Building a cybersecurity culture for your business

You can’t communicate in the modern world without technology, so how can you ensure your business doesn’t fall victim to hackers? Professor Kamal Bechkoum, Head of the University of Gloucestershire’s School of Computing and Engineering, guest blogs for More Fire PR on how having an effective cybersecurity culture within your organisation is vital.

Many organisations don’t see cybersecurity as a serious issue and fail to take a pro-active approach to serious online threats, he adds. In 2018 the average cost of cybercrime in the UK is ranging from £894 for microbusinesses up to £8,180 for SMEs, and around £9,260 for large companies.

In addition PWC’s Global State of Information Security Survey offers some alarming food for thought on this topic, including:

  • 18% of UK organisations don’t know how many cyber-attacks they suffered last year
  • Nearly eight in 10 experienced down-time due to security incidents
  • The average number of security incidents faced by UK companies increased by 23% to 5,792
  • Only 28% of UK boards are involved in setting a security strategy
  • Current employees top the insider risk, but this is increasingly including business partners and the supply chain.

The bad news is that no one is immune from cyber-attacks and it is increasingly important that organisations are aware of the damaging implications of failing to prepare for the impact on their finances, reputation and legal position.

To counter this, well-run businesses not only need to prioritise security at senior team meetings, they must also insist that all of their frontline employees do the same. Cybersecurity cannot be solved by simply buying in more technology to patch problems. It is about taking a strategic approach to budget allocation to deliver genuine improvements in security and protection.

The ideal organisational culture sees managers and staff taking a second-nature approach to keeping information safe and viewing security as a positive force.

If you become a victim of cybercrime it is vital that you act quickly. First of all, ensure that the incident is contained to the best of your ability while your company continues to operate. Then, prepare to notify all relevant stakeholders, including your insurers, regulators, lawyers, the police and your clients.

To help avoid all of this consider the following steps:

1. Educate employees

It’s essential that all employees accessing a network are trained in your company’s security policies and updated on new protocols frequently. Ensure each staff member is informed and understands the consequences of not following security policies.

2. Plan for workers own devices

The spread of remote employees working on their own devices means certain measures need to be put in place. Ensure a layered approach such as device authentication, data encryption and the ability to remotely wipe data if a device is lost or stolen.

3. Employ a firewall

One of the first lines of defence in a cyber-attack is an external-facing firewall. Many companies are also installing internal firewalls for additional protection. Employees working from home should install a firewall on their personal network.

4. Backup your data

Having a backup procedure should be a crucial part of your cybersecurity culture. It is also important to check that your backup is safe as cyber criminals can target this as well. Remember, failing to protect essential documentation and data can threaten your business to its core.

5. Employ anti-malware software

Phishing attacks can install malware on an employee’s computer when an offending link is clicked. Have anti-malware software installed on all devices and the network to cope with this.

6. Document cybersecurity policies

Cyber security policies and protocols should be documented and supported by staff training, checklists and information specifically to protect businesses. This is not just for staff at the business delivery level and should include the senior team.

7. Use safe password protocols

If users think of ‘passphrases’ the annoyance of having to frequently change a password can be easily overcome. ‘The Boy Stood On The Burning Deck’ is a much stronger password than “QX!”:143”, even though it only contains letters. Increasing the number of characters in a password dramatically improves security and makes brute-force attacks far more difficult for hackers.

8. Don’t forget mobile devices

It’s essential that company employees set up automatic security updates and require that the company’s password policy applies to any mobile devices accessing the network. In addition, while it’s tempting to connect to public Wi-Fi, attackers can intercept your traffic over an unencrypted network. Never send sensitive information over public Wi-Fi, such as passwords or carry out internet banking transactions.

Remember – while online threats will continue to evolve, the good news is that as long you stay vigilant and treat cybersecurity as a primary part of your business strategy so will the ways we combat them.