It seems like barely a day goes by without a new cybersecurity breach hitting the news. That’s not just some vague notion, either. The risks are very real.
That’s why this year’s Global Risk Report by the World Economic Forum listed cybersecurity attacks as the top threat to the global economy in 2018, alongside climate change. It’s a sign of the times: In 2016, companies revealed breaches of more than 4 billion data records – more than the previous two years combined.
And cyber security doesn’t only affect large corporations. Last year, a Government report found that nearly half of all UK businesses had suffered a cyber breach or attack in the previous 12 months. For small businesses, the stakes are actually higher: the report found that one in five small businesses took a day or more to recover from their most disruptive breach.
So what can businesses do to insulate themselves from cyber security threats?
We sat down with Steven Forrest, Vistage member and CEO of Forfusion, specialists in cyber security, to learn more.
What are the biggest challenges facing SMEs when it comes to cybersecurity?
Steven Forrest: One of the biggest challenges that we see, and this is feedback we get from customers, is how hard it is to identify the real threats. Businesses don't really know what constitutes a threat and whether it's going to affect them. Moreover, they don’t understand the implications.
Businesses don't have the required experience in physical security, ransomware, or anti-malware. And beyond technology, businesses often forget that cybersecurity begins in the real world with people and processes.
Should this be someone's role within the business? Is there a person that should take control of mitigating risks?
SF: Yes, there needs to be somebody who takes responsibility for developing policies for making the organisation aware of potential risks, and implementing the necessary measures to mitigate those risks. Typically, this person would be senior enough to enact change; preferably an accountable individual acting as a Senior Risk Officer (or SRO). I’ve personally seen large companies with Security Managers or similar, where they have no authority and are seen as an impediment to doing business, rather than someone who is trying to protect the business. They end up being ignored, and are often used as scapegoats when things go wrong.
That person should also deal with any third party security providers. If I think about my own business, for example, we use specialist departments within law firms, and we use experienced, multi-disciplined accountants. We rely on external specialists; it just wouldn't be wise for us to try and invest in such specialists and add to our payroll, but it doesn't mean to say we wouldn’t and shouldn't have an appropriate person to provide an interface between each of the businesses we deal with.
Technology is obviously a huge help to SMEs, but the rate of change and proliferation of new technologies is a challenge too. What’s your advice for businesses who want to keep up, but are overawed?
SF: The challenge with security is that you have to constantly tinker and make provisions to protect the business. A qualified individual within the business is important, but responsibility can’t just rest with them. If several touch points don’t exist across all aspects of people, process and technology, and access isn’t available to market-leading security vendors, it’s not possible to have the necessary information on which to act.
One thing we try to do with our customers is have them think about cyber and information security as a selling point. I.e., if an organisation has laid the foundations by going through a Cyber Essentials course and associated examinations, it's a really good selling point, and something that should be promoted to customers.
SF: For mid-market customers and above, we would normally recommend adhering to a good cyber security framework, such as the NIST Cybersecurity Framework; it’s technology neutral, and can be applied to new technologies and new risks. Making ad-hoc responses to ever-changing risks is not sustainable or effective in managing cybersecurity. Strong, established governance with sponsorship from senior management is required, so that the resulting policies and processes can be applied fully and properly.
So, you're talking about setting up a security policy in-house. What does that look like?
SF: This has reared its head, really, because of the impending GDPR legislation. It's very common, for example, for a lawyer to go and speak to businesses about GDPR. That's fantastic from a legislation standpoint, but it doesn't really give an organisation a clear understanding of what to do in practical terms. That is, what policies or procedures they need to implement, or what they need to do with technology to improve their security posture.
That’s where there's real value in having somebody that does have knowledge on the inside, as a full-time employee working for a business. These days, it's almost a full-time job for somebody to track changes and enforce updates and continually track developments in the outside world. It's an iterative process that continually needs attention and house-keeping that must be undertaken.
How well-prepared is the UK to tackle cybercrime, in your opinion?
SF: Unfortunately, the vast majority of organisations are not prepared. GDPR is a good point of reference. The deadline is May this year, but the vast majority of organisations may not have started making changes to meet this legislation head-on.
The problem is, there are some organisations out there that have been hacked, and they're still reluctant to make provision afterwards. They think, for some reason, that they won't be targeted again.
If you consider the various attack vectors and ways that these awful individuals target organisations, they're automated attacks. A victim could be anybody that accesses the Internet. It doesn't have to be the IBMs or the BTs or the Microsofts of the world. It could be an organisation that's generating £50,000 a year selling professional services.
What are the main types of security breaches that you see? Is it as simple as phishing emails? Or is it deeper than that?
SF: Yes, email scams are very, very common, and they're one of the easiest ways to access a network. They're sometimes quite difficult to avoid. More recently we’ve seen an increase in ransomware. It’s perhaps one of the most prolific forms of malware, as it provides the cyber-criminal with so much money, often in the millions per day. Ransomware is automated and, importantly, it does not discriminate as to who it targets.
Much of what is going on, including hacks and all the other bad stuff we hear about, could quite easily be avoided if workforces were educated appropriately and understood the risks. What to do, what not to do, what email attachments to click on and to open, when and how to report issues, as well as concepts like malware and ransomware.
What does that education look like?
SF: It can be very basic. It can be a simple short course. It can be an email, it can be video on demand, it can be a responsible party holding workshops and making people aware of the risks.
It’s not just a case of showing people. That won’t necessarily teach them how to keep themselves safe, it’s always better to make any teaching or learning activity interactive. It makes it real and engaging.
This information is readily available and it could be as straightforward as what communications to open, what not to open; checking URLs, checking embedded URLs. How to identify and spot perhaps behaviour or communication outside the norm. Without going through this education, a lot of people simply won't be aware.
If a business is compromised, what should they do? What are the steps?
SF: It’s an end-to-end process. There are definitely processes that should be followed in the event of a breach, but we need to look at processes way ahead of that, because we don't really want that to happen. A typical example of a process would be defining five steps to achieving protection within an organisation.
The first step could be to engage a third party or to employ someone with suitable skills. The next step could be sit foundational courses and get a tick in the box. Consider Cyber Essentials and Cyber Essentials Plus, for example. The next step in the process may be identifying very robust security policies, which will cover all manner of things. It can just be a few simple steps or it can contain hundreds of complicated steps.
We talk a lot about the risks of cyber security, but would you say there are opportunities, too?
SF: A lot of people are forced to react due to the nature and the tone of blogs and posts and news that they read on social media. Organisations need to be more aware about what they react to. Rather than react to threats and what we call ambulance chasing, they should actually look at it from a positive standpoint.
It's not all about risk. It's not all about worry. It's not all about putting people under pressure. It's actually about encouraging organisations to do the right thing for their business and for their customers. If they take that approach, they'll find that they're able to cut through the noise and make the right decisions, rather than make decisions as a result of threats.
Thanks, Steven, for talking to us.