Chris Watkins, Principal Architect, Security, Ultima.
For many companies the risks of poor IT security are something they believe they have to live with. They don’t have the budget to invest in current IT security tooling; a few don’t even believe they are open to attack. While these companies are expected to meet business-as-usual requirements and simultaneously deliver mobile and SaaS projects, it’s easy to see how their IT security needs can come last.
However, over the last few years there has been growing recognition among board members that they could be a target. They are asking their IT directors where they could be exposed, and are keen to be able to answer to their stakeholders on this issue.
Recent industry research backs this up, finding that over half (58%) of SMEs think their businesses are at risk of financial loss from poor IT security and data compliance. The research, conducted by OnePoll for Ultima, also found a good degree of realism expressed by SMEs, with 41% acknowledging that spending money on IT security is not a priority for their business, and just over half (55%) acknowledging that they could probably never fully protect their business from IT breaches.
It’s easy for smaller companies to think that hackers only target large enterprises, but this is not the case. We know of many firms that have suffered data breaches and lost significant amounts of money, hurting their ability to do business. Government statistics put the cost of a breach for an SME at between £75,000 and £310,800*. Attacks are now highly targeted, and hackers take advantage of companies that don’t take even the simplest steps to secure themselves, for example turning on the security features they already have.
So how can your firm find the balance between productivity and security, and how can you ensure your IT systems are up to scratch when it comes to data compliance?
There are measures and systems that all businesses should put in place to improve their IT security, from simply checking that their security software and licences are up to date, to undertaking Cyber Security Assessments, plugging gaps in their security infrastructure and making sure they are GDPR compliant. For Office 365, for example, you need to understand the platform well enough to ensure all of its security functions are deployed appropriately.
If your firm doesn’t do this, with the new GDPR regulations coming into force in May, you could be faced with significant financial penalties for infringing data protection legislation on top of any business financial loss. GDPR isn’t an IT play; it’s a business challenge about how companies process data. But IT systems have a key role to play in enabling the safe and secure handling of the relevant data.
If your company doesn’t have the internal resources and IT expertise to keep its IT systems secure and up to date, you have the option of outsourcing IT at a reasonable price to a managed services provider. An audit can quickly establish where your firm has gaps in its security. But make sure the company undertaking the audit approaches it with an appropriate level of realism: if you’re a 500-user manufacturing company, they need to assess your level of IT investment, policies and procedures against the level of risk your firm is actually likely to face. Boards should also weigh the possible damage to their brand against the cost of ensuring their IT security is sound.
IT support can be provided on a 24x7x365 basis, with the company’s network proactively monitored and technical experts on hand to assist with any problems alongside internal IT staff. Managed services can be provided in full or in part, with you deciding whether to outsource a critical part or your entire core IT infrastructure. On-demand services are a flexible, scalable and cost-effective option. They allow for cloud adoption, distributed data and mobility, while protecting against advanced malware and cyber security threats.
One scheme that many companies could benefit from is the Cyber Essentials Scheme, a UK government-backed security standard that identifies the security controls an organisation must have in place within its IT systems. The Cyber Essentials Requirements document sets out the necessary technical controls, whereas the Assurance Framework describes how the independent assurance process works and the different levels of assessment organisations can apply for to achieve certification. It’s a good standard to work to if you want to ensure your company is appropriately protected, and it also contains guidance for the security professionals carrying out the assessments.
There are many ways that firms can improve their IT security without large expenditure. Making sure that licences are up to date and that you are keeping up with the latest software patches is critical but often missed. If you are in doubt about your company’s ability to stay ahead of the game on IT, outsourcing to a managed service is a good way forward. Equally, ensuring internal IT staff follow the Cyber Essentials Scheme will put you ahead of most common security hurdles.
* Information Security Breaches Survey 2015, Department for Business Innovation and Skills