CYBER RISKS ARE BUSINESS RISKS

Every organisation has to make difficult decisions around how much time and money to spend protecting their technology and services; one of the main goals of risk management is to inform and improve these decisions. People have had to deal with dangers throughout history, but it’s only relatively recently that they’ve been able do so in a way that systematically anticipates and aspires to control risk.

Someone should have ownership of the risks arising from your digital world. These should feature on your risk register.

Think about how much you rely on your business-critical data, such as customer details, quotes, orders and payment details. Now imagine how long you would be able to operate without them.

All businesses, regardless of size, should take regular backups of their important data, and make sure that these backups are recent and can be restored. By doing this, you’re ensuring your business can still function following the impact of flood, fire, physical damage or theft. Furthermore, if you have backups of your data that you can quickly recover, you can’t be blackmailed by ransomware attacks.

We know that backing up is not a very interesting thing to do (and there will always be more important tasks that you feel should take priority), but the majority of network or cloud storage solutions now allow you to make backups automatically. Using automated backups not only saves time, but also ensures that you have the latest version of your files should you need them.

Malicious software (also known as ‘Malware’) is software or web content that can harm your organisation. The most well-known form of malware is viruses, which are self-copying programs that infect legitimate software.

A vast amount of malware can be avoided or prevented through simple steps. It is important to add the staff element by educating them about phishing, as a lot of malware arrives by staff clicking on the wrong things.

Another frequent and (in most cases) easily solvable cause of malware successfully infected systems is out of date software. Updating and patching hardware (the technology) and software is a crucial step, often overlooked. Small organisations can usually allow automatic updates on most systems (where available) without too much trouble. Larger organisations need a change management process to ensure updates do not stop functionality and productivity.

All firms need a roadmap for hardware AND software. End of Life for specific software is published WELL in advance, yet we continue to see people using Windows XP (died in 2014), Windows 7 and Windows Server 2008 R2 (both die in January 2020) with resulting malware infections from known vulnerabilities. Windows is far from the only problem – you need a register of ALL software and hardware you use with a record of the update process chosen and expected End of Life. Upgrade well in advance so there are no surprises.

Mobile technology is now an essential part of modern business, with more of our data being stored on tablets and smartphones. What’s more, these devices are now as powerful as traditional computers, and because they often leave the safety of the office (and home), they need even more protection than ‘desktop’ equipment.

There are 5 key steps:

1. Switch on Password protection
2. Make sure lost or stolen devices can be tracked, locked or wiped
3. Keep your device up to date
4. Keep your apps up to date
5. Don’t connect to unknown Wi-Fi Hotspots

Passwords… a persistent problem! Everyone hates them. We all have too many of them. Yet they represent the keys to the kingdom!

Your laptops, computers, tablets and smartphones will contain a lot of your own business-critical data, the personal information of your customers, and also details of the online accounts that you access. It is essential that this data is available to you, but not available to unauthorised users.

Passwords – when implemented correctly – are a free, easy and effective way to prevent unauthorised users accessing your devices. Layered with Two-Factor Authentication (2FA) you make a massive increase to your cyber security.

Importantly – help your staff make good password decisions

• Encourage good personal Cyber Security – they will then bring this into work
• Get them to read our guidance on creating STRONG PASSPHRASES
• Make sure your password policies allow them to create Strong Passphrases as per our guidance
• Stop making them change passwords for the sake of it – this only makes them use rubbish passwords with a number or letter changing each time. Even Microsoft has come round to this and removed the requirement
• Use a Password Manager & 2FA solution

Phishing remains the NUMBER ONE SOURCE of data breaches and the most common route for malware to make it into your company.

In a typical phishing attack, scammers send fake emails to thousands of people, asking for sensitive information (such as bank details), or containing links to bad websites. They might try to trick you into sending money, steal your details to sell on, or they may have political or ideological motives for accessing your organisation’s information.

Phishing emails are getting harder to spot, and some will still get past even the most observant users. Our seeming inability to keep ourselves private online means that the criminals can find out a lot of information about us and about our organisations which they can use to craft targeted phishing attacks – so called SPEAR PHISHING. Legitimate websites such as Hunter.io (which aims to improve marketing leads) have real intentions but can be abused by cyber criminals to build a picture of your organisation.