The Business Exchange Swindon & Wiltshire Edition 30: April/May 2017 | Page 12

CYBER SECURITY: IS YOUR BUSINESS PREPARED?

Cyber security is becoming a dominant theme of 2017 with all technology at risk of being undermined by data theft, fraud and other cyber threats.
Only days into the year the BBC ran a feature asking, ‘Could a bank go under following a major theft in 2017?’, setting the tone for the increased threat as professional criminals become more sophisticated in their approach.
February saw the opening of the UK’s National Cyber Security Centre (NCSC), demonstrating the importance of protecting our country’s critical national infrastructure and economic well-being, as well as individuals.
The Business Exchange recently held a Cyber Roundtable in partnership with Thrings solicitors, Lockton insurance and CIS IT at Desk Cowork in Swindon. 15 business leaders from across Wiltshire attended the discussion, which looked at common cyber threats to business and what firms can do to help protect their company and its assets.
The Panel
• Alastair Govier, Commercial Partner, Thrings. Specialising in cyber, Alastair works across the South West and the UK, advising and supporting businesses on issues such as risk management, data issues and disputes.
• Ian Saxelby, Assistant Vice President, Lockton Companies LLP. Ian works for international insurance firm Lockton insurance. One of their specialisms is cyber security and Ian works with clients across the South West corridor advising them on risk and protection.
• Richard Marsh, CEO, CIS. Richard heads up the firm which is committed to providing security solutions that maintain ultra-secure standards for business.
Hot topics of discussion:
The damage a cyber-attack can cause a business
• Financial loss
• Reputational damage
• Fines through data loss
• Disruption of business continuity
With fraudsters becoming more sophisticated in their approach, small businesses need to be aware of the risks and implications of an attack. There are multiple ways in which your business could be at risk. These include:
• Ransomware (A type of malicious software designed to encrypt and deny access to your data, until a sum of money is paid)
• Malware (Software that is specifically designed to disrupt, damage or gain unauthorised access to a computer system)
• Email spoofing (The forgery of an email header so that the message appears to have originated from somewhere other than the actual source)
• Phishing (The fraudulent practice of sending emails purporting to be from reputable sources in order to induce individuals to reveal personal information, such as passwords and credit card numbers, or click on malicious links to attachments)
• Evil twin (A fraudulent Wi-Fi access point that appears to be legitimate, set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam)
Ransomware & Malware – The threat
Anyone with an internet connection is vulnerable to an attack. These attacks are happening every day against your network, but you won’t know they are occurring. It’s a case of are you protected or not?
“Smaller companies don’t think they’re a target, they think why would they target me? I’m only a small firm with 25 employees. It’s not people the other end, it’s bots. They scan for everything they can within seconds and as soon as they find a way that’s it.”
“We’ve seen in the last few months, two or three companies attacked by ransomware that encrypts anything useful on a server and leaves you with a note file on how to pay the ransom.
“In a particularly malicious case, a client was left with a note saying, ‘We’ve taken your Sage file and we’re going to share it with your competitors’.” Richard Marsh
“I’ve seen a small accountant set down for three days with ransomware, demanding a number of bitcoins (crypto currency) in return for release of their data. Small businesses are incredibly wrong, if they don’t see that they can become a target. Any firm that has a URL is open to a threat.” Ian Saxelby
Email spoofing and phishing
Thousands of spoofed emails are received every day that look like they come from a legitimate sender. They might be requesting you to pay an invoice or to fill out a form, but each has the same agenda: to steal something from you, be it your data or access to your system.
“We had a case where a finance director received an email from the MD asking him to pay an invoice. At the start of the email it said, “hope you’re having a good day.” The FD had spoken to the MD in the morning and smelled a rat. With this he checked and the email was a fake. By being vigilant the firm saved thousands of pounds.” Alastair Govier
“Educating staff on clicking and downloading documents from unsolicited emails is key.” Richard Marsh
People
Training staff on cyber threats should be a top priority for any business, advising them on what to look out for and on best practice.
“Employees are the biggest weakness in any business with regard to security. If you spend £100,000 installing a firewall, great. But what stops a member of staff from clicking on a link on a website and that’s it, they’re in.
“CIS perform many checks to secure your business. One way is calling up and pretending to be IT support. We ask people to go to a website for example and fill in some details. Another check is we’ll randomly leave USB sticks in receptions, car parks etc. The number of USBs that are picked up and put in a computer straight away is ridiculous. As soon as a person’s involved, that’s it. There are huge risks.” Richard Marsh
“The cleaner finding a Post-it note with a password on it, stuck to a screen is a classic.” Alastair Govier
Evil Twin
Being aware that fraudulent Wi-Fi points are out there is key. If you are working with sensitive data or financial information and must use a public Wi-Fi hotspot, take action to ensure you’re connecting to the legitimate access point.
“Remotely accessing data, there’s always a risk. Our advice would be to password encrypt your data, so that if it does fall into the wrong hands, it can’t be opened easily.” Richard Marsh
Protecting your business
Conducting a risk assessment is the first step to take when creating a cyber security plan. Look at what really matters to you, what are the risk areas? What’s business critical? And what support can you get from subject matter experts?
Creating a response plan is important too, detailing what to do if something happens. How will you communicate with customers and suppliers if a data breach occurs?
“There are regulatory and legal implications surrounding any data breach. Businesses can get fined up to £500,000 if found in breach of the Data Protection Act, but the fines are increasing up to 4% of your global revenue or a maximum of 20 billion Euros.
“A director’s personal liability is also called into question for breach of duty. You’re not safe no matter the size of your business and you are more likely to be exposed if handling personal data. It primarily comes down to what protections you’ve put in place.” Alastair Govier
“Traditional professional indemnity insurance doesn’t cover cyber threat. As this is a new market, underwriters want to gain market share, so cyber policies are relatively cheap at the moment.” Ian Saxelby
Reputation
The YouGov polls commissioned by the ICO to mark European Data Protection Day showed that 20% of people would definitely stop using a company’s services after hearing news of a data breach, while 57% would consider stopping.
With this in mind, why would you not invest in ensuring your company is properly protected? After all, prevention is better and far cheaper than cure.
If you have a question for one of our experts following this article, please email: press@tbeswindonandwilts.co.uk