So, you are running your company and trying your best to grow the business in a challenging economic environment. Your main concerns are cash flow, funding for growth and improving sales. Of course you keep your eye on business developments and you keep hearing the words ‘Cyber’, ‘Cyber Attacks’ and ‘Cyber Security’. While you have a basic understanding of what they mean, they don’t really affect you; after all, cyber attacks are about state sponsored terrorism, aren’t they? Your company is an SME and no one is really interested in a business of your size, so it doesn’t really affect you, does it?
Cyber security – what’s the problem?
Regrettably that is not the case and it most definitely does affect you, simply because cyber attacks are carried out by a variety of people for a variety of reasons. The most likely people to affect you are cyber criminals. These groups are not targeting you as such, after all it is business – it’s not personal! However their business is about getting money from your company and others like yours, so it does become personal when you become the target. The attacks aim to steal information that can be used to make money from you, whether that is your company IP data, your company or personal financial details or sensitive information that can be sold to other cyber criminals to exploit.
Cyber crime is on the increase
There are a number of surveys and statistics that will show that cyber crime is on the increase. The latest figures from the Cabinet Office talk about 83% of small businesses reporting a cyber security breach in the past year and put the cost of such breaches at between £450,000 and £850,000 for large businesses and £35,000 to £65,000 for smaller ones. Either way the odds of being attacked are going up and the costs of recovery are going up. This is not a security issue – it is a business issue and it needs managing like any other risk to your business. Cyber security is not about leaving it to a security manager or to IT; it is bigger than that, and as something that can affect your business bottom line it needs attention from the company’s highest levels of management.
What can you do about it?
Most risks cannot be reduced to zero and cyber security risks are the same. The aim is to get the right amount of security to protect the important information that YOU care about in your business. Don’t forget, this is not only about your information; it is about your staff’s information (their personal data) and your clients’ information that you hold on trust for them. Imagine the result for your business if their businesses were attacked because of your lack of care!
A number of government and other organisations provide best practice cyber security advice and support to UK businesses through a number of initiatives. It is assessed that the most prevalent cyber attacks can be mitigated to a significant extent by a business that implements a small number of basic controls. The Department for Business, Innovation and Skills (BIS) is developing a Basic Cyber Hygiene profile that will provide an initial focus for organisations and companies across the UK to start to protect themselves against cyber attack. The types of security controls that are recommended for all organisations to implement at the most basic level include:
- Firewalls and gateways to protect connections to the Internet;
- The secure configuration of computers and network devices;
- The control of access to computers and devices (often managed through user accounts);
- Protection against malicious code;
- Maintaining up to date software on computers and network devices.
BIS and CESG are currently working with industry to develop a method of testing to see if businesses have these basic measures in place, and it is likely that businesses will be increasingly asked to demonstrate that they have taken at least the initial steps to protect themselves and any information entrusted to them by clients. Having evidence that your business has implemented some basic measures to reduce your cyber risk is also increasingly likely to become a commercial discriminator.
It could be you!
You need to recognise that your business could be targeted by cyber criminals. You need to have at least the basic cyber security controls for your business. You may not defeat the cyber criminals but you can make yourself a harder target.
It is a bit like being an antelope grazing on the plains – you don’t need to outrun the lion that is hunting you to survive, you need to outrun the other antelopes!
Article by Dave James, MD of Ascentor.