Cyber security: how safe is your business?

Posted on: May 27th, 2015

Maintaining cyber security is an issue for most businesses, and the recent high-profile attacks have been a reminder of the importance of keeping up to date on how best to protect your business. You may be familiar with the attacks on Sony Pictures and France’s TV5Monde television channel, but attacks of this kind can happen to any organisation, and the consequences can be significant if the necessary protective measures are not in place.

Earlier this year the Information Commissioner’s Office (ICO) fined Staysure.co.uk Limited, a specialist online travel insurer, £175,000 after IT security failings let attackers access its customer records. The attackers exploited a known vulnerability in the software running the Staysure website’s server, for which a security update was available but had not been applied. They injected a malicious web page into the site, which allowed them to remotely view and modify the website’s source code and to reach the database holding its customer data. At the time of the attack the database contained approximately three million customer records, including names, dates of birth, email addresses, postal addresses, phone numbers, payment card numbers, card expiry dates, card CVV numbers and answers to medical questionnaires. The card security codes should not have been retained at all: payment card industry rules prohibit storing them once a transaction has been authorised, so part of the exposure came from keeping data the business had no need to hold.

Staysure were fined because they had failed to take appropriate technical measures against the unauthorised or unlawful processing, or accidental loss, of personal data: in particular, they had no adequate policies or systems in place for checking, reviewing and applying available software security updates.
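The injected page in the Staysure case is exactly the kind of change that a file-integrity baseline of the web root would have flagged. Below is an added example of such a check written for this page; it is not code from the original article or from the ICO’s notice, and the directory layout, file names and the “attacker” edits in demo() are constructed for illustration. A hash of every deployed file is recorded at release time, the live directory is compared against that record afterwards, and any unexpected server-side script is ranked as the most serious finding.

```python
"""Baseline-and-compare check for a web root.

Added example, not code from the original article or the ICO notice. It
assumes a deployment directory whose legitimate contents are known at
release time, and flags any file that appears, changes or disappears
afterwards, which is how an injected page like the one in the Staysure
case would surface. All paths and file names below are constructed.
"""
import hashlib
import os
import tempfile

# Extensions that execute server-side; an unexpected one is the highest-priority finding.
SERVER_SIDE_EXTENSIONS = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".cgi", ".pl", ".py"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root):
    """Map of relative path -> SHA-256 for every file under web_root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_to_baseline(web_root, baseline):
    """Return sorted findings as (severity, kind, relative_path) tuples."""
    current = build_baseline(web_root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            kind = "added"
        elif baseline[rel] != digest:
            kind = "modified"
        else:
            continue
        extension = os.path.splitext(rel)[1].lower()
        severity = "high" if extension in SERVER_SIDE_EXTENSIONS else "medium"
        findings.append((severity, kind, rel))
    for rel in baseline:
        if rel not in current:
            findings.append(("low", "removed", rel))
    return sorted(findings)


def demo():
    """Deploy a constructed site, baseline it, then simulate an attacker's edits."""
    with tempfile.TemporaryDirectory() as web_root:
        os.makedirs(os.path.join(web_root, "quote"))
        with open(os.path.join(web_root, "index.jsp"), "w") as handle:
            handle.write("<html>Welcome</html>\n")
        with open(os.path.join(web_root, "quote", "form.jsp"), "w") as handle:
            handle.write("<form>...</form>\n")
        baseline = build_baseline(web_root)

        # Constructed attacker activity: a new server-side page with an innocuous
        # name, and an existing page tampered with. The content is a placeholder.
        with open(os.path.join(web_root, "quote", "status.jsp"), "w") as handle:
            handle.write("<% /* constructed placeholder for an injected page */ %>\n")
        with open(os.path.join(web_root, "index.jsp"), "a") as handle:
            handle.write("<!-- constructed tamper -->\n")

        return compare_to_baseline(web_root, baseline)


if __name__ == "__main__":
    for severity, kind, rel in demo():
        print(f"{severity:6} {kind:8} {rel}")
```

Run as a script it reports the added status.jsp and the modified index.jsp, both as high severity. In practice the baseline is written at deployment time and the comparison scheduled, and both the baseline and the script are kept off the web server: an attacker who can write a page to the site can also edit a baseline file stored on the same host.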

What is a cyber attack?

A cyber attack is an assault by a third party, carried out via a computer, against another computer or computer system, intended to compromise the confidentiality, integrity or availability of that system or the data it holds.

What do you need to consider?

Firstly you should identify the key assets in your business that need to be protected from a potential cyber attack. These could be, for example, customer databases, financial information, IT services (such as the ability to take payments via the company website), intellectual property (such as product designs or manufacturing processes), IT equipment and sensitive personal data.

Next you need to consider the impact that a cyber attack could have on the business:

Financial loss from:

  • theft of information, bank details or money
  • disruption to trading (especially if the business undertakes a lot of online transactions)
  • costs associated with cleaning up affected systems and getting them functioning again

Reputational damage

If your business has been, or is, the victim of a cyber attack it may suffer damage to its reputation. Customers may be less inclined to deal with a company that has had a breach, either because they are concerned about entrusting their data to it or because it raises doubts about the reliability of the company generally. You should be quick to tell your customers, owners, employees and the general public what has happened and what you are doing about it, but only state that the incident was an isolated event and that the situation is under control once your investigation actually supports that; assurances that later have to be retracted compound the damage.

Regulatory sanctions

Your business could be fined if personal data is lost or compromised due to a cyber attack, just as Staysure was. Data protection laws require businesses to implement appropriate technical and organisational security measures against unauthorised or unlawful processing, accidental loss, and destruction of or damage to personal data.

How can you plan to protect against a cyber attack?

Security controls

An independent assessment can determine whether your existing controls and processes provide adequate protection, and a specialist consultant will also have experience of how similar businesses are responding to the threat of a cyber attack.

Contractual commitments

A cyber attack can cause severe disruption to a business and it is important to understand the impact the attack may have on its contracts as, under English law, contractual obligations cannot easily be avoided.

Educating employees

  • Produce a policy telling employees how the business’s systems may be used.
  • Give appropriate training to new joiners and regular refresher courses to existing employees.
  • Put reporting processes in place so that employees have a way, anonymous if they prefer, of raising concerns or reporting suspected incidents.

Business continuity planning

You should consider producing a plan detailing who to contact for support if the business is attacked or its online services are disrupted. The plan should set out the business’s recovery procedures and explain how it would continue operating, particularly if the business trades online.

Important business records (for example, sales information) should be backed up regularly and archived in a secure, off-site location that is kept separate from the live systems, so that an attacker who compromises the network cannot reach the backups, yet can be accessed readily after an attack.

Compile hard copies of staff, supplier and customer contact lists. Ensure that copies are retained off site and kept secure, for use in the event of an attack.

Ongoing security management issues

  • Ensure that all IT systems and networks are continuously monitored, and that someone is responsible for acting on what the monitoring reports.
  • Test, monitor and improve security controls on a regular basis; attackers’ methods keep changing, so a control that was adequate last year may not be adequate now.
  • Remove any software or equipment that is no longer used, and securely erase any sensitive information stored on equipment before it is disposed of.
  • Review and manage every change in user access: the creation of accounts when new employees arrive, adjustment when they change role, and prompt deletion when they leave.

TOP TIPS – Protecting your business from a cyber attack

1. Malware protection

Install anti-virus software on all systems and keep operating systems, applications and browsers up to date with security patches (the failing in the Staysure case). Consider restricting access to inappropriate websites to reduce the risk of exposure to malware (malicious software).

2. Network security

Increase protection of the business’s networks (including wireless networks) against external attacks through the use of firewalls, proxies and other measures, and keep systems that hold sensitive data separate from those that face the internet.

3. Secure configuration

Maintain an inventory of all IT equipment and software. Define a secure standard configuration for all existing and future equipment used by the business, and remove or disable accounts, services and features that are not needed.

4. Managing user privileges

Restrict employee and third-party access to IT equipment, systems and information to the minimum required to do the job (the principle of least privilege). Excessive user privileges should be avoided: too many employees with access to confidential information or to systems that do not help them perform their role, and administrative rights held by accounts used for everyday work.
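The access review called for under “Ongoing security management issues” (removing leavers’ accounts) and the least-privilege point above can be checked mechanically rather than from memory. The following is an added example written for this page, not code from the original article: it reconciles a constructed HR roster against a constructed export of live accounts and reports leavers who still have an enabled account, accounts with no HR owner, group memberships beyond the role’s baseline (privileged groups first) and accounts unused for 90 days. The role names, group names, usernames and dates are all made up.

```python
"""Joiner/mover/leaver and least-privilege account review.

Added example for this page, not the article's own code. It assumes two
exports most businesses can produce: an HR roster (employee, role, leave
date) and a list of live accounts (enabled flag, group memberships, last
login). Every name, role, group and date below is constructed.
"""
from datetime import date

# Constructed baseline: the groups a role needs to do its job, and nothing more.
ROLE_BASELINE = {
    "claims-handler": {"staff", "claims-app"},
    "developer": {"staff", "vpn", "source-control"},
    "finance": {"staff", "finance-app"},
}
# Groups that confer administrative control; excess membership here is the worst case.
PRIVILEGED_GROUPS = {"domain-admins", "db-admins"}
DORMANT_DAYS = 90

# Constructed HR roster export.
HR_ROSTER = [
    {"user": "alice", "role": "claims-handler", "leave_date": None},
    {"user": "bob", "role": "developer", "leave_date": None},
    {"user": "carol", "role": "finance", "leave_date": date(2015, 4, 30)},
]

# Constructed account export from the directory service.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": {"staff", "claims-app", "domain-admins"},
     "last_login": date(2015, 1, 10)},
    {"user": "bob", "enabled": True, "groups": {"staff", "vpn", "source-control", "finance-app"},
     "last_login": date(2015, 5, 26)},
    {"user": "carol", "enabled": True, "groups": {"staff", "finance-app"},
     "last_login": date(2015, 5, 20)},
    {"user": "dave", "enabled": True, "groups": {"staff"}, "last_login": None},
    {"user": "svc_backup", "enabled": False, "groups": {"db-admins"}, "last_login": None},
]


def review_accounts(roster, accounts, today):
    """Return findings as (kind, user, detail) tuples, in account-export order."""
    roster_by_user = {person["user"]: person for person in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this review
        person = roster_by_user.get(acct["user"])
        if person is None:
            findings.append(("orphan", acct["user"], "no HR record"))
            continue
        if person["leave_date"] is not None and person["leave_date"] <= today:
            findings.append(("leaver", acct["user"], f"left {person['leave_date']}"))
            continue  # the account should not exist; finer findings are moot
        allowed = ROLE_BASELINE.get(person["role"], set())
        excess = acct["groups"] - allowed
        for group in sorted(excess & PRIVILEGED_GROUPS):
            findings.append(("privileged-excess", acct["user"], group))
        for group in sorted(excess - PRIVILEGED_GROUPS):
            findings.append(("excess", acct["user"], group))
        last = acct["last_login"]
        if last is not None and (today - last).days > DORMANT_DAYS:
            findings.append(("dormant", acct["user"], f"last login {last}"))
    return findings


def demo():
    """Run the review against the constructed data as of the article's date."""
    return review_accounts(HR_ROSTER, ACCOUNTS, date(2015, 5, 27))


if __name__ == "__main__":
    for kind, user, detail in demo():
        print(f"{kind:18} {user:10} {detail}")
```

Against the constructed data the review reports alice’s unexplained domain-admins membership and dormant account, bob’s unnecessary finance-app access, carol’s still-enabled account a month after her leave date, and dave’s account with no HR owner. A role with no entry in ROLE_BASELINE is deliberately treated as entitled to nothing, so every group it holds is reported until the baseline is written down.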

5. Home and mobile working

Home and mobile working increases a company’s cyber risk profile. A business should draft and implement a home and mobile working policy and train employees to adhere to it, especially if the business allows employees to use personal mobile devices (for example, laptops or tablets) for business use.

6. Removable media

Restrict the use of removable media (such as USB drives). Make sure any data stored on removable media is protected to avoid the data being lost and to help prevent malware from being installed on the company’s IT networks.