Poor cyber security may harm your company’s reputation, lose you customers and result in huge fines.
The sheer volume of cyber attacks is dramatically increasing. According to recent figures, 46pc of companies suffered a cyber attack or breach on their computer systems last year.
In 2015, this figure was just 24pc, according to official figures from the Department for Culture, Media and Sport.
It’s apparent from these numbers that every company has to take cyber security extremely seriously and do everything it can to prevent attacks and the loss of data.
In particular, when the General Data Protection Regulation (GDPR) becomes law in May 2018, there’s a strong financial reason to ensure protection is up-to-scratch: any company that suffers a data breach can be fined up to €20m (£17.7m) or 4pc of worldwide turnover, whichever is greatest.
Even without such financial penalties, companies that suffer significant data losses can suffer in the eyes of their customers, causing a loss of business. But every business can take simple steps to protect its day-to-date business processes, reducing the threat of attack and preserving company data.
In many cases, your employees can be the weakest link. According to Ponemon Institute’s Data Breach Resolution survey, 55pc of businesses suffered a data breach or security incident in 2016 due to malicious or negligent employees.
It’s clear that employees should be properly versed on cyber security, including simple points such as not divulging passwords or login details.
General awareness of email phishing threats and safe internet usage should be drilled into every employee; and all employees should be made aware of the importance of reporting all potential breaches or lapses in security.
Then, employees should be taught to use their business devices and systems appropriately. It goes without saying that every device should be protected using up-to-date and reliable security software, to block attacks; but you should also make VPNs (virtual private networks) mandatory for users on mobile devices.
Using VPN software, you can ensure that your users always have a secure connection, no matter whether they’re at home or using a free Wi-Fi hotspot.
Each employee and third-party partner should have access only to the minimum amount of data that is required to do their job. That way, if they’re responsible for a breach, you’ve automatically limited the damage. Regularly review levels of access, restricting any areas of over-sharing.
Even once access levels have been considered, you should take measures to encrypt all your business data, whether it’s stored in a database, on a laptop, or on a mobile phone. That way, if data is stolen, it is unreadable to the cyber criminals.
Two-factor authentication adds a secondary level of protection to logins and, in some cases, transactions. Using this technology, users are required to enter a password and one-time code, which can be generated by an app, physical device or sent via SMS. Should a user’s password be stolen, the thieves can’t log into your systems.
Should any employee leave your company, you also need to have a robust policy that deals with this. Former employees should have all access to your company cut off immediately, and all logins should be disabled.
Any device that can leave your company should have remote tracking and wipe enabled. Should a device get stolen, your business can track its location and, should the threat be deemed high enough, remotely wipe all sensitive data.
As the recent NHS ransomware attack showed, it’s relatively easy for a business to get hit and lose important documents. You should never pay the ransom, as there’s no guarantee your files will be unlocked.
You should take measures to encrypt all your business data, whether it’s stored in a database, on a laptop, or a mobile phone
Instead, a robust back-up mechanism will let you restore any data in the event of an attack (or device loss, for that matter) once you’ve cleaned the infection.
And finally, know the art of a good password. Passwords should be long and consist of uppercase and lowercase letters, as well as numbers and symbols. However, there’s a danger that employees can get confused with hard-to-remember passwords and resort to writing them down on a bit of paper.
Helping users come up with simple techniques can help; users could use a passphrase, using capital letters for each word and replacing the first possible letter with a number. For example, “MyD0gLovesSausages!” is secure, but easy to remember.
Alternatively, a password manager, such as LastPass can remember secure passwords for your users automatically.