Cyber-security threats are continually evolving, so it’s important to keep your defences up to date. Experts share their top tips to make your business cyber-safe.
Last updated: 20 Sep 2019
Government statistics show that almost half of UK firms were hit by a cyber breach or attack between 2017 and 2018, with medium-sized firms identifying six attacks a year and small firms one; these incidents cost the average SME up to £8,000 last year. So how can you be safe going forward?
“We need to stop thinking of cyber-crime as purely an IT problem,” says Edward Whittingham, founder of the Business Fraud Prevention Partnership. “We expect to see phishing emails becoming even more convincing and likely to dupe unsuspecting employees.” With this in mind, well-trained employees can form your first line of defence.
What to do: “Train employees to identify and prevent cyber-related incidents,” says Whittingham. “Complement your training with simulated phishing exercises.”
Karla Jobling, MD of cyber-security recruitment business BeecherMadden, says many security issues can be avoided with good-quality policies: “These should include who can access what systems, and having a process in place for when people leave or change jobs. There should also be policies on passwords and staff training on this.”
Remind staff not to leave portable devices unattended, and never open unfamiliar devices such as flash drives. “Malware can easily be spread through infected external hard drives, smartphones and flash drives,” says Thomas Chappelow, head of information security for cloud-computing services provider virtualDCS.
“Staff with tablet and smartphone access should be aware of risks posed by data stored on the devices,” says Harman Singh, co-founder of computer security service Defendza.
What to do: “Ensure the passcode feature is enabled as opposed to the four-digit PIN,” says Singh. “This will increase the difficulty for an attacker attempting to gain access in a stolen device scenario. Latest features such as biometrics-based authentication should be used where possible. Finally, ensure lost or stolen devices can be traced or wiped remotely.”
Have data backups in place so that if there’s an incident, you’re not left without business-critical data.
What to do: “Ensure backups are performed regularly and securely, to a separate drive, network or even location. Strict-access restrictions should be in place for the backup storage location,” says Singh.
The General Data Protection Regulation (GDPR) places increased emphasis on protecting customer data, and companies could face hefty fines if they fail to comply.
What to do: “Be as clear as possible as to what your liabilities are, because you could find yourself in trouble if you use customers’ data without their opt-in permissions,” says Mark Skilton, professor of practice in information systems and management at Warwick Business School.
It’s important to know your data is secure, wherever you store it. “If you’re unable to build a trusting relationship with your provider, they’re probably not who you should be using,” says Stuart Mackintosh, CEO of OpusVL business-management software.
What to do: “When reviewing providers, establish whether they’re directly responsible for the equipment that runs the services or if they’re just a reseller; understanding your services supply chain is key,” says Mackintosh.
“Find out what you should expect if a data loss or systems outage event occurs. Can the provider give you all your data back in a useful format? Ask what the geographic location of your data or services is.
“Of equal importance is the business model of the provider – do they sell your data to cover the cost of providing the service? Pay attention to low-cost offers and special deals. If the provider is transparent, has a physical location and provides someone to talk to, you stand a good chance of being able to make an informed decision.”
“It’s no longer a question of whether you’ll be breached but when,” says Amadeo Pellicce, founder of Warden.co, which uses blockchain technology to detect and contain data breaches. “On average, it takes 191 days before a business realises the personal data of customers or employees has been lost or stolen.”
What to do: “Have a plan for when a breach occurs,” says Pellicce. “Ask yourself, ‘How do I assess the damage?’ ‘How do I report it to the data protection authorities?’”
“Remote work is important for most small businesses, yet this can be jeopardised if teams are not aware of how to stay cyber safe,” says Kirsten Bay, CEO of cyber-security solutions provider Cyber adAPT.
What to do: “Public charging points can harbour threats, so to stop data being accessed covertly, small businesses should encourage employees to carry three-pin socket charging cables,” says Bay. “These are safer than USB cables, as data cannot be transferred through them.
“Also, be wary of open wifi networks. Only connect to a secure or known hotspot. Criminals can set up dangerous wifi networks with misleading names that suggest they are safe – for example, naming them after cafes or airports. Use a virtual private network, which will encrypt data and allow for anonymous or private browsing.”
“Cyber security is more difficult as networks are no longer made up of a limited number of desktop computers, routers and printers, and include everything from intelligent lighting to smart coffee machines,” says Bay. “Networks are now ‘edgeless’, with IT managers having little control over what or who connects to them.”
What to do: “Focus on detecting attacks that have made it inside the network,” says Bay. “By leveraging threat intelligence and monitoring network traffic, detection technology can alert IT managers of suspicious activity before a breach.”
Newer technologies now in everyday business use include social media, the Internet of Things and artificial intelligence – all of which can expose sensitive corporate or personal data, or open your company to attack from insiders.
What to do: “Conduct detailed security-risk assessments on these technologies, including how they integrate with existing systems,” says Jason Nurse, a senior researcher in the Department of Computer Science at the University of Oxford. These assessments should cover both corporately purchased devices and personal devices that have access to corporate data.
“Most SMEs buy antivirus software and think that will do,” says Chris Wallis, founder of security monitoring platform Intruder. “That’s like getting a burglar alarm and not worrying whether you’ve left the back door unlocked. Criminals are becoming adept at bypassing antivirus software.”
What to do: “Invest in a service that finds these weaknesses and helps you fix them before you get hacked,” says Wallis.