Here’s what you need to know
Yet another cyber-attack has hit the headlines and the Petya ransomware virus is spreading through computer networks around the world as we speak. It’s already hit firms across the UK, Spain, Germany, the Netherlands, Israel and the US, shutting down computers and demanding $300 to unlock them. Experts say the virus operates in much the same way as the WannaCry attack that took down the NHS last month, exploiting the same Microsoft Windows vulnerability.
The full details of Petya are being investigated, but incidents like this are becoming all too familiar, and countless organisations are still failing to take their cyber responsibilities seriously until it’s too late.
It just takes one weak link for hackers to gain access, whether that's a default password or a failure to install a software patch, as was the case with WannaCry and Petya. The problem is often that organisations have the right processes, procedures and guidelines in place; they just aren't enforcing them well enough, or engaging employees in why they're important.
To be effective, cyber security can’t just be left to the IT department, but must be the responsibility of the whole organisation. It has to be baked into everything you do, from systems, processes and procedures, to employee culture and leadership. So how can you make this happen?
1. Top-down cyber security: Gone are the days when cyber security can be left to the IT person to deal with. Technology is now so integral to how businesses operate that cyber is an executive-level issue and must be treated as such. There's no point expecting employees to get on board with cyber hygiene if the CEO is still using his default password. The management team must lead by example, while working together to ensure the message is communicated effectively across the whole business.
2. Strategic risk management: Cyber security can be expensive, so rather than just throwing money at the issue, look at it strategically. Analyse the most important and sensitive information and data held by your business and pinpoint the areas where the impact and fallout of a breach would be highest. This enables you to focus your spending and efforts on protecting those high-risk areas, while ensuring you're fighting the biggest dangers in the right way.
3. Hire specialist expertise: With cyber criminals becoming more sophisticated all the time, keeping up with the evolving threats is almost impossible unless you have a security specialist to help you. While taking on a full-time expert might be unrealistic for start-ups and SMEs, we're seeing more companies hiring information security consultants to advise them on the best approach to keeping their data safe and staying prepared for an attack. This person should have direct access to the senior leadership team to ensure their advice permeates across the whole organisation.
4. Build cyber security in from the ground up: It's much harder to build cyber security into your technology, systems and processes retroactively, so if you're an early-stage business, start as you mean to go on. That means incorporating security considerations into your mission and vision statements and your internal company values, and making it a key element in any outside briefs and contracts. You can also include security as an element in job descriptions, employee contracts and progress reviews.
5. Encourage a positive cyber security culture: Effective leadership is a good start, but there are other steps you can take to achieve buy-in from employees. For example, make the first Friday of every month Cyber Awareness Day, when employees and management get together to discuss what they are doing, and should be doing, to make the business secure. This could also be the day that everybody changes their password, to minimise vulnerabilities. Or consider creating a team of cyber advocates, with responsibility for championing the issue on a day-to-day basis.
6. Communication, training and development: Your communication should begin with a cyber security policy, outlining key processes and procedures, what staff should and shouldn't do, and the potential repercussions if the guidelines aren't followed. Cyber training is another area that is often overlooked: a recent Government survey found that only 20 per cent of businesses have ever given staff some kind of cyber security training. While it might sound dull, it doesn't have to be. Try to be creative about how you do it, by organising quizzes and events and by learning from examples of recent attacks.
Unfortunately, cyber security isn’t something you can do once and forget about for another year or two. With every new online tool, device, piece of software, or employee, cyber criminals have another door through which to access your systems and steal your data. Only a proactive approach to security will keep them out. It’s time for cyber security to come out of the back room and into the heart of the business.