Aug 4 2017
Like any business risk, cyber-crime must be addressed in the Boardroom
Business today is almost universally dependent on functioning networks and servers. So it’s no wonder that cyber-crime is fast-becoming one of the biggest business risk headaches.
Online theft now far out-strips physical theft. And it’s not just the financial side. From reputational damage and data protection, to crippling downtime, this invisible threat can have far-reaching and long-lasting consequences.
What chance does an SME have?
When the world’s biggest organisations – from the NHS to WPP – can’t protect themselves, what can an SME do? It requires just one security update to be missed, or just one person to open the wrong email, and the damage can be extensive.
So every business needs to face reality: cyber-crime is here to stay – evolving at a faster pace than businesses. Oz Alashe, CEO of CybSafe, says, “These are businesses. They sometimes even employ psychologists to work out how best to get access to the information.” Throw into the mix hacktivists, nation states and bored teenagers, and you have a formidable and unpredictable foe.
So what is the business risk, and how can you mitigate it to help your business grow with minimum disruption? These are the questions we put to the senior business leaders at our recent Cyber Security Roundtable, hosted in collaboration with Bluefin Insurance, Milsted Langdon and Royds Withy King.
The grim facts about cybercrime
It’s indiscriminate: You are a target
Last year’s government survey on cyber security breaches found that almost half of cyber-attacks were against SMEs. Yet most SMEs don’t think they’re a target – which means they’re not protecting themselves.
A Commercial Director attending our roundtable says, “We were attacked in February, and our first reaction was, ‘well why us?’ But it’s just software crawling the internet, looking for vulnerabilities – and next thing you’ve got a ransom note for £5000.”
It’s unpredictable: No system is impenetrable
Another attendee, Head of Business Development for a local firm, recalls, “When we got hacked last year, our server was compromised for all of one second during which Ransomware was put on. The hackers accessed through a disused printer logon – somehow, somewhere they managed to find it.”
Ultimately, it’s highly probable: People make mistakes
James Sage, Employment Partner at Royds Withy King, sums it up perfectly: “The human factor is always going to be there. Employees make mistakes. But it is possible to reduce the risk with excellent training.”
So what are the threats?
Financial: Cyber-attacks can be incredibly expensive. Ransomware, like the recent Wannacry attack, can bring organisations to their knees with just one click of an email link. The ransom itself might not be expensive, but the disruption can be huge.
The Head of Business Development said, “We didn’t pay the ransom, so they screwed up our data for a while. We lost a week while the IT company was reinstalling the backup. We’re still feeling the after-effects a year later – people have to work harder and smarter to maintain vigilance.”
Reputational damage: The long-term losses from reputational damage could far out-strip the initial financial cost of an attack. As the Commercial Director says, “We lost three different servers – so that was all of our own websites and probably a couple dozen client websites too. Immediately your reputation is on the line.”
And for some businesses there other concerns. As James Sage notes: “For firms like ours, reputational damage could be awful because of the highly confidential nature of business transactions and sensitive personal information.”
Privacy: All companies are required to keep clients’ information confidential now, but the new General Data Protection Regulation coming in May 2018 will bring tighter regulations and even bigger fines.
Legal: Some organisations, such as law firms and financial advisors, have additional legal responsibilities to maintain systems in order to avoid risk to client assets.
Risk mitigation: 8 great places to start
1) Take responsibility
Many businesses are still viewing cyber security solely as an IT or an HR issue. It’s not, it’s the Board’s. As Oz Alashe says: “The failing isn’t IT’s. It’s whether that question is being asked at the highest decision-making level. Because if this is important why wouldn’t you consider it like any other business risk?”
2) Don’t do nothing
With so much media induced ‘fear’, businesses are sometimes behaving like rabbits in the headlights. So accept that it will happen – it’s a question of when, not if. Then start to focus on securing your people, processes and technology.
3) Get the basics right
Be meticulous about firewalls, correctly configured internet gateways, changing passwords when people leave, and up-to-date security patches and malware protection. Put robust processes and policies in place: Which emails should people not open? How should employees work on trains? What information can they share on social media? And so on…
4) Train for less pain
Ultimately, all of it is about people – minimising human error. Mike Punter, Chairman of Innovecom, says, “Applying patches, replacing out-dated software…That’s still a human decision. So it’s about education right across the board, including senior executives – making the right decisions at the right time.”
Or as PwC puts it in a recent blog: ”It isn’t enough to simply train staff. Training must be followed by knowledge testing and… further training and re-testing should take place.”
As with any training, creativity is required to keep knowledge top of mind. As Sarah Sandercott, Learning & Development Director at Curtis Banks, says, “You don’t want to ram it down people’s throats to the point where they get complacent and fed up.”
5) Think negative
Even the most robust training and technology can’t guarantee protection, so you need to be prepared for the worst: how will you handle orders, manage network-free business, and tell your clients?
The Commercial Director, again: “We were completely transparent and honest. So whilst it was a pretty horrific few weeks, we came out of it almost with a better reputation than before. I think there’s so much more awareness about cyber-attacks. People understand it can just happen.”
6) Share your failures
“The natural tendency,” says Mike Punter, “is not to disclose that you’ve been exposed to a threat.” But he believes this is a crucial part of the solution, “What we’re talking about is learning from failure – in the way that the aircraft industry learns [from accidents]. People learning from each other’s experiences to close down some of these vulnerabilities.”
7) Insure against it
Insurance can be a huge source of peace of mind. Ian Sandham, Branch Director, Bluefin Insurance says, “What would you do if you had an attack? Who would you call? The beauty of having insurance is not just that they pay for it – they send the experts in. They’ll do the public relations, help fix the problem, tell you whether or not to pay the fine…”
8) Start with the Government’s Cyber Essentials
Like many businesses, Government has been slow to fight cyber-crime with the requisite resources.
But they have recently launched Cyber Essentials, a set of simple steps to help businesses protect themselves – with accreditation you can show to clients. “It’s by no means the panacea for all issues,” says Oz, “but 75% of the breaches that occur are preventable. Cyber Essentials looks at the basics to address that 75%.”
In summary, no one is completely safe. It’s a threat that’s here to stay and SMEs need to take it seriously. But it’s not all doom and gloom. Applying basic principles will help to prevent a lot. And you can at least be prepared for what you can’t prevent.
But it all starts in the Boardroom.
To find out more about how High Growth Knowledge Company support Boards in developing their approach to business risk through our Board Advisory Service, contact us today.