How To Beat The Hackers & Improve Cyber Security At Work
In this digital age, it could be argued that cyber security is just as important, if not more so, than making sure your doors are locked and the alarm is on - although these are incredibly important, obviously.
For example, there’s a good chance that the data stored on your computers, networks and hard drives is worth a considerable amount more than the equipment itself. Physical items can be replaced, but your digital data is almost certainly a much bigger loss.
Read more: The Best Productivity Apps For Work
And there are some alarming stats around cyber security. According to the Department for Business, Innovation and Skills’ 2015 Information Security Breaches Survey, 90% of large organisations and 74% of small business were subject to a security breach in 2014, a rise of 81% and 60% on the previous year.
The report also shows that the average cost of a large company’s worst breach was a huge £1.46 million - £3.12 million, with the cost to small business clocking in at an equally damaging £75K - £311K. This shows just how detrimental a security breach or cyber attack can be on a business.
So how do you improve computer security at work?
Understanding the risks
One of the most important things business owners need to do, and one where they often fall down, is actually understanding the risks of cybersecurity. By understanding where these risks lie, you can put the necessary measures in place to improve security.
Where are attacks most likely to come from for your industry? Do you have any specific weak points that need addressing? What data is most likely to be targeted? These are all questions that need to be answered, which then brings us on to…
Training your staff
According to the report, 75% of large business and 31% of small businesses suffered staff-related security breaches, with 50% of the worst breaches caused by inadvertent human error.
A certain amount of human error is all but unavoidable, but that doesn’t mean you can’t train your staff to try and ensure such error is kept to a minimum. Training should be a regular occurrence to cover the various aspects of security, and also to keep on top of new legislation and types of cyber attack.
This training could incorporate everything from reminding employees not to leave passwords lying around to teaching them how to check for cyber attacks on the network.
Install the necessary software
You’re probably pretty clued up on this side of things, since such software has been around for quite a while now, but it’s still incredibly important to ensure you have all the necessary software installed on your computer.
If you go with a big name such as Norton or AVG, then they’ll often have all the different things you need so you don’t have to shop around too much for it.
Back everything up
Should the worst happen and someone actually gets access to your data, then it’s absolutely vital to ensure you have at least one other copy of it. If someone steals your paper documents, then they may well be lost forever, but the beauty of external hard drives, USB sticks, cloud storage is that you can keep multiple versions at the click of a button.
Backing up also helps guard against corruption and general loss of information, so it really is a must for every business, big and small.
Cyber security insurance
So many business owners don’t even realise that cyber security insurance is a thing, largely because they don’t realise that it’s something that can be insured.
To be honest, general awareness of the subject is generally pretty low. According to the UK Cyber Security Report, 52% of CEOs believe they have cover for cyber attacks, whereas, in reality, only 10% actually do.
The cost of cyber insurance is generally higher than other types of liability (around three times as much), but it’s something that’s still worth investigating now that cyber attacks are becoming more and more commonplace.
Move with the times
It’s not exactly a groundbreaking statement, but digital technology is changing all the time and it’s vital that business owners keep up or risk being caught out.
For example, the ubiquity of social media in our work and personal life means that there’s yet another way for potential hackers and scammers to attack your business and target your data. Again, this is where training comes in. Ensure staff are clued up on social media protocol at work, so they’re aware what they should and shouldn’t be doing.
But next week it could be something else, and attackers might target your website and personal data in a new way. Constantly keeping up to date with matters of cyber security is essential so you know how to prevent and react accordingly.
We spoke with Tony Anscombe, Senior Security Evangelist at AVG, a leading provider of antivirus and malware protection. Here’s what he had to say...
Where do you find most cyber security threats are coming from right now?
Thanks to the explosive growth of personal mobile devices, the huge shift towards cloud applications and the impact of the Internet of Things (IoT), cyber security threats can present themselves in a number of unprecedented ways. It is commonly employees - unaware of the risks - that act as the weakest link, allowing hackers a route in to their organisation.
Looking back at recent data breaches such as the famous TalkTalk hack, spear phishing is a frequent method of entry. This particular method targets individuals within a company or organisation to reveal details allowing hackers access to internal systems.
Cyber criminals are becoming increasingly sophisticated in their approach, using social engineering techniques to trick employees into realistic looking but fraudulent emails, or using fake or re-directed websites.
One tactic is to send employees emails, sometimes designed to look like they’ve come from a client or supplier. These bogus messages might contain a link or attachment which the unsuspecting employee clicks, downloading a virus or malware.
In your opinion, how serious are businesses taking cyber security these days?
Although the large scale hacks making the headlines are raising awareness of the importance of cyber security, generally, businesses need to be making the topic much more of a priority.
Businesses aren’t taking cyber security seriously enough until they’re educating employees on the risks, implementing (and regularly updating) security solutions and making active decisions about the way in which company data is utilised.
I’ve found that many businesses tend to think they're too small for a hacker to notice – this is a myth. A Scottish hairdresser was hacked last year and had their business held to ransom. You certainly don’t have to be a corporate giant to be a target. Hackers deliberately target small businesses – considered ‘easy targets’ – particularly those who provide services to bigger brands. They use them as a Trojan Horse and try to gain access to their larger customer's systems, data or employees.
What are some of the most common mistakes businesses make when it comes to their cyber security?
One of the most common mistakes businesses make when it comes to their cyber security is doing nothing - which is scarcely sustainable!
Business owners have been quick to embrace the flexibility and cost benefits of letting employees use their own devices and apps to carry on working outside the four walls of the office. But rarely is enough consideration given to the associated risk of losing control over the security and privacy of company confidential data – a common error.
Considering the majority of individuals use basic, easy to guess passwords that put their employer’s data at risk – this is a very real problem.
All businesses need to think beyond their own immediate lines of defence. They should be talking to their clients and suppliers, as well as their employees, to agree the best way of protecting and managing data securely.
Where do you think threats are going to come from in the future?
The adoption and usage of wearables is rising within mainstream society through fitness trackers and smart watches, for example, so it’s natural that similar devices will soon be widely utilised within the working environment too.
Wearables offer the opportunity to simplify processes and everyday actions – such as providing security clearance to buildings or as a way of tracking activities so that time is used efficiently. Yet, a case can be argued about its use more extensively within the workplace such as when tackling data visualisation and design tasks (aided via augmented reality headsets), easier video conferencing (via smart glasses) or simply allowing greater efficiencies for voice recognition/dictation devices to speed up written documentation.
Like any other device, wearables run on software and software can be vulnerable to attack. In essence, every extra connected device that enters the workplace is an extra route in for hackers.
Assuming IT security is already in place and being monitored, the most important action for businesses to take is educating all their staff about the security risks personal devices pose to the workplace. Everyone in the organisation must know what the potential risks are and understand the reality that the watch on their wrist could compromise company data if not properly secured.
We also spoke with IT Governance for their take on the issue of cyber security. Here’s what they had to say...
How important is it for businesses to take cyber security seriously?
Companies can no longer afford to ignore the ease with which both criminals and employees can cause large-scale data breaches. Although cyber attacks are a real risk, companies should also ensure that they are implementing effective internal processes and deploying adequate staff awareness training to ensure that the threat of a data breach can be contained.
Where do you think threats will come from in the future?
We will continue to see more frequent and severe cyber attacks as companies become more reliant on technology and continue to ignore the importance of maintaining basic cyber hygiene. Ransomware attacks are also fast gaining ground due to the speed at which these attacks can be executed and the near-guarantee that the criminals will profit from such attacks.
What are some of the most common mistakes companies are making when it comes to their cybersecurity?
The biggest mistake companies make is that they underestimate the threat of cyber attacks, believing they are not a target, and therefore not at risk. 82% of SMEs recently said in a survey they’re not targets for attacks as they don't have anything worth stealing. The truth is that all companies are targets, no matter how small they are. This is because cyber criminals use automated software to seek out vulnerabilities that exist on unprotected systems, networks and websites to launch their attacks. Any company that isn’t adequately protected will be identified and exploited by these criminal networks.
Cyber attackers also use a range of innovative tools to deceive unsuspecting users to click on malicious links that can be found in phishing emails or social media. By deploying basic cyber security measures, most companies can prevent up to 80% of cyber attacks.
The UK Government has recently launched a cyber security standard, the Cyber Essentials Scheme, that does just that. Based on the implementation of five simple controls, and costing as little as £300 to achieve certification, it enables businesses to demonstrate to customers, clients, stakeholders and the public that it is indeed cyber secure. Certification that includes independent, external testing of the company’s infrastructure provides additional reassurance of the organisation’s cyber security status.
Will we ever be able to completely guard against cyber attacks?
Probably not. That’s because cyber crime is constantly evolving. New vulnerabilities are discovered all the time, while exploits and tactics are being refined to overcome existing cyber defence strategies. Fighting cyber crime is an ongoing battle, and no business is ever 100% secure. The key is to develop a cybersecurity incident response plan that will contain any damage if the organisation should be a target.
What do you think is most important in tackling the threat of hacking? Let us know in the comments.