Amshire quizzes Cybersecurity expert Dr Paul Stephens, Director of Computing, Digital Forensics and Cybersecurity at Canterbury Christ Church University, on some of the topics relevant to smaller organisations and businesses.
We hear a lot about cyber-attacks on large multinationals but how much of a threat is cybercrime to the UK’s small and medium sized businesses?
It’s a much bigger problem than most people realise. According to the UK Government’s Information security breaches survey 2014 , 60% of small businesses had some form of security breach last year, with the average cost of these breaches doubling.
More than half of those surveyed believe there will be an increase in incidents in the future. The threat of cyber-attacks needs to be taken seriously by any business reliant on IT systems.
Cyber-crime isn’t going away. Which areas do you feel businesses should be most concerned about?
I think it is important to be aware of a range of threats and where they may come from. In contrast to the old stereotypical hacker who breaches security for enjoyment, the reality these days is much more likely to be that attacks are perpetrated by organised groups of determined criminals looking to make money.
In addition to these hackers and cybercriminals, you may also need to be aware of competitors looking for economic advantage and ‘hacktivists’ whose motives to attack your company can be political, social, economic or environmental. Company employees (both current and former) can also cause problems either accidentally or maliciously.
What are some of the more common examples of how small businesses can be affected by
Some of the most common effects of cybercrime are theft of financial details (yours and your customers), intellectual property (such as product designs) or other commercially sensitive data (such as negotiation positions) and customer details. Irretrievable loss or corruption of data is also a possibility.
Are businesses in certain sectors more exposed than others?
Possibly. This can depend on the kind of data your company keeps; however, if you keep any of the data outlined earlier then you are at risk. Some businesses may be required to comply with the Data Protection Act which states that “appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data”, so for client databases there is increased risk and responsibility due to legislation.
There may also be a need to comply with the Payment Card Industry Security Standards Council if you allow customers to pay with credit and debit cards. In more creative or product-based industries then your intellectual property could be a big worry. If businesses are negotiating with other businesses then this information can also be extremely sensitive and attractive.
What impact are mobile devices having on cybersecurity?
An acceptable behaviour and use policy is essential for these devices and should include what can and can’t be done. Access and use of sensitive data needs to be managed appropriately. This should include the use of strong passwords, encrypting sensitive information and the network links to that information, automatic locking of the device used, and a clear delineation between personal and business data and app usage.
What are the key steps an organisation should take to combat cyber threats?
There are a number of great sources such as 10 Steps to Cyber Security prepared by a division of GCHQ and Small businesses: what you need to know about cyber security by the Department for Business, Innovation & Skills (BIS).
I particularly like the latter’s approach of ‘Planning’ followed by ‘Implementing’ and then ‘Reviewing’. The Planning phase involves identifying your critical assets along with the risks to these, management of these risks and the legal and compliance requirements.
This phase also stresses the importance of asking how you would continue to do business following an attack. The Implementing phase looks to ensure that the correct security measures are in place, that staff are well trained in good practice, and installing measures to recover from any attacks. The Reviewing phase looks to systematically review these implemented measures.
However, it is advisable to enlist the help of IT experts such as your managed service provider to help develop and implement a cybersecurity strategy.
Do you think SMEs appreciate the business risks posed by cyber-crime?
I hope so! What is important is that the high level decision makers understand how important cybersecurity is. This means allocating a substantial budget to IT security which covers both the technological and staff awareness education aspects.