In the last few years cyber-security has become an increasingly significant issue because of how interconnected businesses now are. Nowadays, most companies are connected to a complicated network comprising various mobile and cloud connections. This, coupled with the increasing popularity of employees working from their own unsecured devices on a business’s network, has increased the number of weak spots along the communication chain.
The problem with this interconnectivity is that businesses are now at increased risk from sophisticated hackers, software bugs and viruses that search out these weak spots and wreak havoc for businesses of all sizes.
Unfortunately, it seems that these sorts of attacks are becoming more and more commonplace – as many as eight in ten of the UK’s biggest companies have suffered a serious cyber-attack, costing the UK economy tens of millions of pounds annually.
And it is not just larger companies that are at risk – according to new research commissioned by the Government’s Cyber Streetwise Campaign, SMEs are putting a third of their revenue at risk because they are downplaying the threat of cyber-attacks, leaving them exposed and vulnerable.
A common misconception amongst businesses is that cyber-thieves are only interested in money. However, in reality, rich data also makes a business an attractive target. Businesses that hold a large amount of customer data are also vulnerable. Take for example the recent case of Ashley Madison, whose customers’ confidential information was leaked for the world to see. The devastating effects that this data leak has had on people’s lives, as well as on the business, serve as a stark warning of what can happen when a business is targeted.
There are a number of preventative measures that SMEs can take to minimise the risk of an attack, such as setting strong passwords, not giving passwords away to third parties, deleting any suspicious emails, and ensuring the most up-to-date anti-virus software is always installed. Setting aside budget to appoint an experienced web manager is another advised way to protect against attack.
Businesses should also be very careful about what information is put into the public domain, as this will all make up the digital footprint of a company. Essentially, any information a business wouldn’t want in the public eye shouldn’t be added to its digital footprint.
However, even when a business has done everything it can to protect against an attack, it can still face security threats. The points below illustrate what can be done in this scenario to minimise panic and reduce the damage.
Identify the origin
It is important to determine whether the attack came from an internal or external source. A current employee with an axe to grind could be responsible, or alternatively it could have come from a completely external perpetrator. However, it is worth noting that often cyber-attackers are never discovered, as their sophisticated software can ensure their movements are untraceable.
Assess the damage
It is important to determine as quickly and as calmly as possible the full extent of the damage. Businesses can call in the expertise of I.T. specialists to determine exactly what has been taken and the full extent of the problem. Sometimes, the situation is not as severe as first thought and a solution may be able to be found quickly, as long as it is handled calmly.
Call a specialist
If the damage assessment shows a considerable security breach then it is wise to call in the expertise of a specialist. Speaking to insurers and enlisting the help of a legal professional will help determine whether the business is covered and can be fully compensated for its losses. Unfortunately, depending on the individual case and circumstances it might be difficult to make a claim – especially if the business has knowingly given out passwords and it has turned out that someone given this data is responsible for the crime.
Remove shared content
If information has been shared on social media sites such as Facebook or Twitter then it is within the civil rights of the business to request that this be immediately taken down.
Depending on the severity of the situation, it might be appropriate to inform the authorities of what has happened. The Information Commissioner’s Office (ICO) are responsible for the enforcement of the Data Protection Act 1998, so they will be able to offer help and guidance if the attack isn’t down to negligence on the part of the business.
Even in the midst of a crisis, it is important that a business handles the situation in a calm and considered manner as this is essential for managing the reputation of the brand. One of the main issues facing a business after a major attack is maintaining the customer’s confidence, and so keeping them informed and tackling any of their concerns should be a high priority.
Learn from mistakes
Businesses should put in place an action plan in response to the attack to ensure it doesn’t happen again. It is important to take the time to learn from the attack and ensure security measures are continually evolving to correspond with any changes in legislation. A full audit of a business’s security policies will also help identify any holes in the current security practices and will help to identify any areas for improvement.
The aftermath of a major attack can really test the resilience of a business; however, by protecting the reputation of the company and confronting the problem with a calm head, damage can be kept to a minimum.