Cyber-security company Malwarebytes surveyed more than 1,000 businesses in the US, UK, France, Germany, Australia and Singapore and found that UK businesses were the worst at dealing with ransomware, with almost 20% believing they had no chance of preventing a malware attack.
In April 2017, the UK’s Department for Culture, Media and Sport published the Cyber Security Breaches Survey 2017. It revealed that only 37% of businesses had segregated wireless networks or any rules around the encryption of personal data, and that a mere third (33%) had a formal policy covering cyber security risks. Just 32% documented such risks in business continuity plans, internal audits or risk registers, and only 29% had made specific board members responsible for cyber security.
Scary stuff, and it is not going to go away given how lucrative cyber theft can be: the survey puts the estimated loss at £1,570 for an “average” business and around £20,000 for larger companies. That is not something to be ignored, especially in the current difficult UK economic climate.
Not only this, but imagine the risk to a business’s reputation if its systems are hacked and its client database is stolen, especially when new and more stringent protections are due next May, when the EU’s General Data Protection Regulation (GDPR) comes into force.
The elements of a robust cyber security set-up
According to the April Government survey, the most common type of breach involved staff receiving fraudulent emails (72% of cases where firms identified a breach or attack). The next most common were viruses, spyware and malware (33%), people impersonating the organisation in emails or online (27%) and ransomware (17%).
The potential weak spots are therefore people, technology vulnerabilities and processes.
People: lack of communication between teams and lack of training can make a business vulnerable. Reduce risk by making sure everyone is cyber security aware, can identify suspicious communications and is regularly updated on the latest scams. Every employee should know how to check the actual email address of a sender to confirm it really belongs to the person named in the sender box. Employers should limit employee access to only those parts of the system and databases relevant to their work, and require secure authentication before anyone can access sensitive data. Ideally data should be encrypted, particularly if it is held in cloud-based storage.
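The sender-address check described above, as an added example that is not part of the original article: a small Python function that parses a From header and flags the common impersonation patterns (an address embedded in the display name that differs from the real one, or a display name that invokes the organisation while the actual domain is not one of its own). The trusted-domain set and the sample headers are constructed assumptions, not values from the article.

```python
"""Flag From headers whose display name does not match the real sender address.

Added example (standard library only). TRUSTED_DOMAINS and the sample headers
are constructed for illustration.
"""
import re
from email.utils import parseaddr
from typing import List, Set

# Hypothetical: domains this organisation treats as its own.
TRUSTED_DOMAINS: Set[str] = {"example.com"}


def from_header_looks_suspicious(from_header: str,
                                 trusted_domains: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return the reasons a From header looks suspicious (empty list = nothing found)."""
    reasons: List[str] = []
    display_name, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return ["no parsable address"]
    domain = address.rsplit("@", 1)[1]

    # 1. The display name itself contains an email address that differs from
    #    the real one, e.g.  "ceo@example.com" <someone@mail.test>
    for embedded in re.findall(r"[\w.+-]+@[\w.-]+", display_name):
        if embedded.lower() != address:
            reasons.append(f"display name shows {embedded} but real address is {address}")

    # 2. The display name mentions the organisation, but the sending domain is
    #    not one of the organisation's own (covers look-alike domains too).
    name_tokens = set(re.findall(r"[a-z]+", display_name.lower()))
    for trusted in trusted_domains:
        org = trusted.split(".")[0]
        if org in name_tokens and domain not in trusted_domains:
            reasons.append(f"display name mentions '{org}' but domain is {domain}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three that should be flagged.
    samples = [
        "Accounts Team <accounts@example.com>",
        '"ceo@example.com" <attacker@mail.test>',
        "Example Support <support@examp1e.com>",
        "not-a-header",
    ]
    for header in samples:
        print(header, "->", from_header_looks_suspicious(header) or "ok")
```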
Technology vulnerabilities: remember the recent WannaCry ransomware attack that decimated UK hospitals still using Windows XP? Keeping systems up to date and rigorously installing patches as soon as possible is a must. Open-access Wi-Fi is also foolish, even though many hospitality businesses offer it as a service to customers. If you do, make sure it is password protected and change the passwords regularly. Also ensure servers are protected by a firewall, usually one running on a dedicated machine that stores no data of its own, so that sniffing software cannot read anything useful from it and cannot reach the protected servers behind it.
Processes: security contracted out to third-party providers, such as website hosts, can introduce a dangerous complacency, in assuming that security is being taken care of. Check regularly that updates are carried out promptly, and if the provider offers remote 24-hour monitoring and backup, it is worth paying for.
While it may not be possible to make a business 100% cyber-secure, there is a lot that can be done to minimise the risks.