Small and medium-sized enterprises (SMEs) face numerous challenges when starting out. Unfortunately, cybersecurity is often overlooked because of the common misconception that only large corporations are vulnerable to attacks. In fact, as many as 58 percent of malware victims are small businesses, according to estimates from Alert Logic, and 43 percent of data breaches target small businesses, according to Accenture. On average, cyber attacks cost small businesses in the US $200,000 every year.
To make matters worse, data from Cisco shows that 60 percent of SMEs fold within six months of a cyber attack, meaning the damage done is irreparable in most cases. For UK-based businesses looking to enhance their IT security, Computers In The City is a reliable and experienced IT company specialising in IT security.
The growing importance of cybersecurity
In recent decades, the value of data has been increasing; in fact, in 2017 it overtook oil to become the world’s most valuable commodity. Businesses are increasingly dependent on big data and analytics, with a rising number being data-driven or even solely data-based, such as Facebook or Airbnb. With data such a central asset to more organisations, it may come as no surprise that criminal elements have emerged seeking to exploit the vulnerabilities of IT systems.
Cybercrime has risen inexorably ever since computer networks first gave hackers the opportunity. Attacks have become more audacious, frequent and damaging, with an increasing number of high-profile data breaches reported.
In a 2015 breach at the US Internal Revenue Service, 700,000 social security numbers and other sensitive information were compromised, while in the following year a Distributed Denial of Service (DDoS) attack across one million Internet of Things (IoT) devices caused popular sites like Netflix, PayPal, Spotify and Twitter to crash. Such attacks can be extremely costly to business, and Cybersecurity Ventures has forecast that cyberattacks will cost businesses $6 trillion by 2021, an increase from $3 trillion in 2015. This amounts to the largest transfer of wealth in history, exceeding the illegal trade of narcotics worldwide.
Making plans and creating strategies
Cybersecurity is frequently carried out as a series of unconnected measures in different areas of operation. While this approach may be beneficial for individual aspects of the business for a given time span, an all-encompassing, holistic approach will be much more effective over a longer period.
Security policies should be integrated into the business strategy and clearly defined for every area of the business. This can include cloud computing, IoT, security audits, social media security and data backup. The security policy should address areas of potential weakness and account for new technologies and media that may present new vulnerabilities.
Cybersecurity strategies need to include objectives to be carried out, and a programme that is adopted throughout the organisation. Objectives and contents must be periodically reviewed to ensure they are kept relevant to the changing situation of the organisation.
While risk management is an ongoing process of identifying, assessing and responding to risk, cyber risk management applies this principle to an IT context. It involves decision making, management, communications and situational awareness concerning risk.
Cultural elements of risk management are important, and these include leadership involvement, accountability and ongoing training. Communication is vital in managing risks, and the potential business impacts should be made clear through information sharing tools.
Risks need to be prioritised based on risk trends, impact, and the time scale of the impact.
Disaster recovery, business continuity and resilience relate to an organisation’s ability to continue to operate following a disruption. The CERT Resilience Management Model (CERT-RMM) is often used to improve the resilience of a business.
Cybersecurity practices should consider all potential threats, such as those posed by third parties in the supply chain, or insider threats, which may be intentional or inadvertent, as is the case with phishing. Implementing basic measures to secure infrastructure, prevent attacks and reduce risks is often referred to as cyber hygiene. A list of 11 practices in cyber hygiene has been provided by the Software Engineering Institute.
Patches and updates
Device software patches and updates need to be applied regularly and consistently to maintain an effective cybersecurity strategy. Software updates often include patches that close security holes hackers can exploit. Updates can protect data and combat vulnerabilities in IT systems, but they are often left uninstalled when it isn’t clear which individual or department is responsible for the task.
To ensure this task is completed, roles need to be clearly defined as part of an effective cybersecurity strategy. Establishing a test lab is important, as well as making clear the responsibilities within the testing process.
Supply chain security
As previously mentioned, awareness of how products flow through the supply chain, and of the vendors and resellers involved, is important to security. A high level of security must be in place to ensure that stages in the supply chain can’t be exploited as potential vulnerabilities.
Steps taken to heighten security in the supply chain can include the use of blockchain technology that guarantees transparency and validity in transferred products, a trusted platform module (TPM) that uses encryption, or secure boot, which ensures device firmware hasn’t been altered anywhere between manufacturing and deployment. These practices will protect devices throughout the supply chain and lessen the risk of an insider threat.
For smaller businesses, IT security concerns can seem insignificant compared with the more central preoccupations of working on the business core and striving to reach new levels of success. But with the rising threat of cybercrime an everyday issue for businesses of all sizes, cybersecurity can simply no longer be ignored. The many small enterprises that have fallen victim to attacks would all agree – failing to take cybercrime seriously isn’t worth the risk.