Cyber-attacks are on the rise, and unfortunately the lack of awareness in smaller businesses, and the 'it won't happen to me' mindset, mean that they have become an increasingly attractive target for cybercriminals. Given their size, it is unusual to find an SME with access to a dedicated specialist IT team equipped with the skills and experience needed to deal with a complex data breach, which leaves them especially vulnerable. The consequences of this lack of preparation can be severe: reputational damage as well as legal and regulatory liability.
Changes to technology have meant that data is now more valuable. We can use consumer data to fuel complex metrics and analytics, enabling us to know more about our consumers. The more we know about our consumers the more we are able to tailor promotions to them, increase sales and profitability, and subsequently drive the price of data upwards.
Despite the many benefits of using data properly, changes in the way we work mean that in some cases our data could be more exposed than before. Businesses have started to move away from outdated legacy systems and towards cloud services, allowing greater flexibility for employees and offering a more efficient way of storing data. However, many firms are turning to public clouds, where security is a shared responsibility: the provider secures the underlying platform, but the customer remains responsible for configuring storage, permissions and identities correctly, and misconfiguration of those controls is a common cause of data exposure.
There are dedicated products available to help businesses limit the damage of an incident rather than prevent it, such as Disaster Recovery as a Service (DRaaS), which keeps replicated copies of systems and data so that operations can be restored after a breach, a ransomware event or an outage. Demand for these solutions is gaining momentum as firms begin to implement adequate controls, and it has been forecast that DRaaS solutions will account for 90% of disaster recovery operations by 2020.
But what else can businesses do to help prevent and minimise damage, should they become the victim of a cyber-attack?
A successful data breach strategy begins with awareness. Employees need to be aware of the value of data, the increasing reality of cyber-attacks for all firms, and the consequences that can follow. Firms must go beyond box-ticking against standards such as ISO 27001 and create a culture that understands the importance of information security.
Whilst this may seem obvious, there are examples where a lack of employee awareness has had unfortunate consequences. The recent Equifax breach saw the personal information of 143 million US consumers stolen between mid-May and July 2017 and is one of the worst attacks of its kind. This month it was also announced that around 700,000 UK customers may also be affected. However, following the breach, further mistakes were made.
Post-breach, Equifax created a website for customers affected by the data breach which offered information and advice. It was hosted on a newly registered domain separate from the company's main site, which made it trivial to imitate: a security researcher registered a lookalike domain with the same words in a different order and copied the site's look and feel to demonstrate how easily customers could be phished. Not only could such a site dupe Equifax customers, it fooled Equifax's own staff: the company's official support account on social media repeatedly posted the lookalike link, directing thousands of customers towards the wrong page.
This highlights the need for employees to be aware of the wide-ranging forms that hacks can take, from data breaches to phishing and everything else in between. The cyber landscape is constantly changing, and employees need to be up to speed with the latest happenings, knowing what to look out for and how best to deal with these situations. The Equifax example shows that cyber-attacks are not just one attempt to sabotage a firm, but can come in waves that unless adequately prepared for, can be catastrophic.
The regulatory landscape is in constant flux. The high-profile GDPR comes into force on 25 May 2018, and sets out a new set of rules on how businesses store and use the personal data of EU citizens. Firms that don't comply could face fines of up to €20 million (around £17 million) or 4% of annual global turnover, whichever is higher. Additionally, firms have only 72 hours from becoming aware of a personal data breach to notify the regulator, and must inform the affected individuals without undue delay where the breach is likely to put them at high risk.
When preparing for regulation, it is important for organisations to go back to basics: security gaps often come to light as firms get to grips with a new requirement. To work towards full compliance, firms can take a five-step approach: assess, implement, educate, maintain, certify.
Begin by assessing the current situation. What regulation do you currently comply with, and what changes does the new regulation involve? Undertake a risk assessment and analyse the gap between your IT systems and the new governance requirements: what do you need to do to fully comply?
Once you have assessed the situation you need to establish a governance framework and implement IT systems to ensure that you have the infrastructure to cope with regulatory requirements. Raise awareness of new systems by offering awareness training to all staff, highlighting the capabilities of new systems and all governance rules.
Whilst data security is everyone's responsibility, to ensure continued compliance it is recommended that businesses give someone the explicit role of maintaining information security; in some cases this could take the form of appointing an Information Security Manager who monitors regulation and ensures ongoing compliance. Once compliant, organisations can then look to certify themselves against standards such as ISO 27001.
Speed is key when dealing with a data breach: the faster an intrusion is detected and contained, the less data is exposed, and the sooner access to information is restored and normal operations resume.
The statistic cited for this article puts the average time an intruder spends inside a system before detection at 40 days; industry dwell-time reports consistently measure that gap in weeks to months. It goes without saying that the longer someone is in your system the more damage they can cause, so firms need to be quick to realise that they are under threat. To achieve this, all employees need to know what to look out for when detecting a cyber-attack.
Often employees don't know what 'normal' looks like, so should an abnormality occur they may not notice it. To manage risk effectively, employees need an awareness of how systems should appear and the types of change to look out for, which increases the chances of spotting an intrusion quickly.
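The same 'know what normal looks like' principle is what a detection system does mechanically: record a baseline of each user's ordinary behaviour, then flag events that depart from it. The following is an added example, not code from the original article, written in Python over a constructed login log (the users, countries and timestamps are made up). It builds a per-user baseline of sign-in countries and working hours from a historical window, then alerts on later logins from a new country, at an unusual hour, or immediately after a burst of failed attempts:

```python
"""Baseline-and-deviation detection over constructed login records.

Builds a per-user picture of 'normal' (which countries they sign in from, and
at what hours) from a historical window, then flags later events that depart
from it. Every record below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical log used to learn what 'normal' looks like.
# Format: timestamp,user,source_country,result
HISTORY = """\
2017-09-04T08:55:00,alice,GB,success
2017-09-04T17:40:00,alice,GB,success
2017-09-05T09:02:00,alice,GB,success
2017-09-06T08:47:00,alice,GB,success
2017-09-07T09:15:00,alice,GB,success
2017-09-04T07:30:00,bob,GB,success
2017-09-05T07:35:00,bob,DE,success
2017-09-06T07:28:00,bob,GB,success
2017-09-07T07:40:00,bob,DE,success
"""

# Constructed recent log to be checked against the baseline.
RECENT = """\
2017-09-11T09:01:00,alice,GB,success
2017-09-11T03:12:00,alice,RO,failure
2017-09-11T03:12:30,alice,RO,failure
2017-09-11T03:13:00,alice,RO,failure
2017-09-11T03:13:20,alice,RO,success
2017-09-11T07:33:00,bob,DE,success
2017-09-11T20:05:00,bob,GB,success
"""


def parse(text):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "result": result})
    return events


def build_baseline(events):
    """Per user: the countries and hours-of-day seen on successful logins."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        base[e["user"]]["countries"].add(e["country"])
        base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def detect(baseline, events, max_failures=3):
    """Return (user, reason) tuples for events that deviate from the baseline."""
    alerts = []
    streak = defaultdict(int)  # consecutive failed attempts per user
    for e in events:
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e["user"], "no baseline for user"))
            continue
        if e["result"] == "failure":
            streak[e["user"]] += 1
            continue
        # A success right after a run of failures looks like password guessing.
        if streak[e["user"]] >= max_failures:
            alerts.append((e["user"], f"success after {streak[e['user']]} failures"))
        streak[e["user"]] = 0
        if e["country"] not in profile["countries"]:
            alerts.append((e["user"], f"login from new country {e['country']}"))
        # Hour window is simply the min..max hour seen in the baseline.
        lo, hi = min(profile["hours"]), max(profile["hours"])
        if not lo <= e["ts"].hour <= hi:
            alerts.append((e["user"], f"login at unusual hour {e['ts'].hour:02d}"))
    return alerts


def run():
    """Learn the baseline from HISTORY and check RECENT against it."""
    return detect(build_baseline(parse(HISTORY)), parse(RECENT))


if __name__ == "__main__":
    for user, reason in run():
        print(f"ALERT {user}: {reason}")
```

On the constructed data this raises three alerts for alice's 03:13 login from a new country after three failures, and one for bob signing in at 20:05 when his baseline only contains early-morning logins. The hour window is deliberately crude (the min and max hour seen in a week of history), which is exactly the tuning problem real deployments face: too little history makes everything look abnormal, too much lets an attacker's activity become part of 'normal'.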
The backbone of security
The changing approach of hackers means that businesses need to continually revisit their strategies to ensure they have the best approach in place to deal with security breaches, incorporating new trends and ensuring their technology is sophisticated enough to deal with increasing demand. This can be hard for a small business with small budgets and even for large corporations who have vast amounts of data and complicated systems.
Fortunately, security solutions and providers can help businesses reduce the likelihood of future attacks by examining network traffic for known attack patterns, analysing trends and monitoring the methods attackers use. With the right partners acting as the 'backbone' of its security needs, a firm gains continuous monitoring and expert support that lower the chance of a breach and limit the damage should one occur. No partner can guarantee compliance, however; that responsibility stays with the firm.