How often does your board or management team talk about cyber security?
Yes, we all talk about the attacks on Tesco and TalkTalk or the latest outpourings of “WikiLeaks”. But rarely, in my experience, do SME boards give this topic the time and respect it requires. If hacking is happening to big corporates, then it is certainly going to happen to you.
Attacks these days often take the form of crypto-malware attached to an email and disguised as an invoice or other document. Virus protection products should screen these out, but given the intensity of attacks, even the best filters can be caught out.
An innocent-looking email invoice from a contractor which regularly installed air conditioner units in its outlets cost Target, the USA retailer, $162m! This 2013 cyber attack led to the theft of millions of customers’ credit card details.
The invoice was from a “trusted” regular supplier and so to the accounts payable team everything looked “normal”. They “opened” the invoice attachment, processed the payment and, in so doing, let the malware into their systems...
OK, so your business does not “sell” to consumers and you think your customer data is secure; but is it encrypted? And what training do you give your employees on cyber threats?
Just consider how much data you regularly exchange with your supply chain partners. How secure is that data? What is to stop a hacker gaining access to your systems and sending out a few rogue parts orders, changing details of a specification or re-scheduling delivery of vital inputs?
Business websites and servers are “attacked” two billion times a month. There are more than 200 major cyber attacks a month which, due to their scope, scale and targeting, require the investigative support of GCHQ and the Metropolitan Police cyber crime units. This is not a cottage industry; this is hacking on an industrial scale. How prepared is your business?
Cyber hackers will go after the weakest link, and that link can be anywhere in the supply chain. Your only protection will be a robust policy, a regular audit and making sure everyone in your organisation is cyber savvy.
Government is sufficiently concerned to be spending £1.9bn (National Cyber Security Strategy) over the next five years. That is serious money and should serve as a wake-up call to every business owner.
Cyber security basics:
- make someone on your board or senior management team responsible for cyber security (ideally this should be someone other than your IT leader)
- conduct a review, make cyber security a regular board meeting topic and develop policies and procedures in line with current threat trends
- identify your key data, consider how it is protected and who has access to it
- educate all your employees on cyber security threats and prevention
- conduct regular employee refresher training as you would with HSE, quality, environmental and business conduct regulations
- develop a response plan so everyone knows what to do when an attack is detected
- consider developing a dashboard so everyone knows how well your business is protected
- work to obtain Cyber Essentials certification before your supply chain and customers demand it
Cyber security compliance in the connected world we all inhabit is possibly the most important task facing management teams today.
The reputational damage from a successful attack will almost certainly be more costly to your business than any investment you make to ensure you are protected.
For more information visit The Cyber Highway to get help and advice on cyber security compliance.