If you run a small to medium enterprise or a not-for-profit organisation, you are at risk from cyber threats. We all are, but SMEs in particular are being hit and losing real money as a result of criminal activity that deliberately sets out to cause harm.
With experience pitching cyber security products to banks and government departments, I have learned some valuable lessons at a strategic level that can be applied to the smallest of businesses. The first lesson for me was that technology is only part of the solution, but needs to be behind every aspect of business and security.
First, we must get our strategy right – what is important to protect, who are we protecting it from and how we are going to go about protecting it? Not even the banks and government can buy every security technology they are offered, and they must prioritise their spending to ensure the biggest threats are addressed first.
The biggest threats still come from people inside your business space (insider threats), or from the person sitting next to you on a plane reading your emails, your proposal or your pitch deck on the way to a presentation.
The next scale of threat may well be your staff opening something in their email they should not have, in a moment of distraction or low attention. Not a malicious act but a simple mistake. As we all deal with too many emails and too many websites and tools with passwords, it is relatively easy to be distracted into giving away access to data. Sure, not every email every time with every staff member, but it’s the one that gets through that counts.
The next level threat is the opportunistic attack where your network is breached by a systematic, automated search for vulnerabilities and some feature of your systems is exploited or breached.
The top level threat is when a targeted attack is launched on your business to penetrate your systems to find specific data or to manipulate your systems, as in the case of Facebook recently where 50 million accounts were harvested.
So, how do you combat these threats?
Strategy
The steps to getting your strategy right are to determine what it is you are protecting and what it is worth. As an SME, you have a legal obligation to protect your clients' and staff's personal information and your business's IP and financial information. If your business uses IT systems to run the business, as most do these days, you also need to ensure continuity and disaster recovery of those systems.
A breach may not be as public an event as Facebook's, and it definitely will not reduce your share value by $17 billion in a week. It may, however, cause you pain and expense in a number of ways. At worst, it may lead to the end of your business.
Determine where the need to protect is, determine where the need for continuity is and implement technology to fix that. Determine who has access either physical or over the network or internet and ensure suitable restrictions are put in place. Plan a budget to train your staff on suitable use of IT systems. Ensure you have access to the right advice and the right resources.
People
The success of all businesses is determined by the people involved – unfortunately, so is the failure. If you have people in or around your business it is wise to train them to be “Cyber Safe”. Recognising a threat in the form of a bad website or email message is a good step to take. Keeping your servers in a locked room for physical security, and restricting access to folders on the network drives, is the standard stuff that ensures your own people are not stealing your data, sharing it inappropriately or letting it get infected by a virus on their PC.
Today there is so much more we need to take into consideration, with people globally attempting to access your computer. Have you ever had the thought that one in a million people on the internet are probably trying to get at you one way or another? With four billion connected users, that’s 4,000 threats – you need to set up defences against these people every day. The fact that you are in Australia means you are in one of the wealthier demographics, and as such you and your business are targets.
So, when you are setting up for cyber security, think about how people might want to do wrong by you.
Products
When your strategy is right and your people are considered, you then want to ensure you use the best products to minimise the impact to your business. You cannot afford to use every technology out there for cyber security but you can choose safer options in every little decision. You need to select and deploy the best of antivirus solutions and spam filters, firewalls and web filters. You can also make use of two factor authentication so it is harder to access your networks remotely but not so hard your staff don’t bother.
Often it is the little differences, not the big decisions, that make the biggest difference. For example, when you select a laptop for business use, you can buy a consumer grade product, or for a few dollars more you can buy an HP laptop with a limited viewing angle option on its screen, so that when you are in public the view of your laptop screen is restricted to stop people reading it over your shoulder. It is about buying secure printing devices, like those from HP, which do not cache your files in a way that lets intruders copy them. It is about the little things, like keeping your patching managed and up-to-date, that stop people getting onto your wireless networks.
There are products for everything, but it is about getting the right advice that then lets you use common sense to apply the protection you can afford to the components you must protect. We do not need to turn it all off and start again, but we do need to take security seriously. We must plan for, and invest the time and money needed, to stay on top of cyber security.
When Your Defences are Breached, is Your Business Ready to Survive?
It’s a sunny morning and as you sit in traffic enjoying the sunshine on the way to work, you are thinking about your day ahead and the things you will do with it. Out of the blue, your IT department calls you to let you know the systems are down and it looks like you have been hacked.
Suddenly, you are not noticing the sun, the traffic has become a blur, and your mind races to try to figure out what you do next. How will you figure out what has happened to your systems? Do you have a secure backup to recover from? Who do you need to tell? What is the process now?
Do you take a deep breath, remind yourself that your business is prepared for this and instruct the IT manager to follow the plan, contacting key managers to play their role in the actions of clean up and communication? Or do you sit and wish you knew what the next best step is in the absence of a plan?
If your business has over $3 million in turnover, you now have mandatory reporting of any data breach that may have accessed personal information. If you are unsure of the nature of a breach and what data has been accessed, you have up to 30 days to determine the impact before reporting it.
On 16 March, ARN reported that there had been 30 breaches reported in just 3 weeks, and I am sure we can expect to hear about a lot more as data is being breached regularly. Often the organisation being breached does not even know it is happening.
What can you do to be ready for a data breach?
For starters, have your data backed up so that any corrupted machines can be wiped clean and restored.
Have control of your security systems so you can lock intruders out quickly.
You should also be ready to follow the four recommended steps as per the OAIC web page:
Step 1: Contain the data breach to prevent further compromise of personal information.
Step 2: Assess the data breach.
Step 3: Notify individuals and the Commissioner if necessary.
Step 4: Review the incident and consider actions to prevent future breaches.
Recently, we saw $17 billion in value wiped off Facebook when their breach notification hit the press. They are still trying to figure out how the breach happened due to the complexity of the mess and the scale of the leak. To say they are bleeding money over it is an understatement.
What is the likely fallout to your business from a reported breach? Do you have the right communications strategy ready to go, just in case? Sure, it won’t be $17 billion you drop, but what if you lost a few of your best clients over it – would you survive?