Business Clinic: Cybersecurity

Expert advice on the business of running a garment decoration company

Q&A

Following the recent, high-profile ransomware attacks on the NHS and many other organisations across the world, I want to know what I can do to protect my company from similar attacks.

An organisation’s cybersecurity is only as strong as the weakest link; that is especially the case with SMEs. This is why it is vital there is buy-in from staff of all levels and that best practice is adopted across the organisation. In the first instance, managing directors need to make it clear that employees are accountable. Increased accountability will ensure that greater care is taken by employees; and by giving employees proper cybersecurity training, they will better understand what is at stake.

If you think of security as a pyramid where the horizontal axis is the number of incidents and the vertical axis is the level of sophistication involved, the top of the pyramid features the smallest number of incidents, but a level of sophistication that is very, very difficult to defeat. The bottom of the pyramid has the highest numbers and the least sophistication. This is often the realm of phishing or related exploits that depend on someone clicking without paying attention, or exercising bad judgement. Training and awareness can help minimise the number of such incidents.

The first line of defence remains looking at the traffic. With email, for example, most organisations drop anywhere between 65% to nearly 75% of the incoming email – they never make it to your inbox. Some of the email is merely suspicious or annoying and you may see emails come through marked with labels such as [SPAM], [Marketing Mail] or the like. The intent is to avoid blocking something that might be legitimate, but to give the user a flag and the opportunity to delete or to create a rule to divert the emails so marked.

Phishing is one of a number of exploits that attempt to get an individual to participate in something not to the person’s or the organisation’s benefit by such things as opening an attachment, clicking on a link, etc. An alternative that’s been used successfully is scattering a bunch of USB flash drives featuring malicious code around a carpark and waiting for someone to plug it into a machine. The common element is the human one, and such attacks are also termed social engineering.

Another security issue is posed through the use of apps, including work and personal within the workplace. Even though apps are a huge part of our lives, a significant amount of the world’s population has shown they can be very careless with how they use them.

When applied to workforce and office settings, employees can introduce new threats to corporate security and risk management. This is always the weakest thread in a comprehensive security fabric.

In a survey we’ve just conducted, the results show a significant amount of the world’s population is not thinking about security when using apps and, when combined with apathetic attitudes that grudgingly accept cyber attacks as inevitable, this introduces even more risks. From a human psychology perspective, this research shows a tendency to want to think we’re safe – and some countries more than others want to trust internal and third-party app developers who may not have their best security interests in mind. Essentially, this mindset needs to be changed.

Organisations have to take responsibility for investing in well-managed security tools, which have controls designed to prevent, detect, contain and remediate data breaches. Instead of buying a single solution for each issue, businesses must trust security solutions from best-of-breed vendors and partnerships that answer a number of security needs.

IT decision-makers need to think more strategically. The bad guys are looking for ROI just like the good guys, and they don’t want to work too hard to get it. Instead of focusing on doing everything right, 100% of the time, IT leaders can be more effective by doing a few things very strategically with the best technology available. It’s the cyber security equivalent of the zombie marathon — as long as you can avoid being the slowest in outrunning the zombies, you minimise risk.