Is your business cyber secure?

23 October 2019

We take a look at Cyber Security and how to keep your business cyber secure.


Cyber Security and your Company

Cyber security is nothing new, but it has been making headline news for all the wrong reasons over the last few years, not least with the 2017 WannaCry ransomware attack that crippled parts of the NHS. Even if we don’t really understand what they are, we have probably all heard of Trojans, worms and ransomware infecting computers. B2B data is as much at risk as any other.

In our homes we are all (hopefully) much more aware of the need to have up-to-date anti-virus software on our computers; to not click on suspicious looking email attachments; spot Phishing requests purporting to be from PayPal and our Banks…and not to let that nice man calling from the Windows Technical support team in India take over our PCs. However, the scammers are becoming increasingly sophisticated and even the most cautious people can be caught out.

With your personal computer, the worst that is likely to happen is that your bank details are stolen (which you can hopefully block once you see fraudulent transactions coming through) or that ransomware encrypts your files and holds them hostage. Incredibly annoying and potentially costly to you, but it ends there: you learn, you keep backups next time and you move on. This is not the case when it comes to companies.

Cyber Security and Companies

At work, larger companies will have whole teams dedicated to protecting their IT systems from outside attack. They will have firewalls, sophisticated email filtering and anti-virus software constantly monitoring things, but typically, and frustratingly for them, the weakest link in their defences is again us, their employees.

The IT security teams can build tall, strong walls, but it only takes one person to accidentally (or deliberately) give away the keys to the main gate, by opening an email attachment or by doing what they believe the boss is asking in an email that actually came from a criminal, and the attackers are in and stealing data or money from the business.

As customers are increasingly engaging with companies online and allowing their personal details to be captured, the opportunities and impact of data breaches are increasing all the time. Just take a look at this fascinating visualisation of major data breaches over the past few years to see the full scale of it.

It is worth noting that these are just the breaches we know about: some companies are oblivious that they have been hacked, some don’t admit it, and some operate in countries with no law requiring a company to disclose a data breach.

Data breaches don’t always give criminals access to anything immediately valuable such as bank details, but dates of birth, social security numbers, mothers’ maiden names, home and email addresses, phone numbers and passwords are enough to open a customer up to identity fraud, account takeover wherever that password has been reused, and other scams.

We trust companies to look after our data appropriately, and any data leak is seen as a significant breach of that trust and damages our confidence in them. It is also something the press is quick to pick up on, and it can generate incredibly bad PR for the company.

This can significantly impact sales and revenues for that company, but the real financial cost can come in the form of fines. Now that GDPR is in place, breaking these regulations can come at a huge price to your company: fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.

In 2015 the UK government commissioned a survey into the scale of information security breaches and found that 90% of larger companies and 74% of SMEs had reported a security breach. The fines these companies received from the regulators came to around £1.4 billion. Had the maximum GDPR fine been imposed instead (unlikely, as it is reserved for the most extreme cases where negligence is proven), that £1.4 billion would equate to around £122 billion.

That is potentially a huge figure, and it is why most companies are paying real attention to the new law: running sessions to make sure their staff are fully aware of the regulations and ensuring that appropriate processes are in place to minimise the risk of data breaches or misuse (such as contacting people who have opted out).

I know what you are thinking: we are not going to be in the EU much longer, so this won’t affect UK companies. Think again. The law applies to anyone holding data on people in the EU, wherever the company is based, so international companies all around the world have to adhere to it too, and the UK’s own Data Protection Act 2018 is built on the same rules.

In the US the rise in data breaches was taken just as seriously, with Donald Trump signing Executive Order 13800 in May 2017, which holds the heads of federal departments and agencies personally accountable for managing cyber security risk within their organisations.

What steps can companies take to try and minimise the risk of Cyber Attacks?

On top of having enterprise-level anti-virus software, firewalls and so on, there are five things that I would say are most important in defending your company from cyber-crime, whilst leaving your data flexible enough that it can still be accessed and shared as required to run your business.

1.  Encrypt your Data

–  Data encryption should be an integral part of your data security process, and the part that decides whether it is worth anything is key management. Keys must live somewhere other than the database they protect (a key management service or hardware security module, not a configuration file sitting next to the data), and they must be cheap to rotate. Rotation is not a race against someone cracking the key, since a properly generated 256-bit key cannot be brute-forced; the point is that a key which leaks exposes only the data wrapped under it, and only until it is retired. If someone does break into your database, encryption done this way leaves them with ciphertext and nothing more. It does not protect you from an attacker who has taken over an application that legitimately decrypts the data, which is why the access limits in the next point matter just as much.
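As an added example (not code from the original article or from its author), this is the envelope-encryption pattern that makes "fast and flexible" rotation possible: each record is encrypted under its own data key, the data key is wrapped under a key-encryption key held in a key store standing in for a KMS or HSM (the `KeyStore` type, its numbered KEKs and the `Record` layout are assumptions of this example), and rotating means re-wrapping the small data key rather than re-encrypting every row. Retiring an old key makes any database copy taken under it worthless.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one encrypted field as stored: the ciphertext, the per-record data
// key (DEK) wrapped under a key-encryption key (KEK), and which KEK wrapped it.
type Record struct {
	KEK        int
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyStore stands in for a KMS/HSM (hypothetical): KEKs live here, never next
// to the data, so a copy of the database on its own yields nothing. Call
// Rotate once to create the first KEK before encrypting anything.
type KeyStore struct {
	keks [][]byte // index is the KEK number; nil once retired
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: stop rather than encrypt weakly
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 random bytes, so this cannot happen
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal is AES-256-GCM with a fresh random nonce prepended to the output.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; GCM's tag check rejects tampering and wrong keys.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("truncated ciphertext")
}

// Rotate adds a fresh KEK; new wraps use it, older KEKs stay readable.
func (ks *KeyStore) Rotate() int {
	ks.keks = append(ks.keks, randomBytes(32))
	return len(ks.keks) - 1
}

// Retire destroys a KEK: anything still wrapped under it becomes unreadable.
func (ks *KeyStore) Retire(i int) { ks.keks[i] = nil }

func (ks *KeyStore) wrap(dek, ct []byte) Record {
	cur := len(ks.keks) - 1
	return Record{KEK: cur, WrappedDEK: seal(ks.keks[cur], dek), Ciphertext: ct}
}

func (ks *KeyStore) unwrap(r Record) ([]byte, error) {
	if r.KEK < 0 || r.KEK >= len(ks.keks) || ks.keks[r.KEK] == nil {
		return nil, fmt.Errorf("KEK %d is retired or unknown", r.KEK)
	}
	return open(ks.keks[r.KEK], r.WrappedDEK)
}

// EncryptField: fresh DEK per record, data under the DEK, DEK under the KEK.
func (ks *KeyStore) EncryptField(plaintext []byte) Record {
	dek := randomBytes(32)
	return ks.wrap(dek, seal(dek, plaintext))
}

func (ks *KeyStore) DecryptField(r Record) ([]byte, error) {
	dek, err := ks.unwrap(r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// Rewrap moves a record onto the current KEK. Only the 32-byte DEK is
// re-encrypted; the bulk ciphertext is untouched, so rotation stays cheap.
func (ks *KeyStore) Rewrap(r Record) (Record, error) {
	dek, err := ks.unwrap(r)
	if err != nil {
		return Record{}, err
	}
	return ks.wrap(dek, r.Ciphertext), nil
}

func main() {
	ks := &KeyStore{}
	ks.Rotate()
	rec := ks.EncryptField([]byte("sort code 12-34-56")) // constructed sample value
	ks.Rotate()
	rec2, _ := ks.Rewrap(rec) // same ciphertext, DEK now under KEK 1
	ks.Retire(0)              // dumps taken before the rotation are now useless
	_, err := ks.DecryptField(rec)
	pt, _ := ks.DecryptField(rec2)
	fmt.Printf("stale copy: %v; live copy: %s\n", err, pt)
}
```

In a real deployment the KEKs never leave the KMS; the application sends it the wrapped DEK and gets the unwrapped one back, so a compromise of the database server alone still yields nothing. The same mechanism is what you would use to protect a file before it leaves the building (point 5 below): encrypt it under a fresh DEK and send the wrapped key by a different route.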

2.  Limit Access to the Data

–  25% of data breaches (according to the 2017 Verizon Data Breach Investigations Report) involved someone inside the company. You can immediately reduce the risk of accidental or deliberate breaches by giving access to data only to the people who need it. Different people need different pieces of customer data to do their jobs, so limit each of them to those fields rather than the whole database, and keep a record of who reads what. For uses such as analytics you can also pseudonymise or anonymise the data so that the people working on it never see a direct identifier.

–  Make sure everyone in your company, especially those with access to your data, understands the impact of a breach, the regulations, the processes in place and the role they play in preventing breaches.
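As an added example (not code from the original article or from its author) of the two ideas in this point, field-level access and pseudonymisation: each role gets a view containing only the fields it needs, and the analytics view carries a keyed-hash token in place of the email so records can still be linked without identifying anyone. The roles, the `Customer` layout and the sample record are assumptions of the example. It also shows the common mistake of using a bare hash as a "pseudonym": anyone with a list of likely email addresses can reverse it by hashing each guess, which a keyed hash defeats as long as the key stays in the key store.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Customer is a constructed sample record layout; the people are made up.
type Customer struct {
	Email, DateOfBirth, Phone, Postcode string
}

func normalise(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// Pseudonymise derives a stable token from a direct identifier with HMAC-SHA256.
// The same email always gives the same token, so records can be joined, but
// without the key the token cannot be turned back into the email, even by
// guessing. The key belongs in the KMS, not in the analytics database.
func Pseudonymise(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(normalise(value)))
	return hex.EncodeToString(mac.Sum(nil))
}

// UnkeyedHash is the common mistake: a bare hash of the identifier.
func UnkeyedHash(value string) string {
	sum := sha256.Sum256([]byte(normalise(value)))
	return hex.EncodeToString(sum[:])
}

// Reverse is what an attacker does with a bare hash: hash each likely email
// from any leaked list and compare until one matches.
func Reverse(token string, candidates []string, hash func(string) string) (string, bool) {
	for _, c := range candidates {
		if hash(c) == token {
			return c, true
		}
	}
	return "", false
}

// outwardCode keeps only the area part of a UK postcode, e.g. "SW1A" from "SW1A 1AA".
func outwardCode(postcode string) string {
	if i := strings.IndexByte(postcode, ' '); i > 0 {
		return postcode[:i]
	}
	return postcode
}

// ViewFor returns only the fields a role needs: least privilege at the field
// level rather than handing over whole rows. The roles are hypothetical.
func ViewFor(role string, c Customer, key []byte) (map[string]string, error) {
	switch role {
	case "analytics": // can link records, cannot identify people
		yr := c.DateOfBirth
		if len(yr) > 4 {
			yr = yr[:4]
		}
		return map[string]string{"id": Pseudonymise(key, c.Email), "area": outwardCode(c.Postcode), "birth_yr": yr}, nil
	case "support": // needs to contact the customer, does not need the date of birth
		return map[string]string{"email": c.Email, "phone": c.Phone}, nil
	}
	return nil, fmt.Errorf("role %q has no access to customer data", role)
}

func main() {
	key := []byte("replace-with-a-secret-from-your-key-store") // hypothetical key
	// Constructed sample: the 07700 900xxx range is reserved for fiction in the UK.
	c := Customer{Email: "Alice@Example.com", DateOfBirth: "1984-07-02", Phone: "07700 900123", Postcode: "SW1A 1AA"}
	v, _ := ViewFor("analytics", c, key)
	fmt.Println("analytics sees:", v)
	guesses := []string{"bob@example.com", "alice@example.com"} // a leaked mailing list
	fmt.Println(Reverse(UnkeyedHash(c.Email), guesses, UnkeyedHash))
	fmt.Println(Reverse(Pseudonymise(key, c.Email), guesses, UnkeyedHash))
}
```

Pseudonymised data is still personal data under GDPR if you hold the key, so the key must be protected and access to it limited like any other secret; only data that genuinely cannot be re-linked counts as anonymised.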

3.  Expect the same standards from your suppliers

–  In this day and age it is quite normal for external companies to need access to your data to help you run your business. That is obviously a potential vulnerability, so audit them in the same way you audit your own company, write your security expectations (including prompt notification of any breach on their side) into the contract, and do not work with anyone who does not have appropriate cyber security processes in place.

4.  Keep track of data and any changes

–  Keep track of where your data came from, whether and when it has changed, and how. You need the most up-to-date record so that things such as opt-out requests are honoured and are not lost should you migrate to a new database.

5.  Careful how you move or share data

–  We’ve all read the stories of people leaving laptops containing sensitive state information on trains, or of the junior employee (I assume he did not make it to senior employee) at HMRC who sent an unencrypted CD by standard post that never turned up. Unfortunately for them it contained the bank details and addresses of 9.5 million parents and the names, dates of birth and National Insurance numbers of all 15.5 million children in the country.

The lesson here…

Keep a very tight rein on who has access to your data and where it is stored. Don’t let people post or carry around your sensitive data unless they have a very good reason, and when they must, make sure it is encrypted before it leaves the building and that the key travels separately from the data.

If you have all of these in place you will significantly reduce the chances of an IT security breach. If your company is unfortunate enough to suffer one anyway, being able to demonstrate the steps you took to prevent it will stand in your favour when the fines are being decided.

Author: Matt Lester, Associate Director – Search and Digital Performance at Fidelity International

Disclaimer: Please note that this blog only contains general information and insights about legal matters. The information is not advice, and should not be treated as such.
