There’s little doubt that cyber crime is a massive threat to businesses of all sizes, as well as to individuals (I had a card hacked very recently – I suspect from an online ride hailing service site).
But are you taking the cyber security risk seriously? Do you have comprehensive protection, have you plans in place for coping with it, and are you insured against it? Cybersecurity is, after all, about a lot more than protecting data. So much of our business processes and interactions with customers and suppliers are cyber-based that continuity is essential, and should a breach occur, the business will be affected negatively and its reputation could be damaged, too.
Remember that directors of companies are expected to manage risk. Being unable to demonstrate that you have been actively doing so could render you liable for any losses or damages suffered by any other party in connection with your business – and that’s apart from the statistic showing 60% of small businesses fail within six months of a successful cyber-attack.
So, how can you manage the risks appropriately?
Protect your environment. This includes websites and applications, your network and any cloud services your business uses, all its information and, of course, your personal information (high net worth individuals are often targeted directly).
This is about far more than a simple anti-virus program installed on the company’s PCs (and not just one of the free ones used by a third of smaller companies) – it needs a comprehensive suite protecting all interfaces and aspects of the business. It needs clear policies for such things as backups, keeping software updated at all times, passwords (regular changing and use of two-factor authentication being among these), and the use of personal equipment such as mobile phones to access company systems.
Companies should also undertake regular training of staff to keep them aware of, and updated on, the current social engineering and other techniques used to attempt access.
Test your defences. Having an environment you believe is secure is only part of the solution. It needs to be tested regularly to ensure it is still secure and to highlight any changes that might be necessary. Fortunately, there are “ethical hackers” (sometimes referred to as “White Hats”) who do just this. Utilise their services – and don’t be tempted to use one from the company or companies that installed your security systems. You want a fresh set of eyes trying to hack into your systems.
Have plans for when a breach occurs. Better to have plans and never need to use them than be completely unprepared. Given the rapidly rising incidence of cyber attacks and their increasing sophistication, a comprehensive set of plans is essential.
Look at what you would need to do, for example, if your systems were rendered inoperable through a ransomware attack – do you have disaster recovery in place? What if your data is stolen? Is your data tightly encrypted at all times or can it be harvested by criminals, and how do you respond if it is accessed?
Extend these plans to include incidents of natural disasters such as fire or flooding as they, too, could make systems unavailable. Discuss plans with your service providers, such as those providing cloud systems, data lines and electricity – what are they guaranteeing you in terms of downtime, and is this acceptable or do you need to complement them in some way?
The plans should not just be about ensuring you can get your systems back online quickly, but should also include communication with your stakeholders to ensure they are aware of what’s happening and your plans to restore service. Of course, if you’re a public company you’re obligated to inform at least your shareholders of any breaches (and should let other stakeholders know, as well), but private companies are well-advised to let all their stakeholders know, too.
And, just as you test your defences, test your plans, too – you don’t want to find they are unworkable when you’re in trouble.
Be insured. Just as the business insures against various other risks, it should insure against cyber attacks. Policies should cover the costs to the company of lost business resulting from an attack, as well as for getting the company back to normal working, communications, investigator and legal costs, and any third-party claims arising from a successful attack.
While this might seem a lot of work, the costs of doing nothing and being unprepared can be immense and can threaten the very existence of your business and your personal assets, too. Cybersecurity has to be taken seriously.
As cybersecurity expert Stéphane Nappo says, “One of the main cyber-risks is to think they don’t exist.”