Barely a week goes by without news of a major cyber-attack being reported, and the stakes have never been higher, it seems.
Data theft has become commonplace; the scale of ransom demands has risen steadily; and cumulatively the environment in which businesses must operate is becoming increasingly hostile.
The threat of a cyberattack has become the unavoidable cost of doing business today in the UK. Firms are being targeted with bogus phone calls and emails by scammers trying to steal money, confidential data or sensitive information.
As firms become increasingly reliant on technology and exploit the internet to grow, they are making themselves vulnerable to malicious cyber-attacks.
At the same time the use of mobile devices and cloud services in the workplace has exacerbated an already high threat level.
The cyber threat applies to firms of all sizes
Firms incorrectly feel that they aren't at risk, thinking that they are too small. But you don't have to be a big organisation like the National Health Service (NHS) to experience a cyber-attack, as hackers target vulnerabilities in operating systems in an automated and indiscriminate way.
Attackers know for example that SMBs (small to medium sized businesses) tend to invest less and have access to fewer resources to secure networks and maintain a robust IT infrastructure.
And the consequences of a cyber-attack can be devastating, disrupting your business, causing considerable financial and reputational pain, and possibly having a direct impact on your customers if their data has also been stolen.
And with the implementation in May 2018 of the GDPR there are potentially regulatory fines – as well as the remedial costs to your IT systems and infrastructure after a breach.
GDPR has obliged larger firms to report incidents because of the risk of very large fines, making them more aware of threats and the need to report incidents in a timely manner.
According to the 2019 Hiscox Cyber Readiness Report, more than three out of five firms (61%) reported an attack in the last year, up from 45% the previous year, and the frequency of attacks has also increased.
Hiscox, a global specialist insurer, reports that the mean figure for losses associated with all cyber incidents among firms reporting attacks has risen from $229,000 last year to $369,000 – an increase of 61%, with medium and large firms bearing a disproportionate amount of the cost.
Nearly two-thirds of firms (65%) have experienced cyber-related issues in their supply chain in the past year.
While larger firms are still the most likely to suffer a cyber-attack, the proportion of small firms (fewer than 50 employees) reporting one or more incidents is up from 33% to 47%. For medium sized firms with between 50 and 249 employees the proportion has leapt from 36% to 63%.
Being aware of the cyber threats is half the battle
According to Hiscox, compromised business email accounts are currently the main cause of cyber insurance claims, followed by ransomware. Meanwhile, the number of cyber incident reports has risen sharply, with more than 60% of firms having reported one or more attacks, up from 45% in 2018.
Among firms that experienced cyber-attacks, the proportion reporting four or more incidents is up from 20% to 30%. Small and medium sized firms are much more likely to have suffered multiple attacks, and on average the proportion of small and medium firms that have had an attack has increased 59%. Bigger firms were more likely to have suffered repeat incidents. More than a fifth (21%) experienced five or more attacks in the year compared with an average of 16% for all respondents.
For companies in every size bracket the cost of incidents has increased significantly at the same time that there has been a sharp rise in the scale of ransom demands.
Security vs. Productivity
The typical security advice given is to make passwords as complex as possible for the multiple applications that we need to log into.
Add to this the fact that more and more of us are working remotely or have jobs where we are on the move, and it means that we sometimes put productivity before security.
From an employee’s perspective it is common to think that the priority is to get the job done: productivity over security.
Research suggests that when security mechanisms create extra work, as employees we favour short cuts, in order to complete the task on time, as the security risk is perceived as low in the office.
One of the most common forms of hacking is stealing your login credentials and taking over your identity to gain access to your business applications or personal information, so we do need to take precautions to protect our online activity and any devices that we are using.
Thieves are continually trying to capture and decrypt our online activities, steal identities and fool us into using fake websites. So, allowing your employees to bring their own devices to work can pose a cybersecurity threat.
More and more businesses are adopting bring your own device (BYOD) technology and policies, which is unsurprising given the benefits it offers, including allowing for more flexible work practices, greater productivity, and savings on IT hardware.
BYOD can also pose risks to a business’s cyber security
All it takes is one unsecure device to compromise a business’s entire network.
When employees bring their own devices to work, it means you have less control over how devices are used in the workplace, how secure they are and whether that device has up-to-date software and protection.
Businesses that allow BYOD need to make sure that they provide a policy on how to use devices in the workplace and inform employees what actions they must take to mitigate any security risks.
A business won’t know who else has access to an employee’s device, such as their family members or friends, and there’s potentially a greater risk of an employee’s device being lost or stolen when they are away from the workplace.
Around two-thirds of charities allow employees to BYOD, as many of the smaller charities work to limited administration budgets and may forgo the expenses of an office, allow flexible working hours or encourage staff to work remotely to save on office overheads.
Allowing a policy of BYOD has made cybersecurity more difficult to manage. There is less opportunity, and fewer best practices are employed, to exert technical control over personal devices.
In addition, whereas the majority of businesses have some level of control on the security of their own devices and regularly back up data securely, most charities do not do these things as a matter of course.
How to protect against a breach
After an attack, businesses normally invest in new security measures against future attacks, add extra staff time to deal with the breach, and find staff pulled away from day-to-day work to carry out remedial activities.
Operating BYOD securely means businesses need to educate their staff about secure online behaviours to mitigate the risks of a malicious attack.
Cyber security behaviours that help to protect business and personal devices, advised by the National Cyber Security Centre (NCSC), include:
- Use a strong, unique password for your email account - and never use the same password for multiple applications.
- Advise staff on strong password hygiene.
- Always back up your most important data.
- Safeguard your business’s most important data by backing it up to an external hard drive or a cloud-based storage system.
- If an employee’s device is infected by a virus or accessed by a hacker, your data may be damaged, deleted or held to ransom by ransomware, which means you won’t be able to access it.
- Secure your tablet or smartphone with a screen lock.
- Make sure to download the latest software and app updates on all devices used for work – whether it’s a work mobile or a home computer.
- If there has been an incident, react quickly, and have a specific plan in place to adopt in this situation.
There is no doubt that BYOD has transformed the world of work, in many cases for the better, but there are risks.
Look after your phone as well
We worry a lot about how vulnerable our computers are, but our smartphones are potentially even more so.
If you think about it, you have them on you at all times, they’re almost always turned on and logged in, they typically have apps on them that give access to personal information, and we do have a habit of leaving them lying around.
It may be worthwhile opting to use FaceID or FingerprintID to access your phone, which is always much better than a password.
Your organisation could be being breached right now and you might not even be aware.
With the Worktools Tool Secure Plan we've put together a plan around cybersecurity to protect your business from cyber threats ranging from viruses to employee data theft. Let us help you look after your data, your reputation and legal compliance.