Financial ramifications of a successful breach are significant – over $1 million on average, according to a study from Ponemon. As such, it’s critical that all businesses are prepared for the moment when their operations are attacked.
But what does that mean? For smaller businesses, the thought of having to increase investment in cyber security measures can be a daunting one. By their very nature, small businesses have limited access to the required resources in comparison to larger organisations, as a study from Symantec showed. It revealed that, despite typically facing the same threats as bigger organisations, SMEs lack the same level of expertise and other security resources.
Fortunately, when it comes to cyber security, improving a business’ ability to counter threats is as much about behaviour and culture as it is about the latest technology. While keeping systems and software up to date is critical, so is ensuring that everyone in the organisation understands the role they have to play in keeping the business secure.
Whether it’s good password management, data backups or keeping on top of software licences, the basics are the things every company should be doing by default. It should be straightforward – from ensuring employees regularly update their passwords to having a process in place for updating and replacing software assets (54 percent of CIOs around the world cite cybersecurity risks as the number one reason to avoid unlicensed software). Getting these bread-and-butter basics of cybersecurity right immediately improves cyber resilience, because the risk of human error (often cited as the weak link in cyber security strategies) is minimised.
As technology evolves, so do the threats. Everyone, from the chairman of the board to the newest intern, has a responsibility to protect the business, yet it’s clear not enough is being done to make them aware of this. Ninety-five per cent of cyber security breaches are due to human error, and social-engineering threats (such as phishing), which prey on personal proclivities, remain among the most common attacks. Businesses need to be investing more in educating all members of the organisation on how to act in a secure manner – free training is available from government organisations.
As with many aspects of business, it can be hard to be objective when considering your approach to security. Your mission-critical applications are completely secure, you’ve limited access where necessary and your systems are up to date – but have you inadvertently left a gap somewhere else? Think of it another way – have you deadlocked the front door but left the downstairs toilet window open? Cyber criminals will look for the path of least resistance – that marketing application may be redundant now that the campaign has finished, but if it’s connected to your business in any way and not included in your security strategy, you could well be leaving yourself exposed.
Investing in something that is not a direct revenue driver can be hard to stomach for some, but the consequences of not doing so could bring a business of any size to its knees. Being prepared for the worst will ensure that when a cyber attack occurs (and it is a when, not an if), a plan is in place to deflect or at the very least mitigate the impact.
Major global organisations have Chief Information Security Officers, dedicated budgets running to the hundreds of millions and teams working solely on their information security – resources SMEs can only dream of. That doesn’t mean they can’t have someone responsible for cyber security. In fact, it’s imperative they do. While everyone needs to be aware of their own responsibilities, having someone who understands the regulatory, legislative and governance protocols the business needs to follow ensures that the security strategy protects the business from the further ramifications of a large-scale data breach.
With huge breaches now happening on a regular basis, public awareness of the need for cyber security and of organisations’ responsibility is at an all-time high. Add to this the introduction of legislation aimed at protecting individuals’ data, such as GDPR, and being secure is now part of day-to-day business for many, whether they make money from it or not. By viewing it as such, and not as a necessary evil, organisations will be able to embed strong security into the day-to-day operations of the business, in turn improving cyber resilience across the board.
Cybersecurity is a national issue, and many governments offer free training and guidance, as well as lists of registered, reputable security experts. In the UK, the National Cyber Security Centre has a huge online resource for small businesses, including a self-assessment tool that helps organisations check the most critical IT security controls of their infrastructure and the opportunity to become certified in cyber security. This will reassure your customers that you take cyber security seriously, and will help you understand your own strengths and weaknesses.
As companies go digital, so too do they increase the risk of a cyber attack. Modern business means that not going digital is unthinkable – it also means that being resilient to cyber threats is critical. It requires work and, in some instances, a significant shift in culture and behaviour, but to ignore it is to court disaster.
It is only through embedding security principles into the very fabric of the business that organisations can reap the benefits of digitalisation safe in the knowledge that they have managed the risk of breaches as best they can.