As multinational enterprises put more resources into security and breach prevention, criminals are increasingly diverting their activity towards smaller businesses as softer targets. So, it's vital to understand and manage cyber risks before your business is compromised and your security is held to account by banks, insurers, investors, and of course, customers.
As a business owner, you may not be aware of what happens to the information your employees, customers and suppliers have access to. You may not even be able to say with confidence where your most important data is held – whether that's onsite on desktops and servers, in the cloud, or on mobile devices. So, where do you start?
Identifying cyber security risks
Step #1: Identify and document asset vulnerabilities
Your first step should be a risk assessment to understand what makes your business attractive to cyber criminals (customer data is likely to be your biggest commodity at risk) and where your main vulnerabilities lie.
Start with some basic questions, such as 'what information do we collect?', 'how do we store it?', and 'who has access to it?' You should then examine how you currently protect your data, and how you secure your computers, network, email and other tools.
For example, consider whether you have a formal written policy for social media usage on any device (including employees' personal ones) that connects to your company network. Do you provide internet safety training for your workforce? Do you wipe all old machines of data before disposal? Do you require multi-factor authentication (more than one way of confirming a user's claimed identity) to access your network? Additionally, when employees leave the company, do you permanently suspend their authentication credentials so they can no longer access your network and its servers?
Step #2: Identify and document internal and external threats
Do your research and familiarise yourself with the main types of cybercrime and how they're perpetrated – the tactics, techniques and procedures used to target organisations. And don't focus exclusively outwards. While the word 'hacker' may conjure up visions of a state-sponsored hacker residing in some remote corner of the world, an individual running ransomware attacks from his bedroom, or a shadowy presence on the Dark Web buying up administrator or domain passwords at premium prices, you should also acknowledge the potential for a disgruntled or heavily indebted employee to steal intellectual property or commit cyber-enabled economic fraud.
Step #3: Assess your vulnerabilities
There are a growing number of tools (many of which are free) that you can use to scan your network and determine what services you are running, to determine whether your software versions are up to date, and to look for known vulnerabilities. There are also tools that will allow your IT administrator to run pre-defined exploits against your own systems and use brute-force attacks against your end users. You may wish to go one step further and appoint an outside security specialist (e.g., a ‘white-hat’ hacker or, better yet, a mainstream cyber incident response partner) to gauge your company's resilience through penetration testing, in much the same way as vehicle manufacturers use 'tame' burglars to break into cars.
Step #4: Identify potential business impacts and likelihoods
Carry out a business impact analysis to determine the effects or consequences – financial, operational, reputational – of a cyber-attack on your business and who would be affected. If you have a business continuity plan or resilience plan, you should already have a clear picture of the costs linked to IT failures or business interruption. If not, a specialist can guide you through this process, helping you collect information from various parts of your business ahead of any interruption to it.
Step #5: Identify and prioritise your risk responses
Once you understand the potential impact of a cyber-attack on your business, you can start to prioritise how you will resolve any immediate flaws in your security. If you make any changes to your system security, test them to ensure you have not only closed the holes but that the changes haven't negatively impacted any of your other systems. Since people can be your greatest security liability, ensure rules and best practises are documented in policies, and then diligently undertake a programme of staff education on the risks that come from today's interconnected ways of doing business.
Since there is no way to protect your business 100% from attempted cyber-crime, you also need to be prepared in the event of an attack. Ensure everyone knows exactly what they need to do and when, and that they have the skills and resources in place to do it. And, in turn, an ability to not only recover from a breach, but also to restore its integrity to your team as well as the full faith and confidence in your business from customers.