Cybercrime is a real and serious threat to any organisation. Money, reputation, fraud and the functioning of your business could all be lost in a cyberattack.
Estimates suggest that in 2025, cybercrime will cost the global economy some $10.5 trillion – more than the entire value of the illegal drugs trade.
Unfortunately, the same trends that make data science possible, coupled with the increasing sophistication of cyber criminals and a poorly coordinated global response to cybercrime, mean that cybersecurity is unlikely to drop down the boardroom agenda any time soon.
Whilst we still maintain a strong focus on traditional measures of security in business (who would leave their office permanently unlocked?), we’re playing catch-up in confronting the challenges posed by cybersecurity.
Indeed, in the United Kingdom, for several years now, you’re more likely to be the victim of a cybercrime than physical violence or robbery.
Understanding the threats
Feeling a little bit terrified? You should be. There are a lot of bad actors out there aiming to cause harm.
It’s almost implausible that you won’t be an intended victim of a cyber attack, either personally or corporately, in the next working year: just check your email spam folder for evidence.
Below are the most common types of defence you should be employing to protect your organisation.
Database, network and infrastructure security: your network and infrastructure will cover routers, firewalls, servers, storage systems, intrusion detection systems (IDS) and domain name systems (DNS). Each of these is vulnerable to attack. The US Cybersecurity & Infrastructure Security Agency (CISA) lists a number of wise defences, including: physically and virtually separating elements of the network to best protect sensitive information; operating a principle of “least privilege”, so that users are given only the minimum access they need rather than the maximum; implementing good wireless security, such as strong passwords; and using firewalls (which can automatically filter out dangerous traffic). If you have physical servers on premises, these must be securely guarded and protected. Ensure all database management software is kept up to date with patches and upgrades to protect against known vulnerabilities.
Data security: first and foremost, you need to understand what data you have, where it lies and who has access to it. Your data security approach should involve using techniques to prevent unauthorised access, using encryption to scramble data, and carefully protecting the encryption keys that unlock it. Use of Virtual Private Networks (VPNs) can also help secure and encrypt data as it travels between users and your systems.
Identity management: users present a very high-risk point of failure for an organisation. Just as you need to understand where your data sits, you need to understand who has access to your organisation’s software and hardware. Once you have this information, you must keep a clear record of access controls and ensure that only authorised users can access your systems and network. Again, the principle of “least privilege” should guide your access permissions.
Endpoint user and device security: many users in your organisation – particularly with the rise of remote working accelerated by Covid-19 – will use a variety of devices (mobiles, laptops, personal computers etc) to access your organisation’s network. Ensure that these devices are only in the right hands and that each device is secured with strong passwords and two-factor authentication (such as entering a password and a code received on a separate device).
Application security: ensure applications are kept up to date with patches and upgrades so that the most recently discovered vulnerabilities are covered and protected against.
Disaster recovery and business continuity planning: in the event of a catastrophe or disaster, ensure you have a clear plan to recover information and ensure your business operations can continue as far as possible. This may include separate backups of data, alternative devices, separate network connections and putting in place contingency workflows that can operate under different cybersecurity attack scenarios.
Standards and certification: international standards are available to guide best-practice cybersecurity. These vary by industry and geography, although the family of standards known as ISO/IEC 27000 is a good starting point. To gain certification, your organisation must put in place and clearly demonstrate compliance with the standards, which is then externally verified by a certifier.
Getting the basics in place
So, what are some core basics you need to do? First, make sure your organisational leadership is committed to cybersecurity. Chief Information Security Officers (CISOs), or similar roles with sole responsibility for cybersecurity across the enterprise, are becoming increasingly common in companies. However, you don’t need a CISO to show leadership. Ensure someone on your Board – and ideally both an executive and a non-executive board member – is responsible for overall cybersecurity. In some territories, such as Europe and the UK, GDPR regulations require this by law.
Second, solidify your network security by running a series of vulnerability tests. This is where a paid tester, acting on your behalf and with your authorisation, attempts a series of attacks against your network and identifies vulnerabilities which you can then mitigate. Third, ensure applications are up to date with the latest security upgrades. Web applications, as discussed, are particularly exposed, so make sure you understand where their points of risk lie. Fourth, implement staff training. This should cover everything from secure password management to understanding what to do in a disaster recovery scenario.
And finally, implement strong password management. Anecdotally – accurate data is hard to come by, as many organisations are reluctant to share how often they have been attacked – poor password management is one of the most common routes of attack for cyber criminals. Ensure all staff use secure passwords alongside multi-factor authentication.
Dr Antonio Weiss is the author of The Practical Guide to Digital Transformation and a senior partner at The PSC, a public services digital transformation consultancy. This article has been exclusively adapted from Antonio’s book for BusinessCloud.