Meet Dr Paul Stephens – Cyber Security Expert
Amshire quizzes Cyber Security expert Dr Paul Stephens, Director of Computing, Digital Forensics and Cyber Security at Canterbury Christ Church University. Below we discuss some of the topics relevant to smaller organisations and businesses.
We hear a lot about cyber attacks on large multinationals, but how much of a threat is cyber crime to the UK’s small and medium sized businesses?
It’s a much bigger problem than most people realise. According to the UK Government’s Information security breaches survey 2014 , 60% of small businesses had some form of security breach last year, with the average cost of these breaches doubling.
More than half of those surveyed believe there will be an increase in incidents in the future. Businesses reliant on IT systems must take Cyber attacks seriously.
Cyber crime isn’t going away. Which areas do you feel businesses should be most concerned about?
I think it is important to be aware of a range of threats and where they may come from. In contrast to the old stereotypical hacker who breached security for enjoyment, the reality these days is much more likely to be that attacks are perpetrated by organised groups of determined criminals looking to make money.
In addition to these hackers and cyber criminals, you may also need to be aware of competitors looking for economic advantage and ‘hacktivists’ whose motives to attack your company can be: –
Company employees (both current and former) can also cause problems, accidentally or maliciously.
What are some of the more common examples of cyber crime affecting small businesses?
Some of the most common effects of cyber crime are theft of financial details (yours and your customers), intellectual property (such as product designs) or other commercially sensitive data (such as negotiation positions) and customer details. Irretrievable loss or corruption of data is also a possibility.
Are businesses in certain sectors more exposed than others?
Possibly. This can depend on the kind of data your company keeps; however, if you keep any of the data outlined earlier then you are at risk. Some businesses have to comply with the Data Protection Act. There is increased risk and responsibility due to legislation for client databases.
There may also be a need to comply with the Payment Card Industry Security Standards Council if you allow customers to pay with credit and debit cards. In more creative or product-based industries then your intellectual property could be a big worry. If businesses are negotiating with other businesses then this information can also be extremely sensitive and attractive.
What impact are mobile devices having on cyber security?
An acceptable behaviour and use policy is essential for these devices. This should include what can and can’t be done. Access and use of sensitive data needs to be managed appropriately. The use of strong passwords, encrypting sensitive information and the network links to that information, automatic locking of the device used, and a clear delineation between personal and business data and app usage.
What are the key steps an organisation should take to combat cyber threats?
There are a number of great sources such as 10 Steps to Cyber Security prepared by a division of GCHQ and Small businesses: what you need to know about cyber security by the Department for Business, Innovation & Skills (BIS).
I particularly like the latter’s approach of ‘Planning’ followed by ‘Implementing’ and then ‘Reviewing’. The Planning phase involves identifying your critical assets along with the risks to these, management of these risks and the legal and compliance requirements.
This phase also stresses the importance of asking how you would continue to do business following an attack. The Implementing phase looks to ensure that: –
- the correct security measures are in place
- staff are well trained in good practice
- installing measures to recover from any attacks.
The Reviewing phase looks to systematically review these implemented measures.
However, it is advisable to enlist the help of IT experts such as your managed service provider. They can help you to develop and implement a cyber security strategy.
Do you think SMEs appreciate the business risks posed by cyber-crime?
I hope so! What is important is that the high level decision makers understand how important cybersecurity is. This means allocating a substantial budget to IT security which covers both the technological and staff awareness education aspects.