We have all seen the many recent news items about high-profile Cyber Security attacks on large businesses, but when talking with clients of all sizes and across all sectors, they all share a concern about the threat, at varying levels. When talking further with these clients, they generally feel confused as to what they can do to protect themselves, but commonly feel that ‘IT have it covered’, so they are protected and as a result do not need to do anything about managing this risk.
The following is from the report ‘Cyber Security Breaches Survey 2016’, based on research commissioned by the Department for Culture, Media and Sport as part of the National Cyber Security Programme, and highlights the scale of the problem facing businesses today:
A quarter (24%) of all businesses detected one or more cyber security breaches in the last 12 months. This is substantially higher among medium firms (51%) and large firms (65%). Large firms are also more frequently targeted, with 25 per cent of those that experienced breaches having been breached at least once a month. Across all size bands, by far and away the most common types of breaches experienced are viruses, spyware or malware (68%) and breaches involving impersonation of the organisation (32%).
Among the businesses that detected breaches, the estimated average cost of all breaches over the last 12 months is £3,480. This is much higher for large firms, at £36,500. The estimated average cost of the single most disruptive breach from the last 12 months is £2,620 across all businesses and £32,300 for large businesses.
There are many reports and online articles that offer support and guidance on how to install software and hardware, or how to make use of professional services that can mitigate the Cyber Security risks that businesses face. I will try not to repeat the same messaging within this article, but hopefully provide some advice, from an independent viewpoint, as to what businesses can and should do.
I find that my smaller clients, and those operating within certain industry sectors, have a different view on Cyber Security risks from my larger clients, in that they feel that they are not at risk of being attacked as their data is of little value or interest to the hackers. Whilst this statement may be partly true, current trends in Cyber attacks show that smaller businesses are being targeted harder as they generally have less sophisticated security systems, do not effectively manage their IT and will pay ransom demands to regain access to their data. I have sat through many Cyber Security presentations from vendors (hardware and software), solution providers, police, education, ethical hackers, GCHQ and insurance providers, with each raising some very good take-away items based on solid facts. I have had the pleasure of supporting clients at some of these presentations, and the conversation afterwards always comes down to one thing: ‘what do I do now?’, as they are usually rather confused after having been bombarded with facts, sometimes specific solutions, but also some ambiguity. These clients are not sure how to address the issues that struck home with them with respect to their business, but they all realise that they need to address the risk, so where can you start?
Security is not a product; it is a process requiring multiple layers of defence that together offer protection. The simple fact is that no computer system can be made fully secure, as a determined hacker will always be able to get in; all that a business needs to do is make the process harder for them, and they will probably move on to easier targets. Whilst multiple layers of Cyber defence products can be installed to protect the data, by far the biggest weakness in the computer system is the user, as they respond to phishing emails and phone calls and hand over a load of personal information into the public domain, making us the easier target. In addition to this personal attack surface, users fail to implement management processes that keep the computer systems updated, or turn off security features because they get in the way when they are working. The trick is getting the balance right, so that the security is appropriate without becoming invasive to our daily computer use, and reviewing the processes regularly to ensure that they have not been compromised.
The popular image of a hacker is someone sitting in a dark room, probably hiding under a hoodie, but this is very different from what is happening today. Most attacks are carried out by fully automated computer systems targeting systems that have known weaknesses due to a lack of updating. Many of these hacker computer systems are professionally run businesses, with some operating a 24×7 helpdesk, within service level agreements and with money-back guarantees. There are still the traditional hackers who pride themselves on breaching security at high-profile businesses through targeted attacks, and criminals who will target large businesses in this way. Many attacks today, however, are being carried out by organised criminals who seek to raise funds through extortion by targeting as many computers as possible with the least amount of effort; Cryptolocker programs are a prime example of this.
So what can you do, at a simple level, to protect your business from hackers?
- Educate users about using pass phrases instead of passwords, favouring length over complexity. Pass phrases are easier for us to remember and take hackers longer to break. Users should also not use the same password on more than one account, because if it is compromised an attacker could then potentially gain access to all the services where it has been used.
