attempts, suspicious files in your system, leakage of customer details or changes in the design, layout or content of your website.

 

“Monitor any increased levels of spam or phishing emails. If they jump from once a week to once a day, it could be a sign that you’re a target,” says Erceg. “Also, look out for customers changing bank details more regularly. It’s about noticing these changes in behaviour and it’s something you or a third party can do.”

 

If an attack occurs, it’s vital to recognise it, restore data and inform your clients, suppliers and the Information Commissioner’s Office as quickly as possible. Have a response team in place before the worst happens.