[BreachExchange] Easy ways to protect your business from cyber attacks
Inga Goddijn
inga at riskbasedsecurity.com
Wed Jan 11 16:52:00 EST 2017
http://www.telegraph.co.uk/connect/small-business/tech/easy-ways-to-protect-your-business-from-cyber-attacks/
Unlike larger companies, small businesses often operate without dedicated
IT professionals, and rarely regard themselves as attractive targets for
cyber attacks. But this very attitude, and the knock-on effect of being
left undefended, is precisely what may make them tempting to hackers.
Duncan Sutcliffe, director of Sutcliffe Insurance Brokers
<http://www.sutcliffeinsurance.co.uk/> didn’t know where to start when it
came to protecting his firm. “Like many SMEs, we have no in-house IT
expertise and were faced with a vast array of confusing and sometimes
contradictory advice," he says, "We didn’t know where to start. We found
cyber security so out of our comfort zone that it was tempting to just
ignore the issue."
Mr Sutcliffe is not alone in trying to put off the issue. According to
the Experian
data breach preparedness study
<http://www.experian.co.uk/assets/identity-and-fraud/smes-under-threat.pdf>,
51pc of UK SMEs do not see cyber security as a priority.
Guarding against spam and phishing emails is key to mitigating the risk of
ransomware attacks Vince Warrington, Protective Intelligence
But the consequences of an attack can be severe. An assault on a business's
IT systems, infrastructure or devices could mean the difference between
staying afloat or going under, especially if reputational damage results in
losing trade, or it faces legal consequences.
With 38pc of UK SMEs having
<http://www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-digital.pdf>
experienced
an attack in the past year, ignoring the issue is no longer an option.
Guard against email spam
A major threat
<http://www.telegraph.co.uk/connect/small-business/business-solutions/how-to-improve-your-cybersecurity/>
to
SMEs are ransomware attacks – malicious software that locks a device, such
as a computer, tablet or smartphone, and then demands a ransom to unlock
it. “Guarding against spam and phishing emails
<http://www.telegraph.co.uk/connect/small-business/business-solutions/what-is-email-security-and-how-can-SMEs-get-it-right/>
is
key to mitigating the risk of these attacks, and to achieve this, you need
to use a blend of technical and educational solutions,” explains Vince
Warrington, founder of information security company, Protective Intelligence
<http://www.protectiveintelligence.co.uk/>.
Ransomware is reliant on an end user activating it, usually by opening an
infected email attachment, so educating staff who can expect attachments on
a daily basis, such as finance and HR teams, is vital. They should be
encouraged to have a healthy scepticism by questioning who or where emails
come from.
On the technological side of things, a disaster recovery plan should be in
place, outlining what to do in the event of an attack. “There’s nothing
quite so devastating for your business as finding out that you’ve become a
victim of ransomware, only to discover that your backups are so old – or
non-existent – that you can no longer operate,” he says.
Having effective backups of data on an external hard drive or cloud-based
service – or both, ideally – are useful, but shouldn't be your only line of
defence.
Have a strong response plan
For some, taking an active leadership role is an important way to protect
yourself from an attack. Matt Middleton-Leal, the regional director of UK
and Ireland at security software company, CyberArk
<https://www.cyberark.com/>, says that in the absence of IT specialists,
it’s up to SME leaders to determine an effective cause of action in the
event of an attack, and educate staff to prepare for them.
Ensuring that security is a priority begins during staff inductionRyan
McGrath, Echo
The main way business leaders can do this is through preparation. “This
means having a strong cyber security response plan that clearly defines
roles and responsibilities, and outlines how data can be recovered quickly
in the wake of an attack,” he says.
By regularly testing these plans through live drills, and updating them as
needed, this will help prevent company paralysis when an incident occurs.
Further assistance for SMEs can be found in the UK Government’s 10 Steps to
Cybersecurity
<https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility/10-steps-summary>
.
Taking a proactive approach to cyber security means that small businesses
will be able to make better and faster decisions in crisis mode, build
trust from customers, and be in the best position for long-term growth,
explains Mr Middleton-Leal.
Educate your staff on their responsibility
Data is far too important to be interfered with, especially when it’s
extremely sensitive. The health tech industry is held to a higher standard
than others when it comes to protecting patient data, so they have to
invest heavily in security, says Ryan McGrath, development operations and
security lead at free prescription management app, Echo
<https://www.echo.co.uk/>.
“Our main challenge in 2017 is maintaining a culture of security while
meeting operational requirements. This means ensuring that security is at
the heart of everything we do,” he explains.
A critical part of that is employee education. “Ensuring that security is a
priority
<http://www.telegraph.co.uk/connect/small-business/tech/pc-world/basic-sme-tech-guide/>
begins
during staff induction," says Mr McGrat. "People are reminded of their
responsibility under the data protection act, and we share personal
experiences – as patients and employees – from previous companies. We also
talk about major data breaches in the press."
Reinforcing employment contracts is done by reminding staff of their
responsibility to the company's patient charter
<https://www.echo.co.uk/blog/echo-patient-charter>. This is done by
ensuring two-factor authentication as much as possible across devices and
minimising access to data. “For example, our chief executive can't access
Echo patient information. All requests for data must be justified and
approved on a time-bound basis,” he adds.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170111/6949a546/attachment.html>
More information about the BreachExchange
mailing list