In case you missed it, October is Cyber Security Awareness Month. It seems like just about every day brings another news story about an ever increasing list of businesses and other organisations who have fallen victim to a cyber-attack or a data breach, but just who is behind these?
There’s no one answer. Some of the perpetrators are organised criminals who have moved online. They’ve worked out that it can be far more lucrative (and far less risky) for them to rob a database than to rob a bank.
Some are hackers of varying degrees of expertise. Ask anyone to picture a hacker and it’s usually an image of a teenage computer genius in a hoodie sitting in a darkened bedroom that springs to mind. The truth is that free online hacking tools can turn just about anyone into a successful hacker.
Then there’s the employee with a grudge, looking to steal or leak trade secrets or data. Or maybe they’re a corporate spy? Or a Foreign agent?
Or… maybe it’s you? Have you ever mistakenly sent a work email to the wrong recipient? The perils of autofill can make data leakers of us all.
Businesses need to get to grips with all of these ‘threat vectors’ and fast. If your business hasn’t thought about this then I’m afraid it may only be a matter of time. Just imagine how you’d feel if every email your organisation has ever sent was posted online? Or what if one of your finance staff was tricked into sending money to the wrong account?
The good news is that there’s an increasing number of free resources and (paid) service providers who are available to help. The National Cyber Security Centre (www.ncsc.gov.uk) has excellent materials and its ‘Cyber Essentials’ self-assessment option is simple to follow and can help you protect against a wide variety of the most common cyber-attacks. That’s a good start, but if you really want to reassure your customers that you’re working to protect their data then you really need to carry out a hands-on technical verification and be certified to ‘Cyber Essentials Plus’ (and some Government contracts now require this).
There’s a growing industry of cyber security specialists, auditors, ‘white hat’ hackers and penetration testers lining up to help businesses defend against cyber threats. And every business should be asking themselves if they now need to look at taking out Cyber Insurance.
In Scotland, this growing cyber security eco-system has been helped along immensely by the presence of Edinburgh Napier University’s Cyber Academy. Even the Law Society of Scotland has been active in this field offering solicitors like me the opportunity to become a Certified Specialist in Cyber Security.
In the meantime, what can you do to prepare for a cyber-incident? The first step is to identify where you keep your data. If you don’t even know where it is, how can you protect it? Regularly backing-up your data and patching your computer operating systems is essential too. Consider migrating your data to the Cloud. Google and Amazon have an army of cyber security specialists to protect your cloud computing data. Who do you have?
It’s also a good idea to develop a Cyber Incident Response Plan in advance. Just as you plan and prepare for a Fire Alarm, you should plan and prepare for a cyber-incident. Everyone should know in advance what role they should play and what they should do. They should follow pre-written ‘Playbooks’ so as to cut improvisation down to a minimum. In cyber security, pressure doesn’t make diamonds – it makes mistakes!
Finally, don’t make the mistake of thinking this is an IT problem. It’s a management problem. More specifically, it’s your management problem. Be part of the solution.