In recent months, there have been a series of cyber-attacks impacting businesses globally. The latest threat from a variant of an earlier virus called Petya has taken down systems from companies around the world, costing an estimated $400 billion a year.
The malicious program demanded a payment, known as ransomware, to unlock files it scrambled on infected machines. Security experts, including Microsoft, Cisco and Symantec, said that they all have evidence that the malware was spread via an update to the tax software program MeDoc, popular in the Ukraine.
The UK Government’s National Security Strategy has stated that the threat from cyber-attacks from both organised crime and foreign intelligence agencies was one of the “most significant risks to UK interests”. The Information Commissioner’s Office (ICO) has indicated that small businesses who do not take precautionary action will be fined. In the notification, Sally Anne Poole, ICO enforcement manager, said:
‘If a company is subject to a cyber-attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.’
In the World Economic Forum, BT and KPMG report, “Taking the offensive- working together to disrupt digital crime” it is stated:
- Every year digital crime costs the world approximately $400 billion
- 97% of companies have been the victim of a digital attack
- Half of businesses do not have a strategy to deal with digital crime, including blackmail and bribery
- 55% of businesses have seen an increase in cyber attacks
- Only 22% are fully prepared to deal with incidents in the future
- 73% say digital security is on the board agenda
Source: World Economic Forum, BT and KPMG: Taking the offensive- working together to disrupt digital crime
How does the ransomware spread?
This type of malware can evade digital defences by abusing remote Windows administration tools to spread quickly across internal company computer networks. Typically, ransomware spreads via email, with the aim of fooling recipients into clicking on malware-laden files that cause a PC’s data to become scrambled before making a blackmail demand.
Four Steps to Protect Your Business
With the onset of the new General Data Protection Regulations coming into effect on 25 May 2018, it is critical for all business owners to plan their security accordingly. The steps outlined below are a good starting point to secure your business.
Step 1: Define your security policy and educate employees
Define your security policy and how you plan to protect your data and systems, as well as your response plan in the event of a cyber-attack. It is important to train your employees on the policy, something many small businesses neglect to do. A straightforward way is to set up a meeting with all new employees to explain the company’s security policy and to provide some basic training.
Your staff can pose an unexpected threat; sophisticated hackers could look to find a way into a business’s team to get information. Using contractors or temporary staff, who might not be put through such a rigorous recruitment process, is always a risk.
Authorise a team member to be responsible for dealing with attacks and to minimize the damage. Check how your suppliers and business partners are keeping your data safe. Think like a criminal and try hacking your own business to find areas of security weakness and fix.
Step 2: Watch out for urgent email
“Phishing” is the term used to describe an email, or digital message, pretending to be from a trustworthy source. For example, disguised as a senior colleague or important partner / customer, to gain confidential information. Teach employees to watch out for urgent and unexpected emails, and to delete immediately, as well as to report the source to the IT department or representative.
Step 3: Keep data private, separate and encrypted
When staff or contractors have been with a company for a long time and change departments, it is common for the employee to retain their data access permissions across several areas of the business, resulting in your employees having more permissions than necessary.
Make sure to map out your data sets, such that your most sensitive, customer centric information is protected deep beneath layers of security, hidden even from your employees.
Encryption software could be used to convert data and information into code to prevent unauthorised access when the business is sending, receiving and storing valuable information. Encryption software is readily available online and in stores.
Step 4: Password protection, the basics must be in place
Make sure passwords are strong and long. One of the most commons passwords used is “password” ironically, so not the best approach to security. Introduce policies and automation to force employees to change their password routinely, at least once every four months.