How many times have you put off a task because it’s too complicated or you don’t know where to start?
For business owners, cyber security can often be quite daunting. Despite regular reminders that it should be a top priority for their business, it is pushed further and further down on the to-do list simply because they envisage a difficult time handling it and would rather focus on tasks that are within their comfort zone and provide quick wins.
The fear of the complexity of cyber security convinces many of us to ignore it, until of course you can’t. But waiting for a real cyber attack to affect your business is not an effective security strategy.
In this article, we’ll help you get your head around the basics of cyber security for your organisation, ditch the unnecessary jargon and offer actionable steps you can confidently take to make your business more secure.
What is cyber security anyway?
Simply put, cyber security is about protecting your networks, devices and data. Every year, as our business world becomes increasingly digitalised, cyber attacks, usually involving data theft for financial gain, have become more frequent and more sophisticated.
There are plenty of ways to protect your systems and data from these kinds of attacks but it’s important for businesses to stay on top of this, regularly monitoring their vulnerabilities and fixing them.
Of course, the way in which we use technology nowadays is pretty complex, making it harder to cover all the possible entry points for hackers and ensure they’re properly protected.
What are some of the most common cyber threats for businesses?
Just like breaking into a house, hackers can try lots of different methods of gaining unauthorised access - they might pick a lock, climb in through a window, or simply break down a flimsy door.
Cyber security is about identifying these methods and rendering them ineffective, or at least a lot harder to pull off. You might add extra locks to your door, barricade the windows, or install a security camera. There are a lot of similarities between the world of physical security and the world of cyber security.
Phishing
For a number of years now, phishing has been the most common form of attack affecting businesses. These social engineering attacks were responsible for 83% of cyber incidents in 2022.
You probably get a lot of spam emails every day and it’s immediately obvious they’re spam - in fact, a lot of the time your email client will spot them for you and send them to your junk folder before you even have to look at them.
But cyber attackers have got clever and can make a phishing email so convincing, it would take a long hard look to spot anything suspicious. Messages can appear to be from someone you know and trust, even a colleague, but it is this trust that hackers depend on, because when we’re trusting, we’re most likely to make errors.
Malware
This is essentially a fancy name for software that harms your devices or network. You may also have heard associated terms like viruses, worms and trojans. It is often used in conjunction with other attacks like phishing, where a clicked link may release malware onto your systems to make devices inoperable or tamper with important data.
One of the most concerning forms of malware affecting companies right now is ransomware. As the name suggests, this kind of malware is used by attackers to take control of data and hold it for ransom. While it is strongly recommended that victims do not pay this ransom, many companies still do in a rush to get back what was stolen and resume operations. But often, these never see their data again despite paying the attackers.
Man-in-the-middle attacks
These attacks usually involve a hacker lurking in the shadows waiting to intercept a user’s data, for example as they enter it into an application. An attacker may choose from various spoofing methods to trick the user into trusting a certain URL, network or server. The attacker can then harvest the user’s information and decrypt it.
You could think of the attacker as your postman, opening and reading your mail rather than it getting delivered through your mailbox.
Distributed denial of service (DDoS) attacks
Sounds like a bit of a mouthful, doesn’t it? These attacks are intended to overwhelm your devices and network by flooding a server with traffic, making it harder for genuine users to get access.
You may recall one of the largest DDoS attacks on record being reported in early 2020 when AWS, Amazon’s Cloud services provider, was flooded by 2.3 terabytes per second of web traffic. To put this into perspective, this is just under half of all daily traffic on BT’s UK network.
Often these attacks have motivations other than financial. For example, it may be a hacktivist (a person who gains unauthorised access to computer files or networks in order to further social or political ends) making a statement, or an unhappy ex-employee wanting to cause havoc.
There are plenty of other tools and techniques that hackers use to carry out their attacks and many can be used together as we’ve seen here.
But why care about these threats? To understand why cyber security is valuable, it’s important to fully appreciate the impact these cyber incidents can have on a business.
Common issues that surface as a result of a cyber attack include:
- Damaged reputation: Damage to brand reputation, which may affect interest from investors and cause you to lose your position against competing businesses.
- Regulatory fines: Fines of up to 4% of annual turnover can be given if customer data is misused.
- Legal trouble: Legal issues if confidential data and contracts are leaked, and correct steps are not taken following an incident.
- Recovery costs: Increased costs involved when responding to a breach, e.g. cyber security investigators, PR and legal support.
- Insurance suffers: Increase in insurance premiums in the aftermath of a breach, as your business will appear less secure.
- Loss of client trust: Lost clients and business opportunities and lost revenue, especially if confidential contracts or data are leaked.
- Affected employees: Potential loss of employees if contract details and salaries are leaked.
- Business disruption: Disruption to business activities, causing operational downtime that could affect revenue.
- Stolen property: Stolen intellectual property including product designs, company strategies and tech, often stored in the Cloud.
- Drops in market value: Studies show breached businesses experience a temporary drop of around 3.5% in market value after an incident.
So, now you understand a little more about the kinds of threats your business is up against and the damage they can cause, let’s get on to the critical bit: introducing the right kinds of solutions to tackle these threats.
Building a cyber aware workforce
Your people are your greatest weapon in the cyber war. Since the majority of breaches occur due to human error, it makes sense that security efforts be targeted at limiting the probability of these errors being made.
Cyber awareness is not just a quick exercise, it needs to be ongoing, but it doesn’t have to be complicated. Regular cyber training sessions can help keep employees up to date with current threats and what they can do to protect themselves and their organisation.
It’s important to emphasise the role that your employees play in keeping the business secure and if they still need further reason to engage in cyber security best practices, their data is held by your business too and would therefore also be at risk if an incident occurred.
With phishing the number one threat vector, it’s also a good idea to test employees on occasion with fake phishing email campaigns, and monitor how people react. Many companies provide this service at a very low cost - here are our top recommendations in the UK.
You should also make sure employees are included in your incident response plan so you can minimise any damage. Do they know what to do if they come across something suspicious? The NCSC's 'Exercise in a Box' is a helpful online tool for your business to practice its response to a cyber attack.
What goes hand in hand with a cyber aware workforce? Strong passwords.
Many of us are guilty of picking a password that’s easy to remember - the last thing you want is to have your busy day interrupted because your memory fails you. But, what’s easy for us, is easy for the hackers.
Poor passwords are often responsible for a breach, so this is an easy, straightforward thing you can and should address with your employees. A simple password policy is a good way to document your expectations and security requirements when it comes to passwords and this can be shared with every employee during their onboarding process.
Some common password best practices to include in your policy are:
- The longer the better: most policies require a strong password to be at least 8 characters long
- Avoid guessable words and phrases: however tempting, passwords should not include obvious personal information like your birth date or street name. You might also include a blacklist of common passwords that your employees should never use.
- Include special characters and numbers: varying the characters you use in passwords can make them much trickier to crack
- Never share or reuse passwords: If a hacker breaches one account or application, this allows them to access others easily too.
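The four rules above are easy to write down but only useful if they are enforced at the point a password is set. The checker below is an added example, not code from the article or from any vendor it recommends; it turns each rule into a test and reports every rule a candidate password breaks. The blocklist, the personal terms and the helper names are constructed for illustration, and the reuse check compares plain SHA-256 fingerprints only to keep the example self-contained (a real system would compare against the salted hashes its password store already keeps).

```python
import hashlib
import re

# Constructed sample blocklist; a real policy would load a published list of
# common or breached passwords (tens of thousands of entries) instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}

MIN_LENGTH = 8  # the floor the article quotes; many policies now set it higher

# Common letter-for-symbol swaps, so "P@ssw0rd" is still recognised as "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "5": "s"})


def password_fingerprint(password: str) -> str:
    """Hash used only for the reuse check. Illustrative: a production system would
    compare against the salted hashes (bcrypt, Argon2) its password store keeps."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, personal_terms=(), previous_fingerprints=()) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    violations = []
    lowered = password.lower()
    normalised = lowered.translate(_LEET)

    # Rule 1: length.
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: guessable words, both the blocklist and the user's own details
    # (birth year, street name) supplied by the caller.
    if lowered in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS:
        violations.append("appears on the common-password blocklist")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in lowered or t in normalised):
            violations.append(f"contains personal information ({term})")

    # Rule 3: character variety, at least three of the four classes.
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, password)) < 3:
        violations.append("uses fewer than three character classes (lower, upper, digit, symbol)")

    # Rule 4: reuse, the same password must not come back after a reset.
    if password_fingerprint(password) in set(previous_fingerprints):
        violations.append("reuses a previous password")

    return violations


if __name__ == "__main__":
    # Constructed sample user: born in 1985, lives on Elm Street.
    for candidate in ["P@ssw0rd", "Elm1985!!", "correct-horse-battery-staple-42"]:
        print(candidate, "->", check_password(candidate, personal_terms=["Elm", "1985"]) or "OK")
```

Running the sample shows why the blocklist check normalises symbol substitutions: "P@ssw0rd" satisfies the length and character-class rules yet is still rejected as a dressed-up "password".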
Another essential for good password health is using multi-factor authentication (MFA) wherever available. This involves an extra step, such as a code being sent to your phone, before you’re fully verified and given access. This is great for security as it creates an extra barrier for someone attempting to break into your employee’s accounts.
We’ve seen companies breached and go out of business entirely because of something as simple as MFA not being switched on, so this is a must on your business’ cyber security checklist.
Managing access rights
If an employee’s account can’t access sensitive data, a bad actor who compromises that account can’t either. When you’re examining your assets, it’s a good idea to identify the key bits of data and assess the risk of that data being breached. Your access privileges should then be in line with this.
Remember the saying "Two's a company, three's a crowd"? If a user doesn’t need access to a certain bit of data, don’t allow it. Every person that can access data increases the risk of that data being breached. Users should only be able to access what is necessary for them to do their job.
This rule is especially important when it comes to admin accounts. Admin privileges should be given out very rarely and these accounts should only be used infrequently for special activities like installing software. User accounts on the other hand will be for everyday business operations.
Backing up data
Your data is your most critical asset at your company and should be protected as such. Backups are a vital part of a cyber security strategy as without these, if you experience a breach, your data could be gone for good - and that’s A LOT harder to come back from.
Data copies should be stored away from the original so that if a hacker accesses the original data and encrypts it with malware, for example, they won’t be able to infect the backup as well. The NCSC recommends the Cloud as a good option for backups because this allows your data to be kept separately and restored quickly and efficiently when necessary.
It’s important to regularly check your backups and practice the restoration process so you know you’re prepared for an attack. This is part of your disaster recovery procedure, which every business should give some thought to. We’ll never be 100% protected against attacks, so it’s important to know how you’ll react to an incident and ensure you don’t have to deal with excessive downtime.
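The two points above, keep the copy separate from the original and regularly prove that it restores, can be turned into a small drill that runs on a schedule. The script below is an added example written for this article, not code from the NCSC or any backup product: it archives a directory into a separate location, records a SHA-256 manifest of every file, then restores into a scratch directory and compares hashes. The sample files, the directory names (`live`, `offsite`, `restore-test`) and the function names are constructed for illustration; the "ransomware" step simply overwrites the live files to show that the separate copy is unaffected.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> tuple:
    """Archive every file under `source` into `backup_dir` and record each file's hash.
    The manifest is what later lets a restore test prove the data came back intact."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive, manifest


def restore_and_verify(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Extract the archive into a scratch directory and return a list of problems
    (missing files, hash mismatches). An empty list means the restore is proven."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Extract members one by one and refuse any whose path would land
            # outside the restore directory (classic tar path traversal).
            target = (restore_dir / member.name).resolve()
            if restore_dir.resolve() not in target.parents:
                problems.append(f"{member.name}: unsafe path, skipped")
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
    for rel, expected in manifest.items():
        path = restore_dir / rel
        if not path.is_file():
            problems.append(f"{rel}: missing after restore")
        elif sha256_file(path) != expected:
            problems.append(f"{rel}: hash mismatch after restore")
    return problems


def backup_drill(corrupt_manifest: bool = False) -> list:
    """Run the whole cycle on constructed sample data: back up, simulate the live
    copies being encrypted, then prove the separate copy restores cleanly.
    With corrupt_manifest=True one recorded hash is deliberately wrong, to show
    that the drill really does detect a bad restore rather than always passing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, offsite, scratch = root / "live", root / "offsite", root / "restore-test"
        (live / "contracts").mkdir(parents=True)
        (live / "contracts" / "acme.txt").write_text("constructed sample contract\n")
        (live / "payroll.csv").write_text("name,salary\nconstructed,1\n")

        archive, manifest = make_backup(live, offsite)

        # Simulate ransomware overwriting the live copies; the offsite archive is untouched.
        for path in live.rglob("*"):
            if path.is_file():
                path.write_bytes(b"ENCRYPTED")

        if corrupt_manifest:
            manifest["payroll.csv"] = "0" * 64

        return restore_and_verify(archive, manifest, scratch)


if __name__ == "__main__":
    print("restore problems:", backup_drill() or "none")
```

Scheduling `backup_drill`-style checks (against a real backup location, not the temp directory used here) gives you a regular, recorded answer to the question "would our backups actually bring us back?", which is the part most businesses only discover during an incident.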
Protect against malware
Of course, malware is utilised in lots of cyber attacks to interfere with data and harm your operations. Ransomware has been a particular concern in the last year or so, with around 40% of organisations affected globally. These attacks can be very harmful to businesses affecting devices, networks and entire servers.
Making sure you’ve got sufficient measures in place to protect your business against malware like this is a fundamental not to be ignored.
Malware can enter your systems in lots of ways. For example:
- Social Engineering: a tactic commonly used by hackers, phishing emails may contain links or attachments carrying malware, which if clicked or downloaded can infect your systems
- USB Devices: If you or your employees find a USB lying around, the last thing you should do is plug it into a computer. A compromised USB will immediately wreak havoc on the device.
- Fake Applications: Applications designed by hackers may look trustworthy but in reality, they are harbouring malware ready to be downloaded onto your systems. This is why it is important to only use applications from trusted developers or that have been pre-approved by the business.
- Out of Date software: Software that is no longer supported by the developer is called 'end-of-life'. This means it will not receive important security updates and could be exposing vulnerabilities for hackers to exploit and infect your systems with malware.
- Hacked/Compromised Web Pages: Malware can use vulnerabilities in your web browser to infect your device. Alternatively, a website you visit may be malicious and encourage you to input details and download malware.
Again, many of these threats can be combatted with good cyber training, but it’s also important to install effective anti-virus software and firewalls to protect against harmful material.
Starting with Cyber Essentials
The UK Government’s cyber security standard, Cyber Essentials, is designed specifically to help businesses focus on these basic security fundamentals, outlining 5 key areas:
- Boundary Firewalls and Internet Gateways (ensuring a 'buffer zone' between your device or network and the internet)
- Secure Configuration (secure settings for devices and software e.g. MFA)
- Access Control (managing access e.g. admin permissions)
- Malware Protection
- Patch Management (keeping devices up to date)
Aligning with the standard ensures your business has the essentials (pardon the pun) in place, protecting you against up to 80% of common cyber risks.
If you’re new to the world of cyber security and you find it all quite daunting, it can be a useful way to home in on what really matters and get to a good standard of security without breaking the bank.
Getting an official certification like this also demonstrates to customers, suppliers and partners that your organisation cares about security and data protection. It is also increasingly recognised and required for tenders.
To find out more about the Cyber Essentials scheme and certifying to the standard, head to our website or contact the team at firstname.lastname@example.org
Cyber attacks and breaches are always going to affect businesses; it’s just a matter of how prepared and protected you are when they do. But hopefully this article has shown you that cyber security doesn’t have to be a scary topic, and that many of the best security measures you can implement are incredibly simple but hugely effective.
As a business owner or director, it’s important to inspire a culture of cyber security among your employees, as people will always be your first line of defence. You don’t need to be a security expert, but understanding core concepts and current threats will put you in good stead to better protect your valuable assets and bring your organisation together as you push back against the cybercriminals.