Lincolnshire is not traditionally known as a hotbed of international criminal conspiracy, yet in 2016, the rural county suffered two major crimes that hit the national news. First, a ransomware attack on the County Council crippled IT systems, with hackers reportedly demanding a ransom of £1 million. A few months later, North Lincolnshire NHS Trust was infected by a virus that disrupted electronic data operations, causing as many as 35 operations to be cancelled.
These attacks show how widely cyber criminals are casting their net, and highlight that no organisation is too small or too obscure to be targeted by hackers and online extortionists. When everyone from national governments to bedroom-based script kiddies is exploiting gaps in our cyber defences, the urgent need for a comprehensive security strategy becomes clear.
But information security is not just a matter for the public sector and its suppliers: it should concern every business that cares about its data, its intellectual property and the threat of disruption from ransomware and other malware.
So far, more than 6,000 businesses have gained the Cyber Essentials certification, which was designed for SMEs, and while the rate is increasing this still represents barely a tenth of one per cent of all UK firms. The danger is that businesses view Cyber Essentials as the domain of multinational enterprises; yet with one in four UK companies suffering some form of cyber attack in the last year, it is obvious that every business needs to take practical steps to stay secure, even if gaining Cyber Essentials certification is not a priority.
If companies implement the following checklist, they can make massive strides towards ensuring that they do not join the ranks of compromised organisations in 2017 and beyond.
Get everybody on board
Cybersecurity isn’t just a matter of antivirus and firewalls; ultimately, it requires people to understand the risks and to take responsibility for following best practice. Everybody from board level down to the most junior employee must be trained in cybersecurity awareness: the specific risks they face (for example, from phishing), the consequences of a successful attack, and their own particular responsibilities in mitigating these threats.
Test your defences
We read a great deal about banks undergoing “stress testing” to check whether they are fit to ride out future financial crises, and it is a principle that should be adopted by any business that cares about its cybersecurity. Companies should therefore conduct attack simulations to measure their ability to withstand known threats. This should cover network infrastructure, configurations and processes alike, to determine their effectiveness against malware, phishing and other threats, and to spot vulnerabilities in the security estate. For most businesses that means phishing simulations against staff, a review of patching and configuration, and testing of internet-facing systems, with the findings fed back into training and fixes rather than filed away.
Close co-operation with IT suppliers
It’s easy to think of IT as something that stays firmly in the background, but your IT or cloud provider should be doing much more than just “keeping the lights on”. Businesses should have a close relationship with their IT suppliers: one where they can seek practical guidance on the latest threats and how to combat them, but also seek reassurance that the provider is fully up to date in its processes for fighting cybercrime, and that responsibilities for patching, backups and breach notification are written into the contract rather than assumed.
Investigate cyber insurance
A successful cyber attack can have a devastating effect on an organisation, ranging from lost revenues to reputational damage. It is imperative that your business investigates whether it is covered by its existing insurance (including existing contracts with IT suppliers). Cyber insurance policies now offer both first-party cover (your own losses, such as recovery costs and business interruption) and third-party cover (claims from customers or partners), but remember that any policy will require a business to take effective measures to protect against avoidable threats, and a claim can be refused if those measures were not in place.
While even the best-prepared organisations can fall victim to cybercrime such as hacking and industrial espionage, the average business is much more likely to be the target of opportunistic attacks. By putting robust security measures in place, encompassing people, processes, infrastructure and insurance, businesses can give themselves the best chance of seeing off all but the most determined and targeted attacks, and so avoid making the news for all the wrong reasons.