Swipe cards and CCTV are often used as the first defence of any brick and mortar business; they protect businesses from balaclava clad thieves, but they only guard the tangible assets. For most companies, where the real value lies is the data stored on PCs, servers or the cloud. Currently, 83% of UK workforce jobs are within the services sector; in the US, this figure was 78% in 2018 and in Australia the services sector accounts for 79% of the workforce.
What this shows is that for most organisations, their resources of value and their internal processes are digital (online and virtual). Therefore, CCTV guards against the theft of cash, bullion, stock and equipment, but to secure all non-physical property a new and different approach is needed: cyber-security.
Organisations need to develop a comprehensive approach to cyber-security, as this is the twenty-first century equivalent of padlocks on the gate. A professional IT support company could be of great benefit when generating these plans; these IT consultancies have been providing professional services on an ever-increasing level.
Key habits every SME should adopt
Good cyber-security is like accident prevention; it takes a whole organisation approach, not just dependent upon one person. If a business engages an external IT consultancy to help design its cyber-security, the company will no doubt embed this into the organisation’s culture like an indelible mantra: good cyber-security is everyone’s business. In the past, a secretary would lock the filing cabinet and was the last one out the front door; however, it doesn’t work like that anymore.
Most small businesses don’t have an in-house IT person – they use an IT consultant / contractor. Cyber-security isn’t the job of one IT person, either; the external consultant will furnish the organisation with the right know-how, but all staff need to apply the security. Every company needs to develop a cyber-security policy and make it clearly known that it’s the job of all staff to adhere to this policy. To note, there’s not just one program or tool which can address cyber-security. Antivirus software isn’t a stand-alone solution – think continuous prevention, or small actions implemented consistently. Management needs to inculcate cyber-security into the culture of the organisation and should be encouraging positive cyber-security practices to all staff.
Some of the simple protocols which staff need to be trained in may include the following:
Creating strong passwords/passphrases and two-factor authentication
Training of staff in generating strong passwords is key to the cyber defence of any business. In fact, a passphrase is widely accepted as better than a password. A passphrase is much more difficult to crack than a standard password. Additionally, employees need to be prevented from sharing passwords or leaving them written down in accessible places.
Best practice would also include building two factor authentication into online activity for more serious data activity; what this involves, as the name suggests, is a second barrier after the initial password. That next security wall could be a four or six-digit number sent to the staff member’s phone (which needs to be typed into the system to unlock it), or perhaps a fingerprint or retina scan. The point of the two-factor authentication is that a business prevents access to its more important software with two steps which become habitual practice for all staff.
Identifying safe/unsafe websites
Staff must be trained in identifying safe and unsafe websites. Fortunately, it requires just a few seconds to ensure a URL is legitimate. As an example of what to look for, the Australian department of Home Affairs has the following URL https://www.homeaffairs.gov.au/; however, cyber criminals may generate a URL to look so similar to an unsuspecting eye – such as https://www.homeaffair.gov.au – but which would divert all data accessed. Staff need to check URLs carefully before clicking on them. When SMEs are on a tight budget, they can access free guidance and resources from government departments like the Australian Cyber Security Centre.
This Australian government agency is tasked with maintaining national cyber-security; any business, small or large, can access support from them. Each country has a similar state-based site which assists in cyber security; for instance, the UK site has a great deal of support and information as well.
Draft a company cyber-security plan
As mentioned above, it’s essential for every company to generate a comprehensive cyber-security plan. This needs to come ‘from the top’ and should demonstrate that the company takes cyber-security as seriously as traditional business activities like strategy, marketing, growth, etc. Whilst an IT consultancy will provide excellent support, the first port of call could be standard government sites; they not only provide small businesses with guidance on tax, HR policy, business development and so forth, but now also cyber safety for SMEs.
A good cyber-security plan should state best practices for all employees and explain how to achieve that goal. Work with a good IT consultancy and generate a self-assessment to understand what business resources need securing. In addition, this will allow the company to recognise any obvious holes and consequent resolutions. Finally, there also needs to be an identification of the possible risks and an evaluation of each, which leads to finding solutions and documenting them. The document needs to be in plain English, easy to read, easy to follow and comprehensive. What needs to be included at the most basic level is roles for key go-to people, responsibilities of each member of staff and procedures for everybody to follow.
Provide exceptional cyber-security staff training
Interestingly, the major cause of security breaches isn’t lack of updated technology in a company, nor good antivirus software – it’s human error. Given this, a comprehensive document from the boardroom outlining company policies on IT use is only as good as the staff training which supports it. Training can be provided by reliable external IT consultants or by in-house line managers, especially when taking on new staff. Management needs to approach this with the same diligence as OHS in a hospital, with more frequency and seriousness than fire drills and ensure an active engagement with the policy top-down.
Whilst the generation of a cyber-security policy needs to come from the boardroom, its implementation requires constant oversight and engagement. Staff training would not only include the most basic information, but also best practices which together comprise good IT hygiene – activities like safe USB practice, accessing safe websites, regular back-up of data, implementing updates as soon as they become available, etc.
For those with businesses in Europe, the European Union General Data Protection Regulations (GDPR) were updated in May 2018 to protect private citizens’ data and how it’s used. These rules affect every country currently part of the EU, so ensure your team understands how to remain compliant, if needed. Once the UK has left the EU, these regulations will remain law in Britain and will still apply to British businesses.
Stay ahead of ever-evolving cyber threats
Cyber threats are constantly changing, so the security policy needs to change to meet those challenges. The cyber-security plan generated by the company needs to be a living document; each time a threat is encountered, the document must be updated.
As of 2019, cyber-crime is said to be worth approximately US$1.5 trillion. Prevention of cyber-crime is not only the domain of IT specialists; it’s the responsibility of everyone employed by a business, small or large.