An FD’s guide to cyber security

Few business disasters deliver legal, financial and reputational damage quicker than a breach of your organisation’s cyber security.

Businesses as big as Sony and as small as independent contractors are targeted every day and the average cost of a breach is well into six figures, costing the UK economy £27bn every year.

In 2016, a topic that may seem like a purely IT issue is very much now in the FDs domain. With that in mind, here’s what you need to know about keeping your organisation protected.

Your data is a valuable asset

Most companies have a good understanding of the pounds and pence value of their stock, machinery, property and vehicles, but many don’t take into account the value of the information sitting on their systems.

Information such as financial data, personnel data, intellectual property and commercially sensitive items all add value to your business and would be costly to replace. As with any other asset, your data should be protected, accessible only to those that need it, and with vetting and signed contracts in place where external organisations have access.

You have a legal requirement to keep your systems safe

Valuable data can be costly to replace. Having it fall into the wrong hands and seen by the wrong sets of eyes can be embarrassing and hurt confidence in your brand.

And while that’s all painful enough, few organisations realise that keeping customer data safe from cyber attacks is set to be written into EU law, with mandatory disclosures of data leaks and sizeable fines for careless companies.

Even if and when the Brexit comes to completion, UK law will almost certainly follow, meaning that falling victim to cyber attacks will add a legal aspect to a financial and reputational disaster.

Most hackers are invited in by employees

It comes as a surprise to many that most victims of cyber crime were not defeated by highly skilled computer programmers, but simply staff handing over sensitive information to the wrong people.

Human error is the biggest cause of cyber security breaches, from staff clicking dodgy links in emails to giving out too much information over the phone. The most secure system on the market will become vulnerable if the password isn’t kept a secret.

And lapses in judgement aren’t solely the domain of entry-level staff, as senior management are often just as culpable.

There’s a theory that a clipboard and a hi-viz jacket is enough to gain you access to most buildings. In cyber crime, you don’t even need the jacket, just to ask the right questions of the right member of staff.

To counter this, devise a system that limits access to data only to those that need it. Employ a policy of using strong passwords (and not writing those passwords on a post-it note stuck to a monitor) and training staff in how to spot scams and understand the importance of keeping data safe.

You can and should insure against cyber attacks

All companies are vulnerable to cyber attacks. If Sony can fall victim, then no organisation is too big. And for those that think they’re too small, all it takes is one disgruntled former employee or vindictive competitor.

It’s vital to ensure that your insurance covers you specifically in the event of a cyber attack. This relates back to accurately assessing the value of your data, how it’s stored and who has access.

In the first instance, you’ll need to comply with your insurer’s terms relating to cyber security to ensure you can make a claim if a breach does occur. For those heavily reliant on IT systems or with large data stores, there are specialist cyber security insurances which can provide bespoke cover and help with recovery.

Talking with your insurance company about cyber risk will also give you the opportunity to lower your premiums by putting in place safer systems that meet their standards.

There’s plenty you can do

Cyber crime is the biggest cause of business disruption in the UK, and you never when you might be hit or where the attack may come from.

It all sounds a bit grim, but there is plenty you can do to protect your business. We’ve discussed training staff to understand the importance of protecting data, and management has a role, too.

Use the latest security software on your systems, and keep all of your software up to date. Often, when a new version is released, it’s to close a security loophole, so it pays to keep on top of updates.

If you’re working with particularly sensitive information, consider this when undertaking due diligence on new recruits, minimising the risk when allowing new recruits access to valuable data.

The UK government has acknowledged the risk cyber crime poses and has introduced the Cyber Essentials training scheme to aid businesses. Investing in this training for your staff could prove invaluable in securing your organisation’s defences.