Is my organisation secure? It is a pivotal question that all leaders consider in the interest of their company. The natural reaction is to think immediately of physical security: sufficient alarms and CCTV systems in place; any valuables held on site kept in a locked safe; video entry phone systems installed to protect the interests of your employees. But what about the risks that often go unidentified until a major incident occurs? Could your team be jeopardising your organisation internally without realising?
I’m talking, of course, about the dangers of a cyber-attack. While every business is aware that this is a potential threat, the common approach is that it is “highly unlikely to occur”, and therefore investment in this area is not considered a priority. Alternatively, you may have had your IT systems monitored and received a certification several years ago, and they have been running smoothly since, so why bother?
Let’s look at the statistics for a moment. According to the Cyber Security Report 2018 by Gov.UK:
- Virtually all UK businesses (98%) and charities (93%) represented in the survey rely on some form of digital communication or services, such as staff email addresses, websites, online banking and the ability for customers to shop online. Charities face further risk with online donations.
- Over four in ten businesses (43%) and two in ten charities (19%) have experienced cyber security breaches or attacks in the last 12 months. This rises to seven in ten (72%) among large businesses and a similar proportion (73%) among the largest charities.
- Under three in ten businesses (27%), and two in ten charities (21%) have a formal cyber security policy or policies.
Cyber criminals are getting wise to newer emerging technologies and are currently on the FBI’s most wanted list, and it is estimated that by 2020 the average cost of a data breach will exceed $150 million [1]. At its most basic level, the goal of a cyberattack is to steal and exploit sensitive customer, employee and financial data, ultimately toying with some of an organisation’s most crucial components.
Now, I’m not suggesting you should close all forms of digital communication or suspect all your employees of malicious behaviour. The first stage of protecting your organisation is awareness of the different potential threats to your IT system, and then delving deeper into ways to prevent such an unprecedented attack.
It should be noted that being cyber aware and taking precautions goes further than creating strong passwords. Naturally you do not want to be one of the million users who fall into the yearly published top worst passwords [2], but it is important to remember that preventative methods include regular employee training and software/system updates. Ongoing cybersecurity training is beneficial to the business as a whole and not just the IT department. This is because even with the greatest people and technology in place, the weakest link in your organisation, when it comes to security, is often your own employees.
Look around your desk. How many Post-it Notes do you see, printed emails or company records? Now, of those, how many have account numbers, passwords, or other confidential data written on them? If it’s only one, that’s one too many. Your office may seem like the last place for a data breach to happen, but cyberthieves do their dastardly deeds in the physical world as well as online. Like I said earlier, you can’t go around suspecting your company’s greatest assets as potential criminals, but due diligence goes a long way in saving your organisation from attack.
With remote working revolutionising the way companies operate, understanding how online scamming (i.e. phishing) works, deploying mobile device management and installing anti-virus all fall into the category of what you can do internally to protect yourselves. When employees feel empowered through training to act with confidence, and are fully aware of any risks, they’ll be less likely to make the human errors that could cause a devastating breach.
This will also free up your IT department, so they are able to deal with more complex tasks and more serious potential breaches.
The simplest ways of prevention are often the most effective. Companies struggle with outdated technology or pay a fortune in attempts to keep it running at the same pace as the organisation is evolving. No one can forget the WannaCry ransomware attack that took place in May 2017, affecting the NHS among other major companies around the globe. Organisations that had not installed Microsoft's security update from April 2017 were affected by the attack. Although it was not directly aimed at the NHS, it highlighted vulnerabilities within the NHS and a need to improve discipline and accountability around cyber security at senior leadership and Board level. Companies such as Microsoft and Apple spend time developing and releasing software updates for a reason; they are constantly fixing potential security holes which, if ignored, could cost you both financially and reputationally.
The truth of the matter is that no organisation can be completely immune from an attack, and there is no room for complacency. You wouldn’t leave your car unlocked just because it didn’t get stolen the first time you left it in a car park, so why take a risk that could potentially lead to an irremediable event? Priorities and choices are in the hands of the organisation; be sure to make the right one.