The 2017 Cyber Security Breaches Survey* revealed that nearly 70% of large UK businesses have suffered a data breach or cyber-attack in the last 12 months, with the average cost to each business affected totalling over £20,000. WannaCry, the most notorious of this year’s ransomware attacks, disrupted 34% of NHS Trusts in England, leading to thousands of operations and appointments being cancelled and five A&E departments being unable to treat some patients**.
But with so much of our organisational data now stored online in the cloud, and IT systems and software driving virtually every business process, how can a company protect and preserve the integrity of its data without becoming so security-conscious that efficiency, productivity and budget are compromised?
The first step to reducing your risk is raising awareness of fraudulent emails. The Cyber Security Breaches Survey found that the most common form of cyber-attack is malicious emails purporting to be from a known person or organisation. These emails coax the recipient into revealing passwords or financial information (through fake landing pages, for example), or into opening dangerous attachments that contain trojan malware or ransomware, leading to a data breach. It’s important that everyone in your organisation is made aware of these risks and is actively encouraged to question the legitimacy of emails received before opening attachments or entering their personal or financial information.
A current example of ransomware being distributed through emails is the Scarab virus. First detected in June, in November it was sent to 12.5 million email addresses through the use of a spambot. Mimicking legitimacy, the email’s subject line was “Scanned from [printer company name]”, making it appear that the attachment was a scanned image or document sent directly from a multifunction device. However, the attachment instead installs ransomware on your machine that encrypts your data until a ransom is paid in Bitcoin – and even after payment, there is no guarantee that the decryption key will be sent.
Whilst training your team to be vigilant is extremely important in avoiding cyber-attack, it does not replace the protection that anti-virus software, firewalls, updates and patches provide.
Anti-virus software is a particularly important measure, and should be installed on every device used by your organisation – including smartphones. Ensure that your firewall is switched on to create a buffer between your network and the internet, and use the ‘automatically update’ option on PCs to apply the latest software and firmware updates provided by manufacturers and vendors. The WannaCry virus which caused such havoc earlier in the year exploited a critical vulnerability in the Windows operating system that a Microsoft patch had already addressed. However, due to a lack of resources and a desire to test new updates before pushing them out to all users, organisations had not yet applied the fix, which amplified the WannaCry impact. Applying the latest software and firmware updates as quickly as possible will minimise your exposure to risk.
Passwords and authentication are also important. Ensure that every device within your organisation is password protected, and avoid predictable passwords (like passw0rd or a family name). To protect particularly sensitive data like banking information, consider two-factor authentication to guard against unauthorised access.
During the festive period, businesses are faced with another risk – employees who use company machines or mobile devices to buy Christmas gifts. Last year alone, the cost of online fraud was £16m – a significant increase of 45% on the previous year. Employees should be encouraged to check and verify vendors (being particularly mindful of ratings), and should carefully guard their PIN and passwords. Wherever possible, try to discourage employees from using company machines for their online shopping or any other personal business, as this only serves to increase your vulnerability to ransomware and cyber-attack.
Finally, whilst the measures described here will go a long way to protecting your data, it is virtually impossible to guarantee that your systems cannot be breached. In 2016, both the FBI and US Homeland Security were hacked, demonstrating that even those organisations with large cyber-security budgets and specialist cyber knowledge are vulnerable. Cyber attacks are like any other risk and have to be managed and mitigated. In addition to safeguarding against these threats using accredited processes, data also needs to be protected using a rigorous and robust daily back-up process, ensuring that a copy of the information most critical to your business is securely stored offsite, be it in the cloud or on another remote drive. In this way, should your systems be compromised, you can at least access your data from an unaffected machine, allowing day-to-day operations to continue and minimising downtime and associated cost.
To tackle the threat and impact of cyber-attack, the UK Government has recently opened a new National Cyber Security Centre (NCSC) which is tasked with providing expert advice to organisations and businesses in every sector of the economy and society. Its 10 Steps to Cyber Security document (https://www.ncsc.gov.uk/guidance/10-steps-cyber-security) provides an excellent starting point for those organisations looking to implement low-cost, effective measures to reduce their risk. We would also recommend the Government’s Cyber Essentials Scheme (https://www.cyberessentials.ncsc.gov.uk/) as a way of demonstrating to your customers and stakeholders how seriously you take cyber-security and the safety of their data.