- Educate users about safe Internet usage and how to recognise phishing activities and malformed links. These are the main and easiest routes into a secured network, and the education needs to be repeated so that users are kept up to date on current trends.
- Apply updates to all your computer equipment regularly. This includes mobile phones, tablets, routers, switches, firewalls and websites, as most people only think about their computers. Applying these updates promptly is an important factor in reducing the period during which the systems could be compromised, as a lot of breaches depend on a weak update management regime.
- Reduce the security risk by removing programs that are not needed, and control what new programs are installed on your computers. By controlling the applications that are installed on the network you can reduce the potential security holes, and also reduce the costs of purchasing and supporting applications to keep them updated. This applies equally to all the software that comes pre-installed on computers: remove it if it is not needed.
- Review security permissions on computer systems and remove any permissions that are not needed, in particular removing administrator-level access from users’ primary accounts to reduce the risk these users pose to the network. If you have software that demands to be run as an administrator, change the software, as the vendor does not take your data security seriously.
- Review the firewall rules at the edge of the network along with remote access policies, as these are the hidden doors into your network; ensure that any unnecessary doors are closed when they are no longer required. These firewall rules need to be controlled and reviewed so that you are aware of the data that is coming into and going out of your network.
- Create a Data Breach Response Plan so that you can respond in a structured way if the worst does happen, because you have planned for it and have put resources in place to deal with an incident. You may wish to review your insurance and protection for Cyber incidents with your broker, as this can be part of your toolkit for bringing in specialist resources to handle an incident, if one happens.
You can demonstrate that your business is compliant with a basic cyber security standard by achieving Cyber Essentials, which is a UK Government-backed scheme. Cyber Essentials will ensure that you follow good basic security principles, covering all the recommendations above and others, that offer protection against 85% of the unsophisticated attacks that many businesses face today. Cyber Essentials is designed for businesses where adopting ISO 27001 would be too much or inappropriate. Being able to demonstrate that you take Cyber Security seriously can give you a competitive advantage, with a number of supply chains looking for compliance with a standard; the UK MOD, for instance, demands Cyber Essentials.
It is for good reason that many companies are not prepared to share details of their Cyber Attacks, given the reputational and commercial impact that they bring. When I talk with clients about protection and the justification for implementing security practices, I find that they need to understand the impact this could have on their normal business operations, in addition to the cost of recovery. Consider the impact on your business if you came into work as usual on Monday morning to the following:
You confirm that you can’t access your files, your email is down and your main line-of-business applications can’t be accessed. This scenario is one that many businesses can reflect on, having seen this or a similar situation within their own business. If you have a Data Breach Response Plan you will know how to progress, and you can recover the business within the defined RTO and RPO (recovery time objective and recovery point objective) if you have a properly managed backup strategy. The impact on your business will be the downtime to perform the recovery and the cost of recovery, and both of these will depend upon how well you planned for and reacted to the event. The scenario may produce downtime of hours, subject to the level of corruption, the IT services available and your backup architecture, based on the volume and type of data needing to be restored. In the worst case it could be over a week of major business disruption as systems are recovered, after the delay of deciding what has happened and how to recover; this assumes that you can recover all data from backups. You may decide to act quickly and pay the ransom money. If you are lucky, you are provided with the key to unlock your data and, if you are really lucky, that key will give back 80% of your data and it may not be corrupt.
This scenario need not be caused by a targeted attack; it could equally result from a user visiting a compromised website, using social media or clicking a link in an email. It is a case study based on a number of client stories, and this could be your business. The immediate cost to the business is the loss of confidence and reputation among staff and customers, high recovery costs and loss of business. Future costs may include potential fines from the ICO, continued support costs where the recovery was poor, and the damage to your reputation going forward, not to mention the associated trading losses.
So, how could this have been prevented, the risk reduced or the recovery improved?
- Limit user access permissions
- Install good anti-virus software and keep it updated
- Apply updates to your systems
- Educate users on safe Internet usage
- Protect and monitor your Internet connection
- Have a good backup strategy
Regardless of the size and sector of your business, I hope that this article provides food for thought on Cyber Security and prompts you to think about what you should do to protect your business.