Friday, 28 February 2020

Why you must assume your business will suffer a cyber security attack

In an ever-growing era of uncertainty, you must assume your small business will suffer a cyber security attack.

Cyber security threats and resilience

Hoping for a secure IT environment has never been a good strategy for survival or continued success, and it is certainly not one now. It’s not a matter of if your business will be the victim of a cyber attack, but when. With technology growing and changing so frequently, it’s just a matter of time before hackers and security threats start knocking at your doors.

Assume your small business can be affected by cyber security attacks – the threats and statistics speak for themselves

There have been high-profile incidents exposing data breaches at some of the largest organisations, which shows that even they are still learning and haven’t quite got it right yet. These threats are real, and when serious incidents occur, they grab the headlines.

  • Hiscox, one of the largest business insurance companies in the UK, highlighted that cyber security incidents for small businesses (those with fewer than 50 employees) rose by 11 percent in 2019, from 33 to 47 per cent. This shows that businesses connected to the internet or using online services are increasingly becoming targets for cyber criminals, so you must assume your small business will suffer a cyber security attack, too.
  • It was also highlighted that 55% of all businesses across London and the UK experienced some kind of cyber security attack in 2019, a rise of 15% on the previous year, and looking at the trends, this may be just the tip of the iceberg. Considering how widespread cyber security attacks are across the globe, it is now more important than ever that businesses include this as part of their organisation’s IT strategy.
  • Not many companies understand the scope or implications of cyber security: almost 75% of active firms were ranked as ‘novices’ in relation to cyber security readiness.

So, how can you protect your company from cyber attacks, and what five techniques could enable you to implement a resilient cyber security strategy?

Here are some of the key highlights worth considering for improved cyber security awareness and resilience:
  1. Connectivity is the foundation of all cyber security espionage
  2. Cyber security resilience and governance are crucial strategies for staying safe
  3. Make your business cyber resilient in 5 steps
  4. Create a cyber resilience strategy that is revised regularly

Connectivity is the foundation of all cyber security infiltration

The internet has revolutionised the way we communicate and do business and while in many ways it is a blessing, on the other hand, there are numerous pitfalls that are not immediately obvious.

There is a price to pay for the luxury of always-on technology that easily facilitates inter-connectivity and data-driven, digital interactions.

With the genesis of the Internet of Things (IoT), the world is heading towards a permanently connected state with little understanding of security or adequate cyber infrastructure in place. This means you have to understand how to protect your business from cyber attacks, as they can happen at any time, across any technology platform or communication medium.

To put this simply, there is now more data in more places, accessed by more apps and users, than ever before. We are in a new era of interconnected technologies used by multiple users across varying locations and timespans.

The wide-open nature of the internet easily lends itself to cyber criminals preying on unsuspecting users, giving them greater flexibility and more opportunities to sell whatever information and identity details they can steal. There are no borders to stop them, and the demand for information has somehow justified supplying it by whatever means necessary.

And this has nothing to do with the act of using ransomware to blackmail your London-based business by hijacking operations until demands for payment are met. In fact, the seriousness of the cyber security situation goes way beyond that level of sophistication.

Anyone who has suffered a computer virus attack knows the implications and the cost of recovery. Present-day cyber attacks go well beyond that, as there are now reputation, customer relations and business continuity factors at play. Fundamentally, cyber security attacks can become very expensive.

The average cost of a cyber security attack per business has risen from £176,000 in 2018 to £283,000 in 2019, an increase of 61%.

Moreover, with the introduction of the EU’s General Data Protection Regulation (GDPR), which protects any personally identifiable information your business holds, a security compromise could incur a fine of up to €20 million or up to 4% of annual turnover for any breach of data privacy.

Cyber security resilience and governance are crucial strategies for staying safe

When you’re wondering how to protect your company from cyber attacks, the answer is not just to be cyber secure but cyber resilient, too. Cyber security focuses on reducing the likelihood of a threat turning into a severe risk through a cyber attack. Cyber resilience focuses on keeping your business operational irrespective of threat levels or cyber attack strategies.

Effective business continuity is essential for protecting your company’s brand image, and disaster recovery strategies are fundamental to overcoming downtime and restoring normal operation promptly after a successful compromise of your systems.

Some industry experts are of the opinion that at least one hacking attempt will eventually get through to every business environment during its lifetime, and that the only true route to sustainability is a disaster recovery plan that ensures business continuity.

Security threats are constantly evolving into more sophisticated attacks, and many threat categories are multiplying rapidly. With technology itself growing at a similarly dynamic rate, cyber security is more like a game of cat and mouse or, better yet, a cat chasing its own tail.

Make your business cyber resilient in 5 steps

You can incorporate cyber resilience into your business by adopting a well-defined and solid IT security strategy. This increases the capability of your business to remain operational in the face of a hacking attack or other cyber threats.

1. Involve staff and company stakeholders

Having technology professionals or your own tech department does not shift the responsibility for cyber security to them alone; it must be a responsibility shared by everyone within the business.

Technology can only go so far in ensuring security measures are in place; ultimately, data security and resource usage are in the hands of those entrusted to be part of the business operation.

This means that human factors play an important role in reinforcing the cyber security process. If online safety and IT security are important for your business, then accountability should start at the top and work its way throughout the entire culture of your organisation.

Members and sub-teams should know how to protect the business from cyber attacks, and for this to be effective, training is required. Cyber security training should focus on empowering your staff with the knowledge and understanding to detect and stop the many ways hackers can get past defences and access valuable company information. An area of significant interest for staff training is understanding what email phishing looks like and how to report suspected attempts, regardless of their apparent impact, big or small.

There is also a need for cyber resilience training for the entire team, which boosts everyone’s knowledge of the business continuity processes that come into effect should there be a successful cyber compromise.

2. Protect your systems and digital assets

Being cyber resilient doesn’t happen by itself; it needs preparation and test runs. Effective cyber resilience requires a four-step approach to protect critical systems and digital assets from being impacted during a cyber security incident:

Realignment: Reduce connections between critical and non-critical systems. This increases the chance of containing a virus attack or a hacking proliferation from non-critical systems to core digital assets.

Access control: Restrict access to critical systems solely to those whose role requires it to do their jobs, and for defined timeframes.

Redundancy: Back-up critical systems with additional, yet separate protections that can be activated quickly in the event of a cyber attack.

Segmentation: Segment your network according to the importance and trustworthiness of the various resources; this is crucial to prevent data and system-wide breaches from spiralling out of control should an incident occur.

3. Develop an effective incident response plan

According to the UK government’s National Cyber Security Centre (NCSC), a cyber resilient system has four key characteristics:
  • Preparation (preventative and thorough IT security strategies)
  • Absorb (reduce the likelihood or risk of an incident or threat escalation)
  • Recover (develop and deploy a functional incident response plan)
  • Adapt (prior to and after a cyber incident, by evaluating the threat landscape).

Business leaders are normally good at SWOT analysis, and addressing cyber security will require regular assessments of the internal structures, operations and processes within your business to identify areas of weakness. Derive a thorough plan of action for each of the four characteristics in relation to their failure points.

Undertaking a cyber security incident plan is not a single-person activity; it requires active contribution from staff across business functions and teams. Being the subject matter experts in the jobs they do makes it easier to draw on historical experience for a deeper understanding of where threats are likely to occur and what remedial actions are needed.

4. Run simulations

Simulating a company-wide security incident response is an excellent strategy for understanding how the organisation will react when faced with a real cyber attack. Depending on the nature of the business and the IT environment, conducting periodic cyber attack simulations can help to highlight major pitfalls and reinforce lessons learnt.

Common practice is to have cyber resilience testing at least once or twice a year.
The free ‘Exercise in a Box’, a ready-made online tool from the NCSC, can help you walk through cyber security processes and approaches for your organisation.

5. Review, refine, refresh and adapt

Since cybersecurity threats are constantly changing in type and complexity, it is essential that your preparation and defence mechanisms adopt similar approaches.

Working with your IT security governance team can ensure that strategies are reviewed regularly and that any updates are approved to reflect your organisation’s policies and culture. There will be occasions where existing security working practices have become outdated and need to be refreshed to counteract prevailing risks and minimise the likelihood of unforeseen cyber security threats.

Most importantly, you must ensure your business continues to meet all necessary legal and regulatory obligations and auditing requirements.

Moreover, influence a culture of staff participation so your teams can help to strengthen the line of defence against cyber security threats and adapt with the evolving threat landscape.

In Conclusion…

Get your cyber resilience into shape and start protecting your business from IT security threats or cyber attacks. If IT security is not an area you are familiar with but need additional help for protection of your business and digital assets, our security experts are available to discuss your requirements.  

Wednesday, 12 February 2020

Risks and Countermeasures of Sending Personal Data by Email - What Are They?

Sending personal data via traditional email is insecure since any data travelling over the internet unencrypted can be intercepted or hacked.

Should such a scenario occur, that sensitive information can be taken and a breach is imminent. With GDPR now a major part of data security, there are regulations around the safe sending of personal data via email.

  1. What measures can be taken, and what does this mean for business data breaches?
  2. How can one adequately secure the communication of personal data?

GDPR does not prescribe specific measures for sending personal data via email, so that the regulation does not need regular updates as the law or countermeasure implementations change.
Of primary interest is Article 32, which states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

This extends to taking into account, inter alia, as appropriate:

  • (a) the pseudonymisation and encryption of personal data;
  • (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

Technical measures are left to the discretion and responsibility of the processor of the personal data.

Sending an email to one person containing only that person’s data has a different bearing from sending bulk data containing multiple persons’ data; in the latter case, more protection is required. Where it’s impracticable to use alternative means for sending large amounts of personal data, a Data Protection Impact Assessment may be required to mitigate the risks.

So what options are available as countermeasures for sending personal data via email?

  • Use a secure portal.
  • Enclose the data in an encrypted .ZIP file.

Using a secure portal

Use a portal that requires users to log in securely, thereby reducing the risk of data being intercepted by an intermediary.

Enclose the data in an encrypted .ZIP file

This approach involves enclosing the data within a password-protected ZIP file and emailing it to the recipient. Ensure the password is sent via a different communication medium, such as a messaging system (WhatsApp or SMS) or a phone call.
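Added example, not part of the original post: a Python check that a mail gateway or DLP hook could run on outgoing messages to confirm that a ZIP attachment really is encrypted, and whether with the legacy ZipCrypto scheme or AES (WinZip AE-x, signalled by compression method 99). The sample message, addresses and archive are constructed inside the block, and `mark_encrypted` only fakes the header fields for testing; real encryption must come from an archiver that supports AES.

```python
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry data is encrypted
AES_METHOD = 99          # compression-method value reserved for WinZip AES (AE-x)

def classify_zip(data: bytes) -> str:
    """Classify a ZIP blob: 'unencrypted', 'zipcrypto', 'aes', 'mixed' or 'empty'."""
    kinds = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & FLAG_ENCRYPTED:
                kinds.add("unencrypted")
            elif info.compress_type == AES_METHOD:
                kinds.add("aes")
            else:
                kinds.add("zipcrypto")  # legacy PKWARE cipher: password-protected, not strong
    if not kinds:
        return "empty"
    return kinds.pop() if len(kinds) == 1 else "mixed"

def audit_message(raw: bytes) -> list:
    """Return (filename, verdict) for each ZIP attachment of an RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/zip" or name.lower().endswith(".zip"):
            findings.append((name, classify_zip(part.get_payload(decode=True))))
    return findings

# Constructed fixtures: build a plain ZIP, then set the header fields an encrypting
# tool would set. Member data stays in clear; this is test-only, not real encryption.
def build_zip(member: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

def mark_encrypted(data: bytes, aes: bool) -> bytes:
    out = bytearray(data)
    # (signature, flags offset, method offset) for local and central directory headers
    for sig, flag_off, method_off in ((b"PK\x03\x04", 6, 8), (b"PK\x01\x02", 8, 10)):
        pos = out.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", out, pos + flag_off)[0] | FLAG_ENCRYPTED
            struct.pack_into("<H", out, pos + flag_off, flags)
            if aes:
                struct.pack_into("<H", out, pos + method_off, AES_METHOD)
            pos = out.find(sig, pos + len(sig))
    return bytes(out)

def build_sample_message(attachment: bytes) -> bytes:
    msg = EmailMessage()  # constructed addresses and body
    msg["From"], msg["To"] = "hr@example.com", "payroll@example.com"
    msg.set_content("Archive password sent separately by SMS.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename="staff.zip")
    return msg.as_bytes()
```

A gateway would reject or quarantine anything reported as unencrypted or zipcrypto and let only aes through.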

There are numerous cyber security threats, and numerous measures that can benefit a business in its effort to protect against unauthorised data access or security breaches. Each solution is different, and the implementation criteria will require an understanding of existing and future business practices, and a threat mitigation approach based on business needs, threat severity and level of exposure.

What security measures have you put in place as a solution for cyber security risk?

Monday, 3 February 2020

Voice over Internet Protocol (VoIP) is a rapidly growing technology that is now being used for unified communications across the world, and businesses are capitalising on it for added value. That said, would it be correct to say that VOIP has its own share of advantages and disadvantages when compared to traditional phone systems? In this blog, you are invited to join us as we explore the potential of voice over IP as a feasible technology for business communication and phone calls.

What is VOIP and are there Key Considerations for Small Businesses?
VOIP is a network-based service that allows users to make calls over the Internet as the primary communication medium instead of traditional phone lines. A VOIP service converts analogue signals into digital packets and routes them from source to destination using the internet as the connectivity medium.

Upon arrival at the receiving end, these packets are converted back into voice signals by a decoding engine so that humans can understand them.

Are There Identifiable Advantages of Voice Over IP for Small Businesses?

The answer is Yes! With VoIP, small businesses across the globe are able to leverage functionalities and services that were once available only to large enterprises. Among the obvious key benefits are:

Lower Costs

Small businesses with limited budgets are now able to leverage massive cost savings through the introduction of VOIP technology without breaking the bank. Also, unlike traditional PSTN telephone systems, which took a long time to install and proved overly expensive to maintain and to make calls on, VoIP introduces minimal hardware and software purchasing requirements for a similar technology experience.

Additionally, when compared to conventional phone systems, VOIP call costs are significantly lower than the monthly fees for the same call time and destination.

We've also seen scenarios where VOIP service providers offer 24/7 support to their clients, which means IT operating expenditure can now be budgeted for upfront without worrying about unexpected surprises.

Higher Scalability

Having VoIP implemented within your business doesn't mean the buck stops there. The flexibility of the service readily lends itself to growth and expansion via the quick addition of extra lines, extension numbers and licence agreement revisions. This means that start-ups and small businesses can define their technology road map and gradually scale their operations and services through a deliberate approach that aligns with the strategy of the business, instead of being wagged about by restrictive arrangements.

With this approach, a business that doesn't have a healthy budget at the outset is unlikely to overspend on technology that does not yet meet its needs; this is a wonderful benefit that VOIP brings to the table.

As more and more businesses warm up to the concept of VOIP, it is clear that they can budget upfront and pay only for service usage based on consumption. No longer is there a need to purchase dedicated hardware, fixed-line packages and rigid contracts that cost an arm and a leg. Flexibility is now the new way to save cost and let technology facilitate organic brand growth.

Increased Security

With VOIP being built on internet protocol (IP) technology, it is possible to harness security-layer features to improve data privacy and threat mitigation. Two such features applicable to VOIP-based telephony are identity management and encryption.

By integrating these two key security features into VOIP, data protection and mitigation of cyber attacks are achievable. Although technology becomes obsolete rapidly, it will take some time before these security features become irrelevant. Therefore, greater protection of data communication against eavesdropping is now achievable.