An Absolute Beginner’s Guide to Cyber Security and Market Share
The Internet has become a great leveller for business, especially for the small and medium-sized enterprise (SME) competing against the bigger brands.
Take a moment to consider the impact on your business if your access to the Internet were denied right now, this minute. The Internet and our interactions with it are now critical to our business success. That means we must understand the impact of the Internet on our business, understand what our customers’ expectations are, and respond in the way that is best for our business.
In this short article, Barry Horne MD of BPH Training looks at how cyber security is key to gaining and retaining customers.
In the online B2C (Business to Consumer) world customers want personalised service with consistently accurate information via many channels, including Web, phone, social media, mobile and email, 24/7. They expect business to be proactive in addressing their needs and responding to their feedback.
Regarding B2B (Business to Business), companies are taking advantage of the Internet not only in marketing and sales, but also in terms of their total business processes. They use B2B connections to carry out transactions, run applications and services in the Cloud, and generally harness the Internet in myriad ways. Even SMEs can have global reach via the Internet.
Customers expect you to handle their personal data securely while at the same time meeting their expectations of a speedy, accurate, and personal service. Your brand reputation, and customer loyalty, depends on all of these factors.
Information Security provides a competitive advantage in meeting modern customer expectations by enabling the business to do what it wants.
To meet our customers’ requirements we need to ensure any information we share with them is readily available when they want it (Availability), accurate through its creation, processing and delivery in all channels (Integrity), and where necessary protected from persons not authorised to receive it (Confidentiality).
The introduction of specific legislation to address personal data security concerns has had a significant impact on the way we do business; for example, the Data Protection Act, and now the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
The extent to which we implement measures to deliver Confidentiality, Integrity and Availability will depend on a fourth key element – Risk.
Risk = Threat x Vulnerability x Impact on asset
Remove any component of risk (make it zero) and there is NO RISK. Reduce any component and you lessen the risk.
You must consider a broad range of threats, vulnerabilities and impacts on the business, including the cost of physical environment damage (fire/flood), human error (poorly trained staff), equipment malfunction (server breakdowns), hacking (from inside and outside the organisation), misuse or loss of data (accidental and malicious), and application errors (software bugs), among many others.
The Need for Risk Management
Companies and individuals can be prosecuted if their computer systems are used in illegal activity, even if they are not actually carrying out that activity.
Company directors are responsible for the lawful operation of their business through exercising reasonable care, skill and diligence, whatever its size. This includes managing the information security risks to their company.
Once we have identified the risks to our business we can set about mitigating them, investigating how we can reduce each component.
Can’t I just outsource my risks and make them someone else’s problem?
Unfortunately, it’s not that simple. You can outsource work, such as services, infrastructure, software development etc. But the vendors’ risk becomes yours. Company directors must assess the risks of any outsourced service, and investigate mitigation, before contracts are signed. You could buy insurance but while this will help you replace tangible assets, it cannot rebuild your brand reputation.
Common Online Threats
Ransomware is arguably the biggest threat to us all today.
By inserting malicious code into your system the criminals encrypt your data then demand a ransom before they give you the key to decrypt it. This form of attack is attractive to criminals as it is an easy way to make money with little risk.
The most recent example that came to everyone’s attention was WannaCry on 12 May 2017. An estimated 200,000 computers were involved and the fact the NHS was severely affected brought home to many the potential harm such attacks can cause.
A survey shows the number of Ransomware attacks on small organisations and individuals is increasing.
Phishing is another common form of attack where the criminal attempts to obtain sensitive or useful information from a victim such as user names, passwords, and credit card details (and, indirectly, money), for malicious reasons.
Cyber criminals conduct comprehensive intelligence gathering when preparing an attack and social media are rich resources for that intelligence.
Hacking encompasses many means to gain unauthorised access to computer systems. Most of the hacking stories in the news media concern big brands.
However, cybercriminals are increasingly turning their attention to smaller firms. Nearly half of the global attacks during 2015 were against small companies with fewer than 250 staff. SMEs are seen as easy targets due to their poor cyber security.
But SMEs are well placed to steal a march on the big corporates and do a good job of defending themselves against cyber criminals.
Because of their size, SMEs are more agile: there is less bureaucracy and there are fewer systems, so the measures needed to achieve good cyber security, and even information assurance governance, are all within easy reach for them to implement.
What can you do?
Education and Awareness
Everybody in an organisation has a responsibility for security so you must provide staff with the tools to complete their work securely.
Train all users of your information assets to be aware of the threats and be competent to fulfil their roles. Staff must understand your organisation’s security requirements. Awareness programmes drip feed your security message to staff so that security becomes second nature and part of business as usual. This will help build a security culture across your organisation.
There are 5 technical controls that research by Lancaster University, and government evidence, have proven can protect your business from up to 80% of common commodity cyber threats:
- Patching (updating software and operating systems)
- Access controls
- Secure configuration
The government-backed Cyber Essentials scheme assesses an organisation’s security in these 5 areas and, if satisfactory, awards the organisation a Cyber Essentials certificate.
The Cyber Essentials certificate gives your customers the confidence your business has appropriate security measures in place to protect their information.
Cyber Essentials is increasingly a requirement to bid for central and local government projects.
It is an essential part of data protection/GDPR preparation that your information systems are secure.
Currently, BPH Training Ltd is the only supplier of the IASME-accredited Step by Step Cyber Essentials course. This course explains the scheme, the 5 controls and how they can be implemented. It also takes delegates through the process, preparing you to undergo assessment.
You can check when BPH Training is running the Step by Step Cyber Essentials courses on their website, call 07500 004835 or email firstname.lastname@example.org for additional information about their training and protecting your organisation’s information.
About the author
Barry Horne is MD of BPH Training Ltd, a Cyber Essentials and IASME certified supplier of cyber security training and consultancy. Barry has over 20 years’ experience in Information Assurance and Cyber Security, both military and commercial. He is passionate about developing security awareness and education in the business community, especially among SMEs.