Feature

The cyber threat for growing businesses

13 September 2016 | By Oliver Franklin-Wallis

Firms can no longer afford to ignore the risk of cyber attacks, but what steps can they take to secure a competitive advantage?

If your business hasn’t been hacked already, it’s probably only a matter of time. 90 per cent of large UK companies reported a data breach in 2015, according to the government’s Security Breaches Survey, with 75 per cent of small and medium-sized businesses compromised.

From Sony to TalkTalk, JP Morgan to eBay, no brand is too big to avoid the threat. But neither are they too small, as the rise of small ransomware attacks – in which companies’ own files are encrypted and held hostage – are increasingly targeting small businesses.

And while the Department for Business, Innovation and Skills has put the average cost of cyber attacks for big businesses at £1.46m, up from £600,000 in 2014, it’s more than doubled to £310,800 for SMEs.

But it’s not all downside. According to a recent Cisco report, although 71 per cent of executives claim that cyber risks impeded innovation, 31 per cent saw the primary purpose of cybersecurity as enabling growth and 44 per cent considered it a source of competitive advantage – rather than as a cost of doing business.

Many smaller businesses are also being encouraged to adopt formal risk standards and processes by the larger businesses they supply – Cisco’s 2015 Security Capabilities Benchmark Study found the number had risen from 45 per cent to 65 per cent in just one year.

There's an advantage in thinking about security in terms of how it can help the business

In this context, Andrew Rogoyski vice president of cyber security services at CGI UK, says information security is no longer being seen as a “grudge buy” – getting it right can reassure customers, and protect your company’s reputation.

“There’s an advantage in thinking about security in terms of how it can help the business, especially if you want a secure supply chain and you want to attract great talent,” he adds.

Security, then, is a selling point. But, with the market for cyber security solutions exploding, and hacks increasing in frequency and complexity every week, it can be hard to navigate the right course of action. So Business Voice consulted the experts for their essential tips for keeping your company secure.

1. Security starts at the top

Cyber security isn’t the responsibility of an IT department tucked away in a basement office. With so much of business now conducted online – from engaging with customers to working and storing information in the cloud – security goes to the very top.

“In order for strategic decisions to be properly made, everyone needs to understand the problems and their associated risks,” says Scott Millis, chief technology officer at real-time security firm CyberadAPT. “The weak link is always going to be the uneducated layer – typically the board.”

They need to be able to tell the emperor he has no clothes

“It’s very clear that security is most successful if it has a seat at the C-Suite level,” agrees Rick Orloff, chief security officer (CSO) at Code42. A CSO should report directly to the chief executive, chief operating officer, or chief counsel. “They need to be able to tell the emperor he has no clothes.”

2.Identify your crown jewels

“The working assumption now is you can’t protect yourself from being penetrated,” says Steve Rumble, technology risk assurance lead at global accountancy firm BDO. “The scenario now is: how do you protect your crown jewels? Once you know where you’re vulnerable, you can make the key business decisions.”

“You need to understand what’s vital to your business,” says Rogoyski. For an e-commerce business that could be credit card information; for an engineering or defence contractor, that might be design information vulnerable to espionage or ransomware attacks.

Alongside current bids or sales prospects, it could also be more mundane elements, such as log-ins, or customer information that may fall under the Data Protection Act or Payment Card Industry (PCI) regulations, and incur legal penalties.

3. Every business decision is a security risk

Two uncomfortable facts underscore the importance of security in 2016. Firstly, hackers’ methods are becoming more sophisticated. Secondly, companies are increasingly exposed to more and more entry points, from their own mobile apps to the plethora of services now used day-to-day in many workplaces.

Attackers are looking for the weakest link

“If you start opening up mobile platforms and apps, you need to understand all the ways that increases your risk,” says Rumble.

The right strategy “depends on the type of adversaries you’re dealing with,” says Andy Pearch, head of information assurance at CORVID. “If you’re in finance, you may get the big cyber gangs coming after you.” Others may be vulnerable to state-sponsored attacks.

Knowing your risk exposure as you launch new products is essential.

“Attackers are looking for the weakest link within a company. They won’t use sophisticated malware if they can do it easily,” says Michael Marriott, a research analyst at security startup Digital Shadows. “Companies have to keep up to date with emerging threats, but also be aware of existing threats.”

4. Treat new partners as you would treat yourself

Cybersecurity threats can come from anywhere. But with so many companies connected, treat each new partner as a potential risk – particularly when integrating new technology solutions. From sales software to cloud storage – as seen in the recent Dropbox hack – third-party solutions can leave important data vulnerable.

“I come across companies that are always adopting the latest thing. You can get tied in knots by being too fashionable,” says Rogoyski. “Look for history and well-established brands. Service providers should have statements about how they’re approaching security.”

Look for companies with ISO 27001 and ISA or IASME certifications. Do you want to let employees use their own devices? What about social media? Have policies in place. “You have to take a proper risk assessment of the risks versus the benefits,” he adds.

5. Build a culture of preparedness

Sitting through dull corporate training exercises – interminable slideshows about password strength – may be dull, but a security culture is the most important line of defence. After all, the weakest part of an organisation’s structure is most often its people.

“Building in awareness and training for all employees can have a massive impact,” says Marriott. “[Employees] should be encouraged to report things even if there’s only a slight risk.”

Run tests. Reward the people doing it well

Train employees on the basics: be wary of attachments and links in emails; use a secure password manager; avoid unsecure websites. Beyond that, run regular practice scenarios.

“What you need to start thinking about is socially engineered attacks in a safe way,” says BDO’s Rumble. This will allow the company to experience the severity of a breach, and create a solid step-by-step action plan – identifying key processes, who needs to be informed, and ensuring constant (ideally real-time) back-ups.

“Run tests. Reward the people doing it well,” says Pearch. However, don’t be too harsh if employees fall short – the responsibility should fall on systems, not individuals. “User training is user blaming.”

6. Detection is as important as protection

In the past, cyber security was synonymous with defence – anti-virus software and firewalls. With many threats now a case of not if but when, detection is vital. But many attacks go undetected for months. According to Cisco, the industry averages 100 to 200 days to detect a breach. For some of the biggest corporate attacks, that rises to 281, says Orloff.

Modern security solutions use sophisticated techniques to detect breaches in real time, so companies can quickly move on to analysing the sophistication of the attacker.

“The critical part is knowing exactly what the impact to your business is going to be as the compromise occurs,” says Pearch.

7. Respond quickly

“It’s a war scenario: have a first hour plan, a first day, a first week,” says Rumble.

The type of breach will dictate the response – your business should have a strategy in place for every eventuality. A robust response will move swiftly from identification to damage limitation.

It's a war scenario: have a first hour plan, a first day, a first week

“The first thing is containment,” says Orloff. “You need to go into recovery.”

This can take an average of 10 weeks, according to Cisco, which can lead to a significant loss of productivity, but real-time backup solutions will limit downtime. If log-in details are stolen, that can have a knock-on effect as many people use their corporate identity for other services. Once the response is underway, the first important step is informing key stakeholders – which may be insurers, your customer base, or regulators.

8. Learn and adapt

In today’s security environment, undergoing an attack is nothing to be ashamed of. But not responding correctly? That can put your firm’s reputation – and finances – at further risk.

“One of the common things that happens when you get a breach is successive breaches, because you’re been exposed as vulnerable,” says Rogoyski. Updating the company’s security strategy and training methods regularly could be the difference between being a target and having a competitive edge – particularly as hackers are always developing new methods in response to new technologies. Ransomware, for example, is a response to the rise in cryptocurrencies.

“Usually when [attack] sophistication changes, it is an exponential change,” says Orloff. The utmost thing to remember: be prepared. This industry moves faster than anything else – nothing is riskier than getting left behind.

For more advice on cyber security, follow the CBI's Cyber Security Conference on Twitter @CBIBizVoice

Next post: A director's obligations

Previous post: Working forward