The Business Exchange Swindon & Wiltshire Edition 30: April/May 2017 | Page 12

CYBER SECURITY: IS YOUR BUSINESS PREPARED?

Cyber security is becoming a dominant theme of 2017 with all technology at risk of being undermined by data theft, fraud and other cyber threats.
Only days into the year the BBC ran a feature asking, ‘Could a bank go under following a major theft in 2017?’ setting the tone for the increased threat as professional criminals become more sophisticated in their approach.
February saw the opening of the UK’s National Cyber Security Centre (NCSC), demonstrating the importance of protecting our country’s critical national infrastructure and economic well-being, as well as individuals. The Business Exchange recently held a Cyber Roundtable in partnership with Thrings solicitors, Lockton insurance and CIS IT at Desk Cowork in Swindon.
15 business leaders from across Wiltshire attended the discussion, which looked at common cyber threats to business and what firms can do to help protect their company and its assets.
The Panel
Alastair Govier, Commercial Partner, Thrings
Specialising in cyber, Alastair works across the South West and the UK, advising and supporting businesses on issues such as risk management, data issues and disputes.
Ian Saxelby, Assistant Vice President, Lockton Companies LLP
Ian works for international insurance firm Lockton insurance. One of their specialisms is cyber security and Ian works with clients across the South West corridor advising them on risk and protection.
Richard Marsh, CEO, CIS
Richard heads up the firm which is committed to providing security solutions that maintain ultra-secure standards for business.
Hot topics of discussion:
The damage a cyber-attack can cause a business
• Financial loss
• Reputational damage
• Fines through data loss
• Disruption of business continuity
With fraudsters becoming more sophisticated in their approach, small businesses need to be aware of the risks and implications of an attack. There are multiple ways in which your business could be at risk; these include:
• Ransomware (A type of malicious software designed to encrypt and deny access to your data, until a sum of money is paid)
• Malware (Software that is specifically designed to disrupt, damage or gain unauthorised access to a computer system)
• Email spoofing (The forgery of an email header so that the message appears to have originated from somewhere other than the actual source)
• Phishing (The fraudulent practice of sending emails purporting to be from reputable sources in order to induce individuals to reveal personal information, such as passwords and credit card numbers, or click on malicious links or attachments)
• Evil twin (A fraudulent Wi-Fi access point that appears to be legitimate, set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam)
Ransomware & Malware – The threat
Anyone with an internet connection is vulnerable to an attack. These attacks are happening every day against your network, but you won’t know they are occurring. It’s a case of are you protected or not?
“Smaller companies don’t think they’re a target, they think why would they target me? I’m only a small firm with 25 employees. It’s not people the other end, it’s bots. They scan for everything they can within seconds and as soon as they find a way that’s it.”
“We’ve seen in the last few months, two or three companies attacked by ransomware that encrypts anything useful on a server and leaves you with a note file on how to pay the ransom.
“In a particularly malicious case, a client was left with a note saying, ‘We’ve taken your Sage file and we’re going to share it with your competitors’.” Richard Marsh
“I’ve seen a small accountant set down for three days with ransomware, demanding a number of bitcoins (cryptocurrency) in return for release of their data. Small businesses are incredibly wrong, if they don’t see that they can become a target. Any firm that has a URL is open to a threat.” Ian Saxelby
Email spoofing and phishing
Thousands of spoofed emails are received every day that look like they come from a legitimate sender. They might be requesting you to pay an invoice or to fill out a form, but each has the same agenda: to steal something from you, be it your data, or to enable access to your system.
“We had a case where a finance director received an email from the MD asking him to pay an invoice. At the start of the email it said, ‘hope you’re having a good day.’ The FD had spoken to the MD in the morning and smelled a rat. With this he checked and the email was a fake. By being vigilant the firm saved thousands of pounds.” Alastair Govier
“Educating staff on clicking and downloading documents from unsolicited emails is key.” Richard Marsh
People
Training staff on cyber threats should be a top priority for any business, advising them on what to look out for and on best practice.
“Employees are the biggest weakness in any business with regard to security. If you spend £100,000 installing a firewall, great. But what stops a member of staff from clicking on a link on a website and that’s it, they’re in.
“CIS perform many checks to secure your business. One way is calling up and pretending to be IT support. We ask people to go to a website for example and fill in some details. Another check is we’ll randomly leave USB sticks in receptions, car parks etc. The number of USBs that are picked up and put in a computer straight away is ridiculous. As soon as a person’s involved, that’s it. There are huge risks.” Richard Marsh
“The cleaner finding a Post-it note with a password on it, stuck to a screen is a classic.” Alastair Govier
Evil Twin
Being aware that fraudulent Wi-Fi points are out there is key. If you are working with sensitive data or financial information and must use a public Wi-Fi hotspot, take action to ensure you’re connecting to the legitimate access point.
“Remotely accessing data, there’s always a risk. Our advice would be to password encrypt your data, so that if it does fall into the wrong hands, it can’t be opened easily.” Richard Marsh
Protecting your business
Conducting a risk assessment is the first step to take when creating a cyber security plan. Look at what really matters to you, what are the risk areas? What’s business critical? And what support can you get from subject matter experts?
Creating a response plan is important too, detailing what to do if something happens. How will you communicate with customers and suppliers if a data breach occurs?
“There are regulatory and legal implications surrounding any data breach. Businesses can get fined up to £500,000 if found in breach of the Data Protection Act, but the fines are increasing up to 4% of your global revenue or a maximum of 20 billion Euros.
“A director’s personal liability is also called into question for breach of duty. You’re not safe no matter the size of your business and you are more likely to be exposed if handling personal data. It primarily comes down to what protections you’ve put in place.” Alastair Govier
“Traditional professional indemnity insurance doesn’t cover cyber threat. As this is a new market, underwriters want to gain market share, so cyber policies are relatively cheap at the moment.” Ian Saxelby
Reputation
The YouGov polls commissioned by the ICO to mark European Data Protection Day showed that 20% of people would definitely stop using a company’s services after hearing news of a data breach, while 57% would consider stopping.
With this in mind, why would you not invest in ensuring your company is properly protected? After all, prevention is better and far cheaper than cure.
If you have a question for one of our experts following this article, please email: press@tbeswindonandwilts.co.uk