Following TalkTalk’s data breach last year, George Thompson, CISO at TalkTalk, offers advice on how to protect your company against cyber attacks.
British businesses lost over £1bn to cybercrime between March 2015 and March 2016, according to police data compiled by Get Safe Online.
Small businesses and startups often believe they are safer online and less vulnerable, due to their relative size. However, this is not the case, and this mentality can prevent SMEs from engaging with cybersecurity in a productive way.
It is easy to think of cybersecurity as being a yes or no answer to the ‘are we secure’ question, but with a constantly evolving threat, this is a limiting approach. If a business asks ‘are we secure?’ they are asking the wrong question – because no one can guarantee that they are completely safe online.
Instead, SMEs should be looking at what risks they are taking by doing, or not doing, something. Only by evaluating – and understanding – the risks that they face, can SMEs develop processes and contingency plans that will help keep them secure.
It is also crucial that everyone in the business understands what the cybersecurity processes are, so that the company can be prepared in the event of a breach. Whilst businesses may not be able to build an online wall that stops every hacker in their tracks, there are simple, straightforward steps businesses of all sizes can take to improve their protection online.
Use ‘Bring Your Own Device’ (BYOD) safely
There is a growing trend for companies to implement BYOD policies; i.e. allowing employees to bring their own equipment such as laptops or mobile phones to use at work.
This can be especially beneficial for SMEs, as it often eliminates an additional business expense. However, this can leave systems vulnerable, as passwords and sensitive information are not protected by the company’s security framework.
Instead, they are left up to each employee’s personal security habits. To protect your company’s data, you must make sure that all systems being accessed are encrypted and that there are rules in place as to what can be accessed across devices.
Educating employees on best security practices and keeping their own devices secure is of critical importance if BYOD is to be implemented with minimum risk.
Be loyal to one cloud service
You may find that each employee has a different preference when it comes to the cloud services they use.
This can bring about a situation where confidential information is spread across multiple cloud storage solutions.
In isolation, this is not an issue. However, each cloud service has different security settings, so when employees often share documents to work collaboratively, it is easy for these to be left open to the public.
This presents a high risk to your business, as confidential information could accidentally be made widely available.
Deciding on one cloud service that you believe will work best across the business, making that choice known, and working with employees to store all company documents within your preferred secure environment, helps reduce the chance of a data breach.
Look beyond the firewall
It is important to understand that simply having a secure firewall does not mean that all of your systems are protected.
Security breaches can come about from something as simple as guessing an obvious password. If it can happen to Mark Zuckerberg, it can happen to you!
Therefore, encourage your employees to choose passwords that are complex and strong, but also memorable enough that they are not tempted to record them somewhere insecure.
Also reconsider the use of external devices such as USB keys, as they are often not encrypted.
Choose encrypted external devices and have a clear policy for what information can be taken out of the office, and for what purpose, as lost USB sticks and other mislaid devices also pose a very real security risk.
Educate and allocate
The topic of cybersecurity might not be a field of expertise owned by anyone in your office, but it is important that every member of your team is educated on the basics.
Policies should be put in place, and the team should regularly role-play and practise what would happen if the business underwent a security breach.
In terms of responsibilities in the event of a breach, make everyone’s roles known in the office so employees know who to address specific issues with.
Educate your employees on the importance of speed in the event of a security breach. A recent survey found that 30% of employees would wait over the weekend if they saw a threat on a Friday evening – encouraging a fast response is crucial when limiting the damage of a cyber-attack.
Small does not mean safe
Hackers will attack any business that is vulnerable – whether they have five employees or 5,000 – so it is important to take the necessary steps to ensure your business is as safe and secure as it can be. Make this point known to your employees to ensure they do not save any confidential documents outside of your system on personal cloud service accounts and devices.
Whether you feel like your business is completely clueless or totally clued up about cyber threats and the risks they may carry, everyone is still vulnerable to attacks in one way or another – from phishing emails to full-blown data hacks and breaches.
Even if you work for a technology company, you may not know everything, and for those who believe that they know nothing about how to protect themselves from a cyber attack, there is an increasing amount of help and support available to bring them up to speed. It is important to train your team – in terms that they can all understand – on the various protocols that your business puts in place.
There are a number of measures that businesses can put in place to improve their safety online. Once these steps have been taken, your team will be able to operate much more smoothly should your company come under attack.
These changes can also provide an opportunity for employees to learn about the importance of cyber security and why everyone needs to take on such an important role in the event of a breach.