In the main, small and medium-sized businesses (SMBs) understand what a cyber-attack could mean and take appropriate precautions. That said, 47% of SMBs suffered data breaches or cyber-attacks last year so don’t think ‘it will never happen to me’.
It’s important to bear in mind that cyber security updates are created incrementally, as emerging threats are understood and new technologies are established to combat them, so there is always going to be a risk. Regrettably, not only are cyber-attacks on the rise, but they are also becoming increasingly sophisticated so, even if you have a robust plan and advanced security measures in place, you are still likely to be targeted.
To safeguard your data and protect your business in this kind of climate there are six key areas that you should consider.
Software updates
All too often we hear of IT issues occurring because companies have been lax about applying software patches. Hackers will exploit vulnerabilities in system software and web applications to execute unauthorised code, enabling them to gain extra privileges or steal your information.
An unpatched vulnerability can be very serious: one such instance in the systems at Equifax in the USA led to a breach involving 143 million social security numbers, addresses, driver’s licence number and credit card numbers.
Make it a policy to update software regularly, including operating systems and applications. Put in place a programme to update software consistently and methodically because just one vulnerable system will leave your business open to attack.
Ensure that all systems are consistently updated and by this we mean servers, networks, firewalls, mobile phones, anti-virus, email and web filtering – all be updated and patched as soon as it is practical.
Regular back ups
Get into the habit of backing up data files and system files every day, including information on employee devices. Then, in the event of a cyber-attack, data can be restored and systems will be up and running again with minimal disruption to your business operations.
As part of your risk management activities identify which systems are critical. A sales organisation, for example, cannot afford for its contact database (CRM) to be compromised otherwise it wouldn’t be able to get in touch with customers or suppliers and may, potentially, lose the ability to ship orders. This is a critical system on which the business is heavily reliant so it should be backed up on a daily basis.
There should also be a clear plan, which is tested regularly, to restore this system if it should fail or be subject to a cyber-attack. Then, if the worst should happen, the restored systems will be no more than 24 hours old, whereas restoring data from a backup that is even one week old will result in massive disruption.
Train your team
Every business is unique and levels of IT competence will vary from employee to employee. The simple act of opening an email attachment can inadvertently download malicious software which uses encryption to hold data for ransom and can be extremely costly to resolve, it’s vital to integrate cyber security into all operational systems, processes and professional development programmes.
The starting point is to make everyone aware – with directors and senior staff taking the lead – about the risks of cyber threats and what it could mean for your business. Spell out the fact that if the business is not able to withstand an attack, it may not survive and everyone will be out of a job.
Create a Cyber Security Policy that sets out how your business will deal with cyber security issues and make it available, and easily accessible, to all staff. Then train all staff about data security best practices and how to recognise a cyber threat.
Communications
Implement a communication strategy so that employees are informed promptly if the company’s network has been hacked. People will be concerned about what is happening and whilst key information will be contained in your Cyber Security Policy, which should be central to your communication strategy, make sure employees know who to ask if they need more information and when they should seek advice.
Identify when you can issue updates and who will communicate these to your team. Keep updates informative but brief and let staff know that you are dealing with the problem in regular bulletins as these will serve to reassure them, even if there is no real news.
A robust emergency response plan is also key to keeping communications channels open while you respond to a cyber-attack.
Emergency response plan
The businesses that deal best with a cyber-attack are those that are well-prepared. It’s therefore important to devise an emergency response plan and make it available to all staff. In terms of incident management everyone needs to understand what will happen and who will take responsibility.
The plan should include contact details of key staff and their role along with details of IT suppliers and contractors so there is no delay in calling in expert support to help you resolve the problem if you need it
If systems are compromised by ransomware, for example, and are inaccessible, staff will not be able to operate as usual. The plan should set out how you intend to manage business continuity, including alternative work arrangements over the short term, and include essential steps is respect of systems and data recovery or fail-over.
Then, before an attack occurs, make sure you test your emergency response plan, refine it and test it again to make sure it is fit for purpose
System vulnerabilities
Like so many things these days, crime has moved online. Your business can fall prey to phishing and spear phishing attacks, malware, man-in-the-middle attacks, denial of service attacks and password attacks. And don’t underestimate malicious actions by disgruntled staff or former employees, who may decide to pass on sensitive information to competitors.
To minimise the impact of a cyber-attack work with your in-house IT staff and your external IT support team to identify any system vulnerabilities. Secure your network by employing industry-standard defences such as perimeter firewalls, email and web filtering and anti-virus protection and keep them up to date.
IT resilience is also enhanced by implementing policies that manage users and access to company information and systems, achieved via access controls that restrict applications, privileges and data.
A cyber-attack is potentially the most malicious threat your business can face. Even large, well-funded corporations can suffer a breach, but having a sound backup and recovery plan will minimise the impact on your business and reduce the risk of revenue loss, reputational damage and regulatory fines.