Today’s business environment relies on digital technology to function. This brings great opportunity as well as risk. Business is undertaken more effectively and efficiently, but information flows can be intercepted and compromised. Whilst online crime has often been viewed as an issue facing larger businesses, smaller organisations are increasingly coming into focus as the next soft target (with their intellectual property and customer and payment databases).
According to the latest 2013 Information Security Breaches survey, 87% of small businesses have reported a security breach this year (up from 76% a year ago). The average cost to a small business of its worst security breach of the year is estimated to be between £35,000 and £65,000.
However, by following a number of basic steps, organisations can significantly improve their online security and help safeguard their most important assets and trading relationships. Implementing a full Information Security Management System is best – but ‘doing the basics’ is a good place to start and can improve your chances of avoiding a compromise by up to 80%.
These 10 steps mirror and build on the ‘10 Steps to cyber security’ issued by BIS (Department for Business, Innovation & Skills) aimed at larger organisations and available here.
The recommended 10 steps are as outlined below:
1. Allocate responsibilities and identify your key information assets
As with any business activity, in computer security it’s crucial to identify what must be done and who will do it. Overall responsibility should rest with a senior manager who has a broad view of all the risks and how to tackle them.
Management should identify the information and technology that is really vital to the business and where the big risks lie – and then take steps to safeguard them.
2. Protect your computers and your network
Malicious activity could come from outside or inside your business.
Attacks from outside, for example by trouble-making hackers or competitors, can be largely repelled by installing a firewall. It can also be used to manage your staff’s internet activity, for instance by blocking access to chat sites where employees might encounter security risks.
3. Keep your computers up to date
It’s essential to keep all your computers up to date with the latest patches. Normally, they can be downloaded and installed automatically.
Remember that just one vulnerable computer puts all the others at risk. It’s important to ensure that all available patches are applied to all of them.
4. Control employee access to computers and documents
Although your computers should be guarded by a firewall, you should still protect user accounts and sensitive documents with passwords.
Passwords should be difficult to guess but memorable, and never written down. Ideally, ensure that passwords include a combination of upper- and lower-case letters, numbers and symbols and require employees to change passwords regularly.
5. Protect against viruses
Malicious software (or ‘malware’) may not always be as devastating as the headlines suggest, but it can still slow down your systems dramatically, and passing it on to customers will win you no friends.
Fortunately, there is plenty of protection available. Your computers may have been sold with anti-virus software (the generic term, although most products also protect against other kinds of malware). If not, you can easily buy it.
6. Extend security beyond the office
Today’s employees often work from home or on the road and use their own laptops, mobile phones, tablets and so on.
It is difficult to apply the same level of security to these situations and devices as you can to office computers. However, you can reduce risk by requiring that any personal equipment used for work is approved. At a minimum, it should have anti-virus software and password protection.
7. Don’t forget disks and drives
Removable disks and drives such as DVDs and USB sticks pose security risks in two ways. They can introduce malware into your computers, and they can be mislaid when containing sensitive information.
Ensure that as far as possible, only disks and drives owned by your business are used with your computers. Discourage employees from using them in third parties’ computers (e.g. in Internet cafes), and set up anti-malware software to scan them whenever they are used in the office.
8. Plan for the worst
No system is 100% secure, so it’s worth planning what you’d do if things went badly wrong.
Establish how you will know that there’s a problem. You shouldn’t have to wait for computers to go down; your firewall or anti-virus software, for example, may provide advance warning that something unusual is going on. Your plan can be laid out in a document and delivered in training sessions.
9. Educate your team
Tell everyone in the business why security matters, and how they can help, using training sessions and written policy documents. This will encourage them to follow practices such as regular password changes.
There are non-technical risks, too. One is ‘social engineering’, where hackers try to trick employees into revealing technical details that make your computers vulnerable.
10. Keep records - and test your security
Security is an ongoing process, not a one-off fix. So it’s important to keep clear records.
Good record-keeping will also help you regularly test all your security measures and ensure that you have functioning, up-to-date software. Any business is only as secure as its weakest link, and testing will make sure that no weaknesses are overlooked.
The IT Faculty will be publishing a fuller version of these 10 steps later in the year. More resources can be found on the Faculty website at icaew.com/cyber.
Richard Anning FCA is head of the ICAEW IT Faculty