By Sungard AS
As multinational enterprises put more resources into security and breach prevention, criminals are increasingly diverting their activity towards smaller businesses as softer targets. So it's vital to understand and manage cyber risks before your business is compromised and your security is held to account by banks, insurers or investors.
As a business owner, you may not be aware of what happens to the information your employees, customers and suppliers have access to. You may not even be able to state with confidence where your most important data is held – whether that's onsite on desktops and servers, in the cloud, on mobile devices… or the dreaded USB sticks. So where do you start?
Identifying cyber security risks
Step #1: Identify and document asset vulnerabilities
Your first step should be a risk assessment to understand what makes your business attractive to cyber criminals (customer data is likely to be your biggest commodity at risk) and where your main vulnerabilities lie.
Start with some basic questions, such as 'what information do we collect?', 'how do we store it?', and 'who has access to it?' You should then examine how you currently protect your data, and how you secure your computers, network, email and other tools.
For example, consider whether you have a formal written policy for social media usage on any device (including employees' personal ones) that connects to your company network. Do you provide internet safety training for your workforce? Do you wipe all old machines of data before disposal? Do you require multi-factor authentication (more than one way of confirming a user's claimed identity) to access your network?
Step #2: Identify and document internal and external threats
Do your research and familiarize yourself with the main types of cyber crime and how they're perpetrated – the tactics, techniques and procedures used to target organizations. And don't focus exclusively outwards. While the word 'hacker' may conjure up visions of a malevolent teenager in a bedroom in some remote corner of the world, or a shadowy presence on the Dark Web, you should acknowledge the potential for a disgruntled or heavily indebted employee to steal intellectual property or commit cyber-enabled economic fraud.
Step #3: Assess your vulnerabilities
A growing number of tools (many of which are free) can scan your network to determine what services you are running, check whether your software versions are up to date, and look for known vulnerabilities. There are also tools that will allow your IT administrator to run pre-defined exploits against your own systems and use brute-force attacks against your end users. You may wish to go one step further and appoint an outside security specialist to gauge your company's resilience through penetration testing, in much the same way as vehicle manufacturers use 'tame' burglars to break into cars.
Step #4: Identify potential business impacts and likelihoods
Carry out a business impact analysis to determine the effects or consequences – financial, operational, reputational – of a cyber attack on your business and who would be affected. If you have a business continuity plan or resilience plan, you should already have a clear picture of the costs linked to IT failures or business interruption. If not, a specialist can guide you through this process, and ready-to-use questionnaires are available to help you collect information from various parts of your business.
Step #5: Identify and prioritize your risk responses
Once you understand the potential impact of a cyber attack on your business, you can start to prioritize how you will resolve any immediate flaws in your security. If you make any changes to your system security, test them to ensure not only that you have closed the holes but also that the changes haven't negatively impacted any of your other systems. Since people can be your greatest security liability, ensure rules and best practices are documented in policies, and undertake a regular program of staff education on the risks that come from today's interconnected ways of doing business.
Since there is no way to protect your business 100% from attempted cyber crime, you also need to be prepared in the event of an attack. Ensure everyone knows exactly what they need to do and when, and that they have the skills and resources in place to do it.