It’s hard to avoid hearing about the high-profile cyber attacks that have made the news in recent times: for example, the WannaCry virus that hit the NHS, the data breaches suffered by Three or TalkTalk, or the money stolen from Tesco Bank customers. However, it can feel like these attacks are only going to affect the very biggest companies, and SMEs may not be aware of the threat that cyber attacks actually pose to their businesses.
The Government’s 2017 Cyber Security Breach Survey found that 46% of small and medium-sized businesses have been affected by a cyber security breach in the last 12 months. We’ve seen a dramatic increase in the number of clients who’ve been victims of cyber attacks and, in particular, ransomware attacks. Some have been unable to trade for days, or even weeks, and have lost thousands of pounds as a result.
If you don’t think you have to worry about an attack, ask yourself the following question:
Is there any part of your business that isn’t reliant on digital systems?
Because in the event of a cyber attack, this could be the only part of your business that still functions.
The good news is there is now a wealth of free practical advice available for all businesses. The National Cyber Security Centre (www.ncsc.gov.uk), for instance, has some simple steps you can take to protect yourself. Some of the key points include making sure systems are updated, using antivirus software and backing up important files. This last point can be especially important: as some clients have found out to their detriment after an attack, it’s not necessarily safe to assume that your system provider will be backing everything up, or that the data restoration will be successful.
Businesses with the most advanced technology are still at risk of a breach. So how do you protect your business from the human element?
Use strong passwords and ‘2FA’ (two-factor authentication), as passwords alone are no longer enough. It is human nature to want a password that is easy to remember, but the simpler it is, the quicker a hacker will be able to crack it.
Educate staff on phishing and social engineering. Employees can inadvertently help cyber criminals gain access to company data. Some common examples include:
- Clicking on malicious email links. These links are often well disguised, encouraging people to act urgently or tempting them with offers that are too good to be true. Common examples include speeding penalty notices or income tax rebates. Best practice is always the same: if the email doesn’t appear 100% genuine, don’t click on it.
- Downloading unauthorised software. Even if the software itself isn’t malicious it can contain bugs that allow cyber criminals access to your system.
- Plugging in unknown or insecure devices. The most commonly used is the USB storage stick, which can contain malicious code that will run automatically when plugged in.
Education is key, but it is recommended that desired behaviours are reinforced through company policy. Banning activities such as the use of storage sticks and downloading of software is the best way to ensure protection.
And if, despite your best efforts, an attack breaches your systems, would you know what to do? For instance, if you switched on your computer and there was no response except for a ransom demand, should you pay it? How would you get back up and running again, fast? If you found out someone had got into your systems and accessed the data, do you know what regulations you have to comply with?
Cyber insurance is available to offer expert advice and support in these kinds of situations, as well as helping you get your business back to the position it was in before the incident.
Typically a policy will protect your IT system and data by:
- Providing cover against hackers stealing data and demanding a ransom to release it or against viruses that paralyse systems.
- Providing practical support in the event of a data breach – including forensic investigations, notifying affected customers and access to PR advisors.
- Compensation for loss of income.
- Costs including fines if you are found non-compliant on data protection/privacy or if you are sued by customers or employees whose data has been breached.
- Costs to repair or restore data or programs following damage caused during a breach.
- Some policies also extend cover to theft of funds via electronic means.
If you would like to discuss anything raised in this article please contact Hugh J Boswell on 01603 626155.