Technological developments are taking place at an incredible speed, which enables businesses to be more efficient in terms of both time and money. Despite these benefits, technological advancements have also brought a new set of threats and challenges that many businesses have never experienced before. As a result, companies need to learn how to deal with these new phenomena in order to best protect themselves.
The recent global ransomware attacks on the NHS and other services have brought cyber-security into the limelight. Cyber-security is defined as the protection of all systems, networks and data from theft, damage or disruption (itgovernance, 2017). It has been reported that there have been attempts to attack organisations beyond the National Health Service (National Cyber Security Centre, 2017). It is therefore vitally important that businesses of all sizes prioritise online security as an area that is worthy of investment.
Why is it vital for all companies to invest in cybersecurity?
Cyber security is not a problem that can be fixed indefinitely with the purchase of one particular piece of software. It is dynamic and ever-changing, therefore requiring an ongoing process of risk assessment and safeguarding. Cyber-attacks are almost impossible to predict but with sufficient security and preventative measures, their impact can be minimised.
Hackers are constantly learning new tricks and developing new ways to breach security measures. Cyber criminals are able to buy inexpensive hacking software from the internet, meaning that it is becoming increasingly easy for these individuals to get hold of private information and misuse it.
The insider threat to a business from its own staff and contractors should not be overlooked. Internal security procedures and policies must be communicated effectively to staff at induction and on a regular basis thereafter.
So, what is stopping companies from investing?
One common reason why financial decision makers may decide not to invest in cyber security for their business is the idea that 'if it ain't broke, don't fix it'. If the company has not been targeted before, they may not see any reason to invest further in cybersecurity measures. In reality, however, an attack could be imminent, which could potentially have devastating effects on the business. The fact that a business has not been targeted in the past does not mean that it will not be targeted in the future; a realisation that is reinforced by the recent ransomware attacks on the NHS.
A common misconception among some companies is that simply complying with relevant security legislation is enough to protect them. The ISO 27000 family of standards, for example, helps organisations of all sizes to keep their information secure by providing recommendations for an Information Security Management System (ISO, 2017). This will help a business to protect its information assets in cyberspace, but alone it is not necessarily enough to protect them from a targeted ransomware attack. Some CEOs or financial decision makers may lack knowledge or awareness of the level of risk, so not enough investment is put into cyber-security.
What does the solution look like and how can we get there?
To put it simply, there is not one overall solution to protect a company from cyber-attacks, but there are many different measures which can be implemented to reduce the harmful effects of an attack. It is about finding and fixing problems, not building huge defences. It is probably impossible for a company to be 100% protected against cyber-attacks. The focus should be on creating an internal process which finds bugs or vulnerabilities and works to fix them, in turn improving the cyber-security of the business.
Another way that a business can be made safer is to ensure that financial decision makers understand the detrimental impacts that a cyber-attack could have on the company, for example: loss of sensitive data, negative effects on the company's reputation, the significant financial cost of a breach to the network and the reduced productivity in the long run.
Finally, it can be very helpful to liaise with other companies within the same industry sector to discover the cyber-security measures that they are adopting and how effective these are. This is useful in highlighting your company's current position and what needs to be improved in the future to bring the company into line with other market leaders.
Simple precautions that all companies can take in order to avoid 'Ransomware' attacks:
Recommendations by the National Cyber Security Centre (part of Government Communications Headquarters) are as follows:
- Keep your organisation's security software patches up to date
- Use proper antivirus software services and ensure they are also kept up to date
- Most importantly for ransomware, back up the data that matters to you, because you can't be held to ransom for data you hold somewhere else.