Defending your business against a cyber attack.William Hadley
Almost half of UK businesses has suffered some sort of online attack in the last twelve months according to official government figures. It’s an increasing problem which business owners, whatever their size, need to address to defend against a cyber attack.
The WannaCry ransomware attack, which infected over 230,000 computers including many in the NHS, reached 150 different countries and is just the latest in a number of online assaults which could cripple an organisation within minutes. As businesses, big and small, become more reliant on technology to run the business, increase efficiency and manage finances our dependency has shifted from the people we employ to a box in the corner or a place in the cloud.
Criminal activity is not limited to a man in a mask climbing in through a badly secured window and making off with whatever he can carry in a bag marked “swag”. Today’s felon is as likely to wear a shirt and tie as he goes to an office carrying a briefcase. Their assault on your organisation will be done in broad daylight, it will be silent and will be potentially catastrophic.
How bad can it be? Well according to the government’s own survey, 1523 businesses in the UK disclosed the cost of an attack and on average a micro or small business will spend £1,380 recovering, a medium size company will have lost revenue or additional costs of £3,70 and a large business suffers to the tune of £19,600 each time someone takes a pop at their system.
It doesn’t stop there. You may be privy to sensitive information from or about your clients. In the twenty-first century information is money – or as good as. Consequently we have a responsibility to ensure the information hold is not compromised. A supplier may have a direct IT link to the system of their larger clients giving the criminal a back door into a bigger system. By copying identity information bogus requests for payment which look genuine are easily created.
Cyber defence is often put off until another day, “it’s not been a problem so far so why do I need to worry about it today”. This attitude of complacency is what the criminals are counting on. Their own systems have become more sophisticated so it is more cost effective to focus on smaller organisations or large numbers of low value targets. Ransomware or simply denial of access programs are used to extort payments before making your computer available to you again.
How can we make our systems more secure?
- Start from a position of wariness. Any electronic communication could be a fake so if anything doesn’t look right check it out before you open the email. You can do this by phoning the sender and asking if they have really send an email to you.
- If you receive new bank details to make payments to, you should always phone on a number you know, not the one on the email as it might not be the person you think on the other end, and confirm the change of details.
- Do not open an attachment unless you know it is genuine.
- Back up your data, it’s pretty obvious but surprising how many people don’t do it. Ransomeware is much less effective if you have good regular backups to go to.
- Regularly change your passwords. Another obvious point I know but you will be supprised how many people use the same password for everything or even use “password” as the password.
- Good physical security is as important as good online security. A computer can be removed from the premises so the hacker has all the time in the world to harvest its information.
- Have a plan for what you would do if effected by ransomware or a denial of service attack. Keep physical contact information for key staff members or service providers so you can at least find the number of your technical support organisation. Test and adapt your plan, then test it again.
- Insurance. Many insurance companies offer cyber insurance as an extension of an existing policy or as a standalone policy.
- If you get a system update or patch make sure it is installed. The WannaCry ransomware attach was only so effective because they systems had not been kept up to date. Its effect could have been significantly reduced.
It is not possible to tell if, or when, you will be targeted but most businesses, regardless of their size, and many individuals will fall victim to cyber-crime at one time or another. The best you can do is be prepared and ensure your system of backups and security mean that it will have the minimum disruptive effect.