Information Security Consultant and Cyber Awareness Trainer, Nick Robilliard, explores the risks of neglecting to take your cyber security seriously – both as an individual and organisation.
One of the biggest misconceptions about cyber crime is that your data is not important to hackers. Why would they choose you? What’s so special about your data in comparison to someone else’s?
I must admit, before starting my own cyber security journey, my own thought process was very much one of thinking I wasn’t important enough to be the target of cyber crime.
But the reality is, all our data is valuable. It doesn’t matter who we are or how insignificant we may feel – cyber criminals will find a use or a buyer for our data. And because our data is valuable to cyber criminals, it should be valuable to us too.
This is the same for an organisation’s data too. Small businesses are targeted frequently because hackers know that smaller organisations are more likely to have weak security controls and are therefore easier targets. So just because your company isn’t a multi-million-pound organisation, holding the data of thousands of clients, doesn’t mean you won’t be the target of a cyber attack. Don’t make the mistake of assuming you fall beneath the radar.
So, you understand that it’s important for businesses to take their cyber security seriously – but isn’t that the IT department’s job? That’s another big misconception. Cyber security is everyone’s business – from the very top all the way down. Employees neglecting to learn about and practise good cyber hygiene is one of the biggest causes of data breaches. In fact, human error plays a part in the majority of cyber attacks and data breaches.
It’s also important to understand that when it comes to security technology, firewalls and antivirus are unlikely to be enough. Think about your house. Locking the door is important, but can you rely on that as the sole protection of your valuable items? Burglaries can still happen, regardless of whether the thief lets themselves in through the front door or not. Enhancements to home security might include safes, alarms, cameras and insurance should the worst happen. Information and cyber security should also be applied in layers, and more sensitive or valuable information should be given greater protection.
So, with that in mind, what cyber security measures should you be investing in?
One of the best things you can do to protect your business from cyber risk is to educate your team. Social engineering, which you can think of as hacking the human, is involved in 90% of cyber attacks; examples of this might be someone clicking a malicious link in an email purporting to be from a trusted sender, or someone being tricked into divulging sensitive information over the phone to an unidentified caller. An organisation’s employees are its first line of defence, so it’s vital they know how to spot red flags for social engineering and how (and why) they should practise good cyber hygiene, e.g. locking unattended devices, using strong passwords, etc.
With that said, the unfortunate truth is that no matter what other defences you have in place, you can’t eradicate human error, and you can’t achieve 100% security. There is always a risk that someone will slip up, that they will forget, or that a new threat will materialise. This is why regular cyber awareness training is so important – it keeps employees vigilant, refreshes the memory and reinforces desired behaviour. Awareness training is not a “do once” activity.
In order to assess how your organisation is doing in terms of cyber security, conducting a gap analysis is a great place to start. Our consultants will run through a question set involving technical staff and decision makers, and from those answers we will gain an understanding of the organisation’s complexity and current security controls. We can then work out what is required for you to improve security in line with various requirements and standards, factoring in the organisation’s risk appetite.
For organisations that wish to put an emphasis on being as secure as they can be, but who may not have the resources to employ an in-house security professional, a virtual Chief Information Security Officer (vCISO) could be the way to go. A vCISO service gives you access to qualified information security professionals who will work to ensure your most important information assets and technologies are best protected against modern-day threats. They can establish standards and controls, advise the board, manage your security technologies and implement policies and procedures.