Businesses need to get to grips with cyber attack threat - Douglas McLachlan
There’s no one answer. Some perpetrators are organised criminals who have moved online. They’ve worked out that it can be far more lucrative (and less risky) for them to rob a database than a bank.
Some are hackers of varying degrees of expertise. Ask anyone to picture a hacker and it’s usually a teenage computer genius in a hoodie sitting in a darkened bedroom that springs to mind. The truth is that free online tools can turn just about anyone into a successful hacker.
Then there’s the employee with a grudge, looking to steal or leak trade secrets or data. Or maybe they’re a corporate spy? Or a foreign agent?
Or … maybe it’s you? Have you ever mistakenly sent a work email to the wrong recipient? The perils of autofill can make data leakers of us all.
Businesses need to get to grips with all these ‘threat vectors’ and fast. If your business hasn’t thought about this, it may only be a matter of time. Imagine how you’d feel if every email your organisation has ever sent was posted online – or one of your finance staff was tricked into sending money to the wrong account?
The good news is that there’s an increasing number of free resources and (paid) service providers available to help. The National Cyber Security Centre has excellent materials and its ‘Cyber Essentials’ self-assessment option is simple to follow and can help you protect against a wide variety of the most common cyber-attacks. That’s a good start, but if you really want to reassure customers that you’re working to protect their data, carry out a hands-on technical verification and be certified to ‘Cyber Essentials Plus’. Some Government contracts now require this.
There’s a growing industry of cyber security specialists, auditors, ‘white hat’ hackers and penetration testers to help businesses defend against cyber threats. And every business should ask if it needs Cyber Insurance.
In Scotland, this growing cyber security ecosystem has been helped along immensely by the presence of Edinburgh Napier University’s Cyber Academy. Even the Law Society of Scotland has been active in this field, offering solicitors like me the opportunity to become a Certified Specialist in Cyber Security.
In the meantime, what can you do to prepare for a cyber-incident? First, identify where you keep your data. If you don’t even know where it is, how can you protect it? Regularly backing up your data and patching your computer operating systems are essential too. Consider migrating your data to the Cloud. Google and Amazon have an army of cyber security specialists to protect your cloud computing data. Who do you have?
It’s also a good idea to develop a Cyber Incident Response Plan in advance. Just as you plan and prepare for a Fire Alarm, you should plan and prepare for a cyber-incident. Everyone should know in advance what role they should play and what to do. They should follow pre-written ‘playbooks’ to cut improvisation down to a minimum. In cyber security, pressure doesn’t make diamonds – it makes mistakes!
Finally, don’t make the mistake of thinking this is an IT problem. It’s a management problem. More specifically, it’s your management problem. Be part of the solution.
Douglas McLachlan is Partner and Head of Data & Technology, Anderson Strathern