Cyber Security: How to protect your business
Cyber Security has become a major concern for every small business over recent years.
In 2017 we saw a number of high-profile incidents making national news headlines. Issues with ransomware, phishing and data breaches have become commonplace, and small businesses need to address these to keep their customers and themselves safe.
Ransomware is a type of malware or virus which is capable of locking or encrypting all files on your computers, including servers, desktop PCs and laptops. The cyber criminals will then demand payment of a sum of money in order to decrypt or release the data. These types of attacks have become more common across small businesses in Northern Ireland and are a very real threat to the local business community.
Ransomware typically makes its way onto a computer when a user clicks on a bogus email attachment or a link to an infected file or website. Once the ransomware is installed, it attempts to spread to any accessible ‘hosts’, such as PCs or servers on the same network. There have been a number of high-profile attacks in 2017, including a major attack on NHS systems in May which resulted in many hospitals and GP surgeries having to temporarily revert to paper systems. Always be cautious about clicking links within emails or opening email attachments you were not expecting.
Phishing attacks come in a number of different forms and usually involve trying to trick the email recipient into providing information under false pretences. Emails will typically purport to come from a trusted source, such as a colleague, a supplier or other business partner. The vast majority of phishing attacks are easily recognised; however, they can be very sophisticated, using specific knowledge of you or your business.
Any email asking you to change bank details or make payments should be verified first. Acting on bogus emails can have devastating consequences for small businesses. If you are suspicious of the authenticity of an important email, check by speaking to the sender in person or by phone, but make sure you contact them using contact details you know are correct and not the details included in the email.
Other data breaches
The unauthorised exposure of sensitive data is an area that small businesses increasingly need to be aware of. Data breaches can significantly impact your business by causing reputational damage or even direct financial loss. With the new General Data Protection Regulation (GDPR) applying from 25th of May 2018, businesses need to ensure they have good processes in place to comply with the regulation.
There are many causes of data breaches, many of which can be easily prevented or mitigated. The most common causes are:
- Weak or stolen account details – usernames and passwords
- Unpatched software – a common tactic of cyber criminals is to exploit known weaknesses in unpatched/outdated software
- Malware – malware is installed when a user clicks on bogus attachments or web links, and can compromise your system, with data being extracted without your knowledge
- Unauthorised physical access – restricting access to systems including servers is a crucial element of a cyber security strategy
- Lost or stolen media – laptops, mobile phones and disk drives can be easily lost or stolen, leading to a potential data breach
- User error – accidental exposure of data via email or other means
Cyber Essentials is a UK government-backed, industry-supported scheme to help organisations protect themselves from common cyber-attacks.
The government has worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials, a set of basic technical controls for organisations to use.
Cyber Essentials provides a framework for businesses to be assessed against and awards certification to those companies who are judged to be complying with the standard.
The scheme outlines a recommended set of controls under five headings, against which businesses will be assessed.
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
There are two versions of the scheme, Cyber Essentials and Cyber Essentials Plus; the basic process for each option is given below: