The recent malware attack on the NHS was a timely reminder of what can happen if an organisation is not adequately prepared for cyber security threats. In the largest scale attack of its kind in history, the attackers used ransomware, which blocks access to data and then demands payment of a ransom in order to have it returned.
With over 50 data records stolen every second worldwide, no one is safe – and companies are falling prey to cyber attacks at an alarming rate. Normally an organisation will seriously step up its security measures after a breach, but needless to say, this ‘after the horse has bolted’ approach is almost invariably too little, too late. So why is this allowed to happen, and how can organisations stay safe while maintaining a balance between cost and protection?
Why we don’t take precautions
It’s simply human nature to think of threatening events as remote, and the kind of thing that will always happen to someone else. We naturally hope for the best, and in a sense cyber security threats are invisible. Also, many businesses have little spare cash to spend on what they see as a nice-to-have expense, so leaving things to chance often seems like a risk worth taking. Another problem is that it’s very hard for business owners who are not IT literate to make a judgement call on the level of protection needed.
Risk versus cost
IT security is essentially an exercise in risk management. It’s a bit like taking out home insurance – it might be a waste of money if nothing ever gets lost, stolen or broken, but if the worst does happen, you’ll be glad you had measures in place to protect yourself. Deciding whether to spend more to reduce the likelihood of an attack, or to save money and accept a higher risk, is tricky, and if you’re not an IT expert it can be impossible to know which types of protection you actually need.
With cyber attacks becoming increasingly common, it’s no longer really an option to go without IT security, and with the EU’s General Data Protection Regulation (GDPR) coming into force, certain data protection measures will become legal requirements. With a limited data security budget, how do you spend your money wisely?
Know what to watch out for
In order to make a balanced judgement, you need to be aware of which threats you’re most at risk from and how to deal with them. This will vary from one company to the next, but knowing which types of attack are most likely to occur is a useful starting point. The three most common threats leading to data loss are malware (accounting for 24% of attacks), phishing attacks and accidental leaks by staff (contributing a further 10% each). The most common other threats are password attacks, ransomware and denial of service attacks.
Get it right
With the right approach, you can identify where you’re most at risk and put only the necessary protection in place to keep your systems and data secure without breaking the bank. If you don’t know a lot about cyber security this can seem daunting, but following a few basic principles can help.
While a firewall is important, it doesn’t constitute full protection. A good starting point is to have an accurate inventory of all your IT assets – this will tell you what you’re protecting and why it’s so valuable and important to keep safe. Installing antivirus software and checking regularly that it is up to date is another simple way to protect yourself from many of the most common threats.
Password breaches, whether caused by insecure passwords, staff accidentally giving their passwords away or a password attack (where hackers try different password combinations until one works), can be avoided with a strong password policy. Part of this involves training your employees on safe practices – this is something that is often overlooked. Limiting administrative access to certain networks or systems is another good way to make sure that files and programmes don’t fall into the wrong hands and that your security isn’t accidentally compromised.
Seek professional help
The tips above, while helpful, are probably not enough to keep you fully protected from all threats. The level of protection you require will vary depending on what your company does, what kind of data and systems you have, and any legal requirements that exist for your sector. To be fully secure, you really need to consult a security expert to figure out your level and areas of risk, and provide a solution to match these. A good IT security provider will offer a fair and realistic threat assessment and be able to implement the required protection.
If you don’t address your vulnerability to cyber attack, you’re likely to be taken advantage of sooner or later. This is not something that should be left to chance – and if you do fall victim to cyber criminals, it’ll almost certainly be too late to save your business, so putting measures in place now is simply the wisest choice.