Cyber security is in the headlines again thanks to Uber’s recent data breach, but Uber certainly won’t be the last. Data security is one of the biggest risks to businesses. Yet many still believe that data breaches only happen to big companies, or that they won’t happen to them.
Nearly 50% of all UK businesses suffered a data leak or cyber attack in the past 12 months (Cyber Security Breaches Survey 2017). They just didn’t make the headlines.
Whilst 64% of CIOs (Chief Information Officers) expect spend on cyber security to increase over the next few years, fewer than 34% saw it as a business priority (2016 global Deloitte CIO survey). And whilst 74% of UK businesses say that cyber security is a high priority for their senior management (Cyber Security Breaches Survey 2017), a sizeable proportion of UK businesses still do not have basic protections or a formalised approach to cyber security.
So, why would a hacker be interested in your business? Well, it’s likely you have less knowledge and fewer resources to prevent attacks, so for cyber criminals you’re an easy target. It’s like leaving your keys in the car with the engine running while you step out to buy a coffee.
The good news is the majority of successful cyber attacks could be prevented with a few simple activities.
1. Educate yourself and your teams
Vulnerability to attacks is certainly increased by human error and a lack of awareness among employees. Cyber attacks are becoming more and more sophisticated, and emails, links and attachments look genuine, making it easy to be fooled. So, make sure you train staff to look out for suspicious communications, show them examples of what these communications look like, and have a clear procedure for escalation if anyone suspects an attack. Running simulation exercises can also help increase awareness.
2. Store customer data in an encrypted database
Only 37% of UK businesses have segregated wireless networks, or any rules around the encryption of personal data. Many operating systems already come with tools for encryption. If you ever have to transmit data, such as by email, make sure that it’s encrypted. And don’t transmit information over public Wi-Fi networks.
3. Make sure you have the latest security software
Up-to-date security software, web browsers and operating systems are the best defences against viruses, malware and other online threats. They should be installed, and kept updated, across servers, workstations and devices.
4. Have rigorous authentication measures
This is all about secure logins. The go-to method is passwords, but most people don’t know how to produce a secure password, and often use the same password in several different applications, making the attacker’s task a lot easier. So, have strong passwords to access any database storing customer information and change these passwords frequently. There are also many alternatives to the traditional password, including tokens, smart cards, smart USB keys and even mobile phone SMS texts. You can also strengthen your helpdesk password reset process, for example with call-back or PIN authentication.
5. Regular risk assessments
Vulnerability assessments allow you to see where you are at risk in your network and devices. The problem is that many companies only run these once in a while, every quarter or so, but cyber criminals are inventing new methods of attack on a daily basis. So, vulnerability assessments should be done more frequently, on a fortnightly or weekly basis.
6. Have a disaster recovery plan that includes data breaches
Make sure your disaster recovery plan (DRP) covers data breaches. It should detail how your business will respond to a data breach and involve the relevant parties, including information security, IT, legal and corporate communications. With the requirements differing for each business, consider working alongside an external provider to create a bespoke plan suited to your needs.
If you are unfortunate enough to have a breach, tell the ICO (Information Commissioner’s Office) and your customers. Here’s what the ICO website has to say, and do check out their site, as there are a lot of useful templates you can access. “Service providers are required to notify the ICO if a ‘personal data breach’ occurs. They must also notify customers if the breach is likely to adversely affect customers’ privacy, and keep a breach log.”
If you want to discuss any of the above issues, please contact us on 0333 3207 335.