Cyber Security Myths for SMEs (£)

A data hack-attack now costs a small/medium business in Europe, Canada and the US around $3/5 million per attack on average, and the figure is increasing annually.

A lot of misapprehensions are circulating about Cyber Security, and these need to be understood and discussed within the organisation.

First – Many organisations with a turnover below $25 million believe that they are not in the league to be attacked, and that even if they are, it will be of minor IT importance. Often this is what the IT manager has told the Board: that they are still too small to be severely attacked by hackers.

However, this misses the point that attacks are not aimed directly at larger organisations; they are aimed at vulnerable aspects of any part of a commercial opportunity. Smaller organisations are also often hacked because they have inadequate levels of security, and often they have not even gone through a training or hacking audit to receive cyber insurance.

Second – There is also a widespread belief that the return on cyber insurance investment and cyber security training is not worth the money spent.

However, cyber training and audit is significantly cheaper than being attacked. Obviously businesses all differ in size and susceptibility to attack, but implementing the ISO 27001 international type standards costs as little as $1k, with the potential savings from attack being extensive.

Third – There is a myth that when and if a Hack happens the problem lies outside the organisation; this is often not the case.

Internal management and staff are the issue as they have not been trained and educated to resist and reject malware that is sent via emails to them. The other internal issue with staff and management is upset, annoyed and disgruntled employees who hack their own systems or another department’s system.

Fourth – There is also a wide and deep belief that Cyber security and improved systems security is far too expensive and ultimately not worth the trouble.

However, although it is always difficult to say independently what the upgrade and security will cost, what we can say is that not doing the upgrade and security as an ongoing process is far more expensive once you are hit. The average breach is now costing individual companies sums in the millions of pounds/dollars.

By reducing the risk and implementing cyber security audits and checks you will, in the medium and long term, certainly save your business a lot of money, and the improvements will give you a far more secure future.

The sensitive information you hold is serious money for the hack attackers: corporate data, customer details, and classified and private information, copyrights and patents that could be used for blackmail or sold on. The most important information is extremely valuable to Hackers.

On an average day there are in the region of 120k hacking attacks, with the average cost per breach at around $6/7 million.

One of the most important controls is your staff education and training process, ensuring that staff treat security as an important part of their working and private time. Often organisations have no control over the applications and security measures installed on an employee-owned device.

With the use of Bring Your Own Device (BYOD) increasing every year, more and more employee devices are being connected to company networks and used to access sensitive information.

By working with BYOD, staff can bypass the majority of your organisation’s security measures and will inadvertently introduce insecure applications into the company network. This will often create serious weaknesses for hackers to exploit.

These risks can be reduced by developing a clear BYOD strategy and by ensuring minimum standards of security are adhered to across all devices connected to the company network.

Another issue that needs to be addressed across the whole organisation is Password Protection. Everyone from the CEO to the Office Intern needs to be aware of the issues that develop when secure passwords are left too long without change. 

The problems with common choices of Password need to be explained, and checks and changes regularly made.

Biometric security techniques are gradually arriving and offer an opportunity for organisations to eliminate passwords altogether. Another promising area in biometrics is voice recognition tools. There's some impressive technology around that allows employees to authenticate themselves with their voice.

Some employees often say that security measures are a serious problem for working usability. If these employees have organisational privileges, then the security systems may be disrupted or taken down, with awful effects for the organisation's systems. Aside from limiting the availability of administrative privileges, it’s very important to educate users about the importance of all the available security measures.

Responsible for Information for SMEs

Responsible for Information is a free, UK government sponsored, e-learning course aimed at staff in micro, small and medium sized enterprises (SMEs). It helps employees and business owners to understand information security and associated risks; it also provides good practice examples and an introduction to protection against fraud and cybercrime.

Each module is tailored to the specific needs of the target audience and includes role specific content. It will take between 45 and 75 minutes to complete the course, depending on the module you are taking. All modules conclude with an assessment to test the user's understanding.

Go to the GOV.UK government website for further information.

All businesses can benefit from understanding Cyber threats and online fraud. The UK Government has worked with leading industry partners to develop free e-learning courses to help staff understand online threats and how to protect business data, money and reputation.

The training is relevant to staff and owners in a wide range of businesses, from sole traders to larger companies.

AR

 
