Did you know that 75% of all UK businesses have suffered at least one cyber attack in the past 12 months? It's a shocking statistic, and one that puts the severity of the cyber security problem into perspective. Online criminals pose a persistent threat, and the sobering truth is that for the 25% lucky enough not to have experienced an attack yet, it's only a matter of time before they do.
We hear about cyber attacks and the impact they cause on an almost daily basis. Just earlier this month, the payday loan firm Wonga suffered a serious data breach as a result of a cyber attack which saw the confidential data of around 245,000 customers compromised. According to experts, it was one of the most significant data breaches in the UK that involved financial information.
Although it may seem that businesses are helpless against a cyber attack that could strike at any moment, there are measures they can take to minimise the impact of an incident from both an operational and a financial perspective.
Firstly, businesses must accept that the role of IT is changing, and that cyber security needs to be the responsibility of the entire organisation, driven from the top down. This isn't just a matter of allocating additional budget, either; it means approaching cyber security proactively, which includes not only employee awareness but also educating users about data ownership and their responsibilities for the data they handle.
Secondly, businesses should devise a cyber security strategy that allows them to prepare for and effectively deal with a cyber attack, and consequently mitigate the risks. Historically, most cyber attacks begin with simple human error, whether that is unknowingly clicking on a malicious link, entering information into a counterfeit website or using unapproved software, so user awareness (making sure all staff know the different types of attack and how to spot them) should be one of the primary focuses of any cyber security strategy. Beyond that, the specifics of a strategy will very likely differ from one organisation to the next, depending on the size and nature of the business and the various assets it holds.
Regardless of the plans and policies businesses already have in place, they can always benefit from using an industry-recognised framework when assessing their own state of 'cyber readiness'. Cyber Essentials and Cyber Essentials Plus (the independently audited version) are a simple but effective way of doing this. Cyber Essentials is a government-backed scheme that addresses around 80% of common cyber threats, radically improving the security defences of any business.
By becoming Cyber Essentials or Cyber Essentials Plus certified, businesses demonstrate to suppliers, partners and customers that they take cyber threats seriously and have prepared themselves accordingly. Plus, with 80% of threats already addressed through these frameworks, businesses are well positioned to tackle the remaining 20% with the advice and expertise of an IT or cloud service provider.
As well as Cyber Essentials, businesses might want to consider attaining ISO27001 certification. For small businesses in the supply chain of a larger company that expects them to be aligned to ISO27001, completing full ISO27001 certification may not be cost effective. For these businesses there is a cost-effective alternative information security certification: the IASME Governance standard. This standard was developed over several years during a Technology Strategy Board funded project and offers an affordable alternative to ISO27001, the international standard that many larger companies aspire to achieve. To achieve the IASME Governance standard, businesses must undergo an assessment against all of the ISO27001 Operational Control categories as well as a Cyber Essentials assessment.
Plus, as of March 1, 2017, the IASME Governance standard also includes a separate assessment that takes into account the imminent introduction of the General Data Protection Regulation (GDPR). This regulation is designed to standardise the procedures that must be carried out to protect against cyber attacks, and all businesses must adhere to it from May 2018 onwards. Under the GDPR, any business that fails to comply faces significant fines of up to €10 million or 2% of annual global turnover, while those that suffer a data breach face an even harsher penalty, with potential fines of €20 million or 4% of annual global turnover, whichever is greater.
By successfully completing the IASME Governance standard scheme, businesses of all sizes can ensure that they meet every requirement outlined in the GDPR, and can operate confidently without living in fear of being fined.
There's no doubting the irreparable damage that can be suffered at the hands of cyber criminals, but it is also well within the power of businesses to protect themselves adequately through cyber security strategies and best-practice frameworks.