Jon Milward, Operations Director, Northdoor
In 2011, cybercrime caused damages of up to £3.37 million to small businesses in the UK, costing a small business on average £5,400 per cyber-attack. However, the UK Home Office recently reported that in 2012 companies with fewer than 20 employees spent £200 a year on cybersecurity prevention tools. In contrast, companies with 50-100 employees spent roughly £4,000 per year on IT security, and companies with 100+ employees spent double that sum, costing them £10,000 per year.
Cyber security threats
Businesses of all sizes should adopt a scenario-based approach to security in order to fully understand the extent of their threat landscape. This entails considering all the different threats and imagining how each might play out. If you can explore in detail the potential impact of each scenario, you can then begin to build a true understanding of how well your organisation is structured to cope. For example, what happens when a personal device that contains business data is lost or stolen?
BYOD strategies are accelerating, and whilst this can result in greater productivity and a boost to staff morale, it can also lead to increased security threats or breaches. The question is how this trend can be regulated, and to what extent an organisation can dedicate and reinforce processes when it is the employees who own the devices.
SMBs are struggling to keep their security software and policies up to date. Although the technology exists today to wipe a device, or cut off its access to business data, as soon as it is reported stolen, lapses still occur. Small businesses need to ensure that policies are enforced across all staff using the BYOD scheme. The rise of a mobile workforce using a wide variety of devices is now beginning to show how much such a scheme threatens a business’s security and intellectual property, and protecting against this has never been more challenging.
Whilst many organisations believe they have sound security measures in place, the reality is that these are often implemented piecemeal, with each solution addressing only a specific need. A disjointed approach of this kind is rarely sustainable, and a holistic approach is the one organisations should favour. Security should never be considered in isolation from the business. Instead, security should protect and enhance business processes, and risk must be properly identified across key business areas.
Companies should create a security policy and continually adjust it, implementing any additional tools and processes needed to address new threats. They also need to review the policy regularly in line with changes in the environment, whilst evaluating themselves against the current policy to see whether procedure has routinely been followed. If there is a distinct lack of engagement with the organisation’s security policy, questions need to be asked about how the policy should be refined and whether tools should be changed or added to help with security compliance.
The security landscape is constantly in flux, with more advanced threats continually being generated. No organisation will ever be 100 per cent secure; any security measure or policy must be agile enough to deal with the changing threat landscape.
- Any good security policy should include things like using strong passwords that include numbers and letters; not sharing or displaying passwords; and only opening email attachments from reliable sources.
- You should also encourage staff to use the web responsibly, and stay vigilant when contractors and outsiders are in the office.
- In terms of IT, you should monitor access to the network, including memory sticks and other plug-in devices, which can be used to steal company information.
- The sky is the limit when it comes to implementing security software, but there is a minimum level of security that any business should have. This includes: antivirus software to catch viruses and Trojan horse programs; anti-spam software to control spam, which could contain malicious code or links to hacker websites; and anti-phishing software to detect financial hacking techniques.
Security has to be considered in the round. If asked ‘is our data secure?’, most organisations will answer yes, because they have put security tools in place. However, security is not simply a matter of ‘yes’ or ‘no’; it is about asking and understanding ‘so what exactly happens when…’. Only by exploring such questions will you know whether your organisation is primed to handle all security eventualities.