By Robert Wright, Head of Sales at Nexor.
As the number of cyber attacks in the UK increases, small businesses need to be proactive, rather than reactive, in their approach to cyber security.
Every day, small businesses in the UK fall victim to around 10,000 cyber attacks, and this number is on the rise. Worryingly, 72% of UK businesses were classified as cyber security ‘novices’ in the Hiscox Cyber Readiness Report.
Since the introduction of GDPR, the average loss from a cyber attack is reported to be around £280,434, which is an increase of 61% compared to the previous year. Small businesses will likely take longer to recover from an attack, which is why they must have the correct infrastructure in place. Whilst it is still imperative to be cyber secure, businesses must become cyber resilient, too.
Cyber resilience and cyber security are counterparts, not opposites. Although they are similar, cyber security focuses on reducing the chance of an attack occurring, whilst cyber resilience ensures that your business is still operational after an attack, and able to recover.
As the volume of attacks is so high, experts assume that eventually, at least one hacker attempt will get through your security. Although this may seem pessimistic, we cannot hide from the fact that hackers are becoming more intelligent and can easily identify ‘backdoors’ in our security systems.
The game of ‘cat and mouse’ is never ending – we may adapt, but hackers will soon find a new way in. Therefore, it is vital that we begin focusing on our cyber resilience strategies, to ensure that business can go on as normal after an attack.
We have put together our five top tips on how to implement a cyber resilience strategy:
- Your employees
Human error is the cause of many IT incidents, especially when staff members have not been given the correct training. Everyone within your company should be trained to understand the importance of both cyber resilience and cyber security. Cyber security training should focus on how hackers gain access to systems and valuable information, what to look out for (e.g. email phishing) and to whom suspicious activity should be reported within the team. It is also important to provide cyber resilience training, so that staff members understand the processes to follow in the event of an attack.
- Run simulations
Simulate a company-wide security incident at least once per year. Run through the steps your business will take in the event of a breach or attack to see how well your plans hold up. Exercise in a Box is an online tool from the National Cyber Security Centre (NCSC) that can help you test and practise your response to a cyber attack. This will allow you to iron out any kinks in your plans, so that when a real-life event occurs you won’t be caught off guard.
- Protect your critical systems
You should prepare a cyber resilience strategy to protect your critical systems from being affected by a cyber attack. Here are four useful techniques:
  - Realignment – Understand and manage the connections between critical and non-critical systems, reducing the probability that a breach of a non-critical system will spread to a critical one.
  - Access Control – Restrict access to critical systems solely to those who need it to do their jobs.
  - Redundancy – Where possible, have backup critical systems in place, each with its own separate protections.
  - Segmentation – Segmenting your network according to importance and trustworthiness will prevent a breach from affecting your entire system.
- Develop an incident response plan
According to the National Cyber Security Centre, the characteristics of a cyber resilient system can be broken down into four phases:
  - Prepare (through preventative security)
  - Absorb (reducing the risk of an incident escalating)
  - Recover (developing and executing an incident response plan)
  - Adapt (not only after an attack but also to the ever-changing landscape)
Business leaders should first look at their own internal structures and processes to determine where there could be any weaknesses. From here, there should be a thorough plan for each of the four phases above – this will most likely involve input from a number of teams.
- Review and adapt
As your business grows, it will naturally develop new ‘weak points’. Therefore, it is crucial that your cyber security and cyber resilience governance strategies are reviewed on a regular basis. Previously implemented measures may need refreshing to ensure they remain in line with your legal and regulatory requirements; this will likely require board-level commitment and internal auditing. New weaknesses will also open up as hackers employ more sophisticated attacks to gain access to sensitive information.
Your employees can be your strongest defence, but they must be trained and kept informed of any developments if they are to help detect potential threats and respond to them actively in order to protect the business.