These days, it’s depressingly rare for a month to pass without hearing about yet another large company’s IT security breach. It’s all the more troubling when the victim is either regarded as a ‘technology leader’, or handles customers’ financial data. Yet, whilst it’s the household names which grab the headlines, IT security breaches often pose an even greater threat to survival for small businesses. Whether the hacker’s goal is data collection, financial gain, or identity theft, it’s going to hurt.
The statistics are troubling: in 2014, 60% of small businesses experienced a cyber breach, and for the worst categories of breach the average cost was between £65,000 and £115,000, with 10 days of downtime. There may also be punitive fines from regulators. Plus, longer term, the damage to your reputation may be the hardest thing of all to repair. Is all of this something your business could survive?
Having filled you with a Brexit-esque level of terror, it’s now time to calm your nerves and discuss what you can do about it.
To get to the ‘good stuff’, a hacker has to first breach your outer defences, so let’s make this as hard as possible. Obviously, we don’t want silly things like wireless networks with no password (use WPA2 with a long passphrase, and keep guest devices on a separate network). We also want to make sure there’s a decent firewall set up, which acts as the first line of defence against malicious traffic originating from outside our local network: the right starting point is to block everything inbound by default and open only the handful of ports the business actually needs. This can be paired with a Network Intrusion Detection System (NIDS), which examines traffic once it has passed through the firewall, logs anything suspicious and, ideally, alerts someone who will actually look at it.
The next line of defence is antivirus / antimalware software. This helps prevent malicious software from installing itself on your computers and spreading across the network to which they are connected, but only if it is kept up to date and running on every machine, including the laptops that rarely come into the office.
Dodgy email attachments are a common way for viruses and malware to spread, so make sure you have a strong spam filter. As an added bonus, you won’t have to endure quite so many adverts for ‘male enhancement’ products, or dubious business proposals from Nigeria.
Any sensitive data stored in files or databases should be encrypted, especially when stored on laptops, which are the devices most likely to be lost or stolen! (Full-disk encryption only helps if the password is not written on a sticky note in the laptop bag.) Probably more data counts as ‘sensitive’ than you’d imagine: credit card details and pretty much anything relating to your customers. We may or may not end up covered by the EU’s new data protection regulation (GDPR), but the existing UK rules are similar. You have an obligation to your staff and customers to:
Your website most likely also receives customer data – even if it’s non-transactional, things like contact forms and newsletter sign-up boxes collect customer email addresses, so you don’t want them intercepted. The key to protecting that data in transit is TLS (Transport Layer Security, the successor to SSL, which most people still call ‘SSL’). It makes your website accessible via ‘https://’ rather than ‘http://’ and displays a padlock in the address bar (green in many browsers) once your site presents a certificate, signed by a trusted certificate authority, that verifies your domain name. Control Esc can easily help you get one for a few pounds per year. Bear in mind that https protects data between the visitor’s browser and your server; it does nothing to fix an insecure server or a badly written form. Using https and having the padlock gives customers confidence that you take data security seriously and, as if you needed any more persuading, Google now considers https a positive SEO (Search Engine Optimisation) factor!
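To make the https advice concrete, here is an added example (not Control Esc’s configuration, and not code from the original article) showing an nginx server block with the weak setting beside the corrected one: the first serves the contact form over plain http, the second redirects http to https and only speaks TLS 1.2 and 1.3. The domain example.com and the certificate paths are placeholders.

```nginx
# Added example: weak vs. hardened nginx configuration for a small business site.
# example.com and the certificate paths are placeholders, not a real deployment.

# WEAK: the contact form is served over plain http, so anything a visitor
# submits travels across the internet in clear text.
server {
    listen 80;
    server_name example.com;
    root /var/www/example;
}

# HARDENED, part 1: anything arriving over plain http is sent to https
# with a permanent redirect before any form data can be submitted.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# HARDENED, part 2: the real site, served only over TLS.
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example;

    # Certificate chain and private key issued for example.com (placeholder paths).
    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # SSLv3 and TLS 1.0/1.1 are obsolete and should never be offered;
    # allow only TLS 1.2 and 1.3 and modern forward-secret cipher suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Tell returning browsers to use https for this site for the next year,
    # so even a typed-in http:// address never leaves the machine unencrypted.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

After reloading nginx, `curl -I http://example.com/` should return a `301` pointing at the https address, and `curl -I https://example.com/` should return `200` with the `Strict-Transport-Security` header. TLSv1.3 in `ssl_protocols` requires nginx built against OpenSSL 1.1.1 or newer; on older installs drop it and keep TLSv1.2.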
As the saying goes, a chain is only as strong as its weakest link, and with IT security, people are often the (overlooked) weakest link.
All technical precautions are invalidated when Keith from accounting uses the same password for work and a games website that gets hacked. There are less obvious considerations too – making sure bosses don’t simply send emails instructing staff to make payments, as this makes the company vulnerable to fraud by impersonation: an attacker who can forge or hijack the boss’s email address gets the money sent to them. Staff need training to recognise a suspicious email attachment even if the sender appears familiar. Bosses need to follow authorisation rules and lead by example!
A comprehensive written data security policy is essential, and it must be communicated to, and understood by, all employees.
If I’ve done my job right, you should by now appreciate the criticality of IT security to your small business, but be relieved that there is lots you can proactively do about it. The other key point to bear in mind is that you need to take a holistic approach to IT security – it’s no use implementing comprehensive security measures in one part of your network while there are gaping holes elsewhere. Consequently, it makes sense to consult an expert to check that your end-to-end security is as tight as it can be. Control Esc offers the UK Government Cyber Essentials security certification free to all new and renewing full cover ‘All Inclusive’ clients. This offer includes a free Cyber Insurance policy worth £300.00 to help cover the costs of a security breach, and the certification lets you tender for the many government contracts that require it. It also demonstrates company and board level commitment to security to customers and regulators.
Give Control Esc a call on 02071003650 to arrange an IT security review – it is free with a renewal or new contract, and is much, much easier than dealing with the aftermath of a security breach!