Companies of all sizes need to ensure their staff are well-equipped to counter the threat of cyber attack
Last year, almost half of British businesses were targeted by cybercriminals – with the figure almost doubling from 24pc to 46pc between 2016 and 2017, according to recent government figures.
But there’s one common factor that unites many businesses that have fallen prey to cybercriminals: a lack of preparation. Analysis by GCHQ and the National Cyber Security Centre (NCSC) shows that the vast majority of successful cyberattacks exploit basic weaknesses in IT.
Kevin Chapman, senior vice president and general manager of Avast’s small business unit, says many businesses still make things too easy for cybercriminals by making basic mistakes. “Cybercriminals are no longer solo acts trying to hack into a company or government system for a challenge,” he says. “Cybercrime is becoming increasingly professionalised.
“One in three security breaches in UK small businesses start with human error; this shows that workers aren’t getting the training they need.”
In other words, every workforce should receive adequate support when using the necessary business systems and processes, to make sure staff feel comfortable using them securely.
Businesses can help their staff by ensuring they have the basics in place – as set out in the Government’s Cyber Security: Small Business Guide. However, most small businesses mistakenly think that hackers will not target them, according to research by analyst KPMG, with 51pc believing they won’t be targeted.
This is, however, a myth. In fact, hackers now target small businesses as a matter of choice, says John Davies, director at cybersecurity company Pervade Software and chairman of the South Wales Cyber Security Cluster.
Mr Davies says: “Recently we have seen a huge rise in extortion attacks being aimed at smaller companies. It is far easier to get a thousand small businesses to pay £100 than it is to get a large corporate to pay off a £100,000 blackmail threat.
“These attacks are indiscriminate. The best possible advice to small businesses is to prepare. Thankfully, this has been made easier through the availability of a best-practice framework, developed in the UK and readily available for all companies.
“The Government’s Cyber Essentials scheme has been designed to prepare businesses for the most common cyber threats and serve as a first step, along with the Small Business Guide, to improving cybersecurity awareness.”
The Cyber Essentials scheme – available for all organisations, including businesses, charities and schools – suggests five basic steps: boundary firewalls, setting up systems securely, restricting access, malware protection and patch management.
There are also several online courses that businesses can offer staff, providing tailored training according to their expertise – whether they’re HR professionals or accountants.
Since its launch in 2014, more than 10,000 certificates have been awarded to companies signing up for the Cyber Essentials scheme, including household names such as Barclays and Vodafone.
“Cybersecurity can feel like a daunting challenge, but a few easy and inexpensive steps can protect from the most basic cybersecurity threats,” says Ciaran Martin, chief executive of the NCSC. “Following these steps could save time, money and even your business’s reputation.”
It’s also important that all workers are aware that cybersecurity is part of their jobs, according to Cath Goulding, head of IT security at Nominet. She says: “The main challenge is to get staff to understand that information security is everybody’s responsibility – not just that of the IT team.”
Ms Goulding personally inducts every new employee and maintains league tables between departments, rating them for good security practice. “You must engage staff, and that means going beyond PowerPoint presentations and tick-box exercises,” she says.
“Having a strong culture of security means that staff will be more vigilant, and will be less likely to fall for social engineering tricks. Without this culture, any business can become vulnerable.”
John Shaw, vice president of product management at Sophos, says hands-on training is a good way to make the reality of cybercrime even more “real” to employees – while also testing how they respond to threats.
Such training should, of course, occur in conjunction with preventative measures such as implementing anti-spoofing controls and filters, and protecting accounts with two-factor authentication; the NCSC details some useful tips. But engaging training can help bring these issues to life.
Mr Shaw says: “Businesses and schools are starting to run simulated ‘phishing’ campaigns by sending convincing-looking emails that get users to reveal passwords, bank details and so on. The IT team can let the users know when they have been tricked and train them how to avoid this in future.”
This could form part of a wider strategy to tackle phishing, based on the latest government anti-phishing guidance.
The fact that schools are taking part in these initiatives is significant; to really embed cyberawareness in businesses, it’s important to educate young people as well. The Government’s pioneering Cyber Discovery resource was set up with this in mind, with the aim of developing the next generation of cybersecurity talent.
With a range of online games and tutorials, the scheme has already received more than 22,000 applications from young people who want to develop cutting-edge cybersecurity skills.
There is no single way to make sure we will have the skills we’ll need in the future, but building awareness is an important starting point if we are to tackle the growing threat of cybercrime.
https://www.telegraph.co.uk/business/cybersecurity-for-small-business/how-to-prevent-cyber-crime/