Robert Rutherford, CEO of the business and technical consultancy QuoStar
It’s no secret that the number of cyberattacks on UK businesses is increasing year on year. However, even though this trend can be seen across many different industries, many firms are still unprepared when it comes to cybersecurity.
With the number of Distributed Denial of Service (DDoS) attacks on the rise, it should be clear to all businesses that it is time to start implementing the strategies needed to keep firms safe from cybercriminals.
After all, an attack on a company’s IT infrastructure can create total chaos for businesses of all sizes. As such, when these incidents do occur, it’s vital that firms have the resources available to respond quickly and with as little disruption as possible.
Prevention is better than a cure
For companies looking to protect themselves against a cyberattack, a good starting point would be the ISO 27001 standard, the internationally recognised standard for information security management systems. Implementing this standard is a structured way to determine which controls should be used to prevent cyberattacks and to continually improve a firm's information security.
Businesses should also consider creating an Information Classification Policy (ICP) to ensure that sensitive information is handled according to the risk it poses to the organisation. Under this model, firms assign a risk level to each category of sensitive information, so that they can clearly set out the methods and appropriate resources for handling that data, as well as any encryption, storage or transmission requirements.
Policies like these can go some way towards boosting security, but they are not enough; employees will also need to be educated on how to spot, block and report suspicious activity in order to prevent cybercriminals from gaining access to an organisation's network. By responding to a seemingly innocent phishing email, or by falling for a convincing phone call, employees can unintentionally provide attackers with all the information they need to access an organisation's data.
With this in mind, employees should at the very least be taught to be alert to any request, even one that appears legitimate, that asks for login details or other private information. Hosting regular seminars and workshops to raise awareness of these threats is therefore also vital, as employees must be able to recognise red flags and understand when to inform management of suspicious activity.
Limiting the damage of a breach
Even with the best training and IT security measures in the world, cybercrime will continue to impact businesses across the globe. As such, preventing a breach is only half the story: businesses also need to consider how they will keep the business operational in the event of an attack, as the impact of a breach can extend beyond IT.
There are ways to combat this risk. Having a strong business continuity plan will enable firms to take immediate action if their IT systems have been compromised.
Cybersecurity and business continuity are actually two sides of the same coin; by working in tandem, these strategies can help to mitigate both the cost and impact of data breaches. There are three key elements to consider when implementing this kind of plan: resilience, recovery and response.
To build resilience in the face of an attack, firms will need to ensure that their critical business functions remain largely unaffected by an intrusion; this is where a strong ICP can help, because knowing which data and systems matter most tells a firm what to protect first. Secondly, they will need arrangements in place to recover and restore less critical business functions as quickly as possible. Lastly and most importantly, firms will need to establish the capability and readiness of their employees to respond to and cope effectively with an unexpected attack.
Needless to say, all businesses need to have a robust cybersecurity plan in place to prevent attacks and protect their data and systems, but they must also have a plan they can follow if an attack – and associated outage – does occur. Any failures in this regard can be incredibly costly, not only financially, but also in terms of the damage they can cause to a company’s reputation.