Businesses have a one in four chance in a 12 month period of being affected by an information technology security breach according to a government survey.
The survey found that many of the breaches are a consequence of the internet. The most common breaches are viruses, spyware or malware (68%), and breaches involving impersonation of the organisation (32%). However businesses are improving productivity and getting more efficient by using digital technologies and the survey reveals that UK consumers are the biggest internet shoppers in Europe.
While many businesses saw cyber security as important, many have not fully understood how their business is at risk and what action to take.
Help for small businesses
Guidance aimed at small businesses is provided in a publication 'Small businesses: What you need to know about cyber security' goo.gl/48p1AU. It recommends three steps a businesses can take to tackle cyber security:
- getting the basics right
- adopting a risk management approach
- adopting Cyber Essentials.
Cyber security: the basics
There are a number of simple actions and behaviours that can be followed including:
- downloading software and app updates as soon as they appear on devices and computers
- using strong passwords
- delete suspicious emails
- using anti-virus software and
- training staff.
Links to further advice are provided in the small business publication. It is important for staff to appreciate the importance of security and the government offers free online training courses at nationalarchives.gov.uk/sme
The small business guide suggests a risk management approach to cyber security with four steps:
Understanding the risks - consider what is at stake if the business suffers a breach: money and IT equipment, information (from customer details to trade secrets), and even the reputation of the business. Think also about who poses the risk - it could be malicious hackers, but it may be accidental security failures by employees.
Planning - ask questions such as: what information assets are critical to the business and what risks could they be exposed to? How could the business continue to operate if systems were attacked?
Implementing - this involves putting in place security controls to protect the equipment, information and IT systems, and explaining responsibilities and best practice to staff.
Reviewing - implementing routines to review and test the effectiveness of controls in the business.
Cyber Essentials scheme
To help businesses protect themselves from common internet based threats, the government has developed 'Cyber Essentials'. It has two functions - to provide a clear statement of the basic controls all organisations should implement and to provide the Assurance Framework. The Assurance Framework offers a mechanism for organisations to demonstrate to customers, and others, that they have taken these essential precautions.
The government recommends that all businesses operating online, selling goods and services online, or storing customer details and personal data, should aim to adopt Cyber Essentials as a minimum. The government already mandates this for many of its suppliers.
More details about the Assurance Framework can be found at cyberstreetwise.com/cyberessentials.