Start-ups and Cyber security – What’s the fuss?

Last week the UK government, via the National Cyber Security Centre (NCSC), published guidance for small and medium-sized enterprises (SMEs) on cyber security, recommending a series of steps to protect businesses (and customers) from the dangers of cyber attacks.

There is a global buzz of activity surrounding cyber security with China and the US similarly paying attention. Should you as a start-up be concerned?

In short, yes. But before running for the hills there are a few things to consider.

WHAT IS AT RISK?

Money £$€

Start-ups fall short by lulling themselves into a false sense of security, believing that they are too small to be a target for any would-be hacker. While it is true that larger businesses (in particular those in the financial sector) are often the target of everyday attacks, SMEs are by no means in the clear. The NCSC asserts that there is a 50% chance that an SME will be the victim of a successful attack.

A few examples of where a security breach could result in financial loss include:

  • paying a cyber criminal for the release of encrypted data*;
  • a reduction in sales due to broken customer trust;
  • investors backing out as a result of obvious security flaws in the business; and
  • breaking obligations under the GDPR**.

In 2016 alone, hackers stole over $1 billion. It is also worth bearing in mind that you may suffer a combination of financial losses: paying a ransom to recover data does not negate your liability under the GDPR.

Reputation

Reputation is key to gaining early traction, attracting the best talent, and securing the financial backers who will launch your company into its next stages. The reputational damage that a cyberattack brings could be difficult to shake off. This sentiment is backed up by a recent report by Vodafone