Protecting your business: key measures to reduce the risk of a cyber security breach

How to reduce the risk of a cyber security breach – key measures for your business

Upload: lucas-fettes-partners

Post on 15-Apr-2017



Cyber security: protecting your organisation

The risk of a cyber attack is growing, and 74% of small businesses in the UK have experienced a cyber security breach, up from 60% the year before.

The cost of a security breach is considerable, with the Government’s 2015 Information Security Breaches Survey (conducted by PWC) revealing that the cost for SMEs is between £75,000 and £311,000. It can result in a business being out of action for up to 10 days, and the firms surveyed estimated that it could account for a loss of a third of their annual income.

We look at the key measures that can help reduce the risk of a cyber crime or cyber security breach for your business.


Be prepared

Cyber risk is not just a matter for the IT department, but for the entire organisation. It is essential to identify the risks specific to your organisation, and introduce an Information Risk Management Regime.

Cyber security should therefore be part of your wider risk management strategy and business continuity planning, overseen by the Board.


Risk management

Nominate an individual to lead risk management; they do not necessarily have to work within IT – arguably, cyber risk management sits with the Compliance function – but should have sufficient knowledge of security systems such as firewalls, malware protection and anti-virus software to be able to discuss these with the Head of IT.

Internal incident response plans are essential for prompt detection and action.


Policies and guidelines

Organisations should have clear policies on Bring Your Own Device (BYOD), social media, IT acceptable use, and electronic information and communications, and should provide clear guidelines for staff.

With many employees now working remotely, assess the risks involved in home and mobile working. It is essential that all staff understand the risks of using public Wi-Fi and recognise the need for strong passwords.


Cyber security training

The Government survey revealed that, when questioned about their worst breach, half of the organisations attributed the cause to inadvertent human error – up from 31% in 2014.

This highlights the need for security training, which is now provided by 72% of large organisations and 63% of smaller ones.


Network security and malware prevention

Ensure your IT department is following recognised network design principles when configuring perimeter and internal network segments.

Filter all traffic at the network perimeter and monitor all traffic for unusual or malicious activity. Protect all host and client machines with anti-virus software that regularly scans for malware.


Insurance

According to Government research, only 39% of large organisations and 27% of small businesses have specialist insurance in place to cover them in the event of a cyber attack or cyber security breach.

Whilst existing insurance policies such as business interruption or professional indemnity insurance may provide some element of cover, specialist cyber insurance is advisable if you hold sensitive client data such as contact data or banking details. If you are dependent on IT systems to run your business, or regularly process payment card or online payments, you should consider specialist cover.


Confidential information

Confidential and personal information should be stored securely, and should only be available to those who need to access it. Employee records should be password protected, and client data must be properly safeguarded.

Limit the number of administrator accounts and ensure these types of account are not used for high-risk or day-to-day user activities. Monitor user activity, in particular the creation of new user accounts. Implementing measures such as these will enable you to identify and manage cyber risk.


Stay in touch

For more tips, news and articles visit www.lucasfettes.co.uk

Or why not keep up-to-date with all the latest news, views and comments by following @LucasFettes and our Lucas Fettes LinkedIn page?