Nearly half of all cyber-breaches stem from criminal or malicious attacks, with an average cost to victims of $4 million, according to an IBM study on data breaches.
In recent years, flexible working practices have become ever more popular, and as a result the workplace as we know it is changing. We now work in different countries; we work while travelling in trains, planes, and automobiles. Some of us even work while on holiday.
Whilst embracing remote working, directors must be aware of the cyber-security risk this poses. When out of the office, employees are often using phones or tablets that are not company-supplied. The danger here is that unprotected devices can be lost or stolen with company information and emails on them. What’s more, out-of-date operating systems and the use of public internet make mobile devices vulnerable to hacking.
Here we take a look at what the dangers are, and the steps directors should be taking to prevent cyber-attacks.
Know what is at stake
It is important for board members, CEOs and directors to know the risks of cyber-attacks in order to implement proper prevention methods across the business.
In 2016, 90% of corporate directors reported that cyber-security risks were routinely covered in board meetings, according to the NACD’s Director's Handbook on Cyber-Risk Oversight.
This is undoubtedly down to news coverage of major cyber-attacks, from US retail giant Target having customer data compromised, right through to major geopolitical events such as the fallout from the WikiLeaks data trove.
In 2015, UK internet service company TalkTalk had security weaknesses exposed by a teenage hacker. This cyber-attack cost the company more than 100,000 customers and £60 million, according to The Guardian.
Cyber-security experts have warned that no business or industry is considered safe from an attack; hackers will simply target the most vulnerable. A breach can begin with an employee inadvertently downloading an infected file, or through a more targeted infiltration by capable hackers who can bypass basic security measures. In many cases hackers will demand money after stealing data from a company.
The Danger of the Unknown
No alarm bells sound when online thefts occur; an average of 146 days can pass before officials realise information was compromised, according to the NACD.
Not making cyber-security a priority puts a company at unnecessary risk, and you should see it as a red flag if you believe your company is not experiencing any cyber incidents.
Known events are only the tip of the iceberg when it comes to cyber-breaches. Concerningly, in many cases a company will not know it has been attacked until it suddenly starts losing bids, or competitors release products with striking similarities.
So what can be done to prevent these attacks from becoming damaging to our businesses?
Implementing a Strong Cyber-Security Strategy
By making cyber-security a priority from the top, you should be able to take steps towards implementing a strong strategy.
Anurag Chaturvedi, who specialises in information technology risk assessment, estimates that large companies in the UAE will spend 40% to 55% more this year compared to last year on cyber-security in order to meet rising threat levels.
Start by assessing the risks to your company. Do you hold high volumes of customer data? Are staff working remotely and therefore using personal mobile devices? Are there areas of weakness across your IT systems? A detailed risk assessment will allow you to consider what best practices are for the IT at your business.
SMEs and larger companies alike will often find that risks need balancing with costs, but adequate policies should be deployed in order to detect ongoing and future attacks. Board members and those at the top of companies should concentrate on protecting the most valuable data, or the “crown jewels” of the company.
Once you have completed a risk assessment tailored to your company, you should consider whether you have the technical expertise in house, or whether you need to bring someone on board, or have a consultant on hand.
Because no one is immune to cyber-attacks, you should have board-approved plans and policies for how to react and minimise the damage if the company does get breached.
Once plans and policies are in place you should ensure contextual indicators are reported on. For example, how many threats to the network were detected in a given month; whether any breaches occurred; the cost of those breaches; and how your company has responded to threats and managed and maintained its networks.
Minimise Risky Cyber Practices
The entire responsibility for cyber-security should not fall at the feet of those at the top and any third-party tech expertise. Each and every member of staff should be encouraged to protect company data. Here are some practices you can implement:
- Secure passwords - encourage employees to make their passwords as secure as possible. A good password should include uppercase and lowercase characters, symbols and numbers, and the same password should not be used multiple times.
- Keep devices locked - locking devices when not in use is essential when working remotely, but is also important in the office setting where there is any risk of outsiders gaining access to your tech. Devices should always be passcode or fingerprint protected when locked too.
- Keep operating systems up to date - A phone or tablet with an out-of-date operating system is more vulnerable to hacking.
- Avoid using public Wi-Fi - unsecured networks pose risks. For best protection, turn off Wi-Fi in your phone’s settings when working remotely.
More than ever, staff are working remotely. If it is not realistically achievable for your business to roll out company phones or tablets for these staff, you should encourage them to use their work laptop whenever possible when working on the go. Failing that, encourage employees to allow the IT department to access their devices. This way, the IT department can track and remotely erase a device if it is lost or stolen.
All businesses should be making cyber and mobile security a top priority. Cyber-security policies should align with governance, overall risk management, and the company's business planning and overall strategy.
Data theft could jeopardise pending mergers and acquisitions or create a public relations nightmare. With money and reputation at stake, cyber-security needs to be made a company-wide priority from the top.