Andy Hunter, Technical Director, ITPS

Member Article

Cyber-security - sure you’ve got it covered?

Cyber-crime is hitting the headlines with increasing regularity, and the Government’s latest Information Security Breaches Survey shows that 90% of large organisations and 74% of SMEs reported they had suffered an information security breach in the last year.

The average cost is reported as £1.46 million for big businesses and £310,800 for SMEs, and the EU regulations coming into force in 2018 will only add to the pain, with fines of up to €20m or 4% of turnover for security breaches that compromise customer data.

The latest figures are particularly worrying for SMEs. Despite experts warning that they are now the preferred target for cyber-criminals, far too many of them are still adopting a head in the sand approach and hoping it won’t happen to them.

Hackers often go after small businesses on the basis that they are likely to be soft targets and may lead the hackers to bigger fish via their contacts.

However big your business, you need a secure IT infrastructure, together with a well-thought-out backup strategy and a disaster recovery plan that is tested regularly.

A staggering 80% of breaches can be foiled through basic precautions. These range from having policies in place around mobile working, the acceptable use of personal devices such as phones, tablets and mobile storage media, and the downloading of files, through to using common sense before clicking on email links, even if they look as if they are from a friend or colleague.

Typical attacks carried out by hackers include:

Distributed denial of service – hackers overwhelm a company’s website with huge amounts of traffic from an army of compromised machines (a botnet) until it crashes. For an internet-based business, this can be disastrous.

Ransomware – a malicious piece of code is introduced into the system, which encrypts the data and paralyses the infrastructure so that hackers can blackmail the company into paying for the decryption key.

Hack attack – hackers gain access to the company’s infrastructure, often through an email containing a hidden piece of code, to allow them to harvest sensitive data such as credit card information and passwords.

Watering-hole attacks – hackers place malware on low-security websites where lots of users gather, such as chat forums. Users then pick up the infection and pass it on, often to company networks the next time they log in.

The UK Government is embarking on a big review of cyber-security and we were recently invited to a round table discussion on the draft Investigatory Powers Bill, chaired by Baroness Shields, Minister for Internet Safety and Security. The new bill will be the result of high level reports into how we strengthen security without compromising the right to privacy.

Part of the meeting was spent debunking myths around the proposal to regulate the surveillance powers of the police, intelligence agencies and public sector bodies, dubbed a Snooper’s Charter by some. For instance, there will be no ban on encryption, communications service providers will not be forced to keep historical records of all the data they handle, and access to data will only be given in extreme situations, and then only with proper authority and strict oversight.

I can understand concerns over privacy, but at the same time we have a collective responsibility to protect the UK, its people and its businesses. A current and very public stand-off between the FBI and Apple is a typical example of the delicate balancing act required.

As part of its investigation into the San Bernardino incident, where 14 people were shot dead by a couple who the FBI believe may have terrorist links, the agency has asked Apple to make a new version of the iPhone operating system that circumvents its security features, and to install it on an iPhone belonging to one of the perpetrators of the attack.

Apple say this software does not currently exist (although rumours circulating in tech circles suggest otherwise), and that in the wrong hands it would allow anyone in possession of it to unlock any iPhone. The FBI argues that use of the software would be limited to this case; Apple counters that it is not possible to guarantee such control, and that it would be the real-world equivalent of a master key that could open millions of locks, from the personal to the professional.

The FBI went to court to try to force Apple to comply, but when Apple CEO Tim Cook dug in his heels, saying this would set a grave legal precedent, the FBI brought in another company to unlock the phone.

The situation raises interesting questions as cyber-crime as a service (CaaS) continues to transform itself from ‘boys in bedrooms’ into a big industry in its own right, with thousands of IT systems compromised every day.

As security attacks increase in their complexity, businesses need to wake up to the threats and make sure they can meet the challenges. Are you confident you have taken all the necessary precautions to minimise the threat to your business?

Whilst we won’t completely eradicate cyber-crime, and there is no magic-bullet solution, my advice is to get the right expert partner alongside you to help you assess the changing threat landscape and put measures in place to protect your organisation from those who wish it harm.

This was posted in Bdaily's Members' News section by ITPS Ltd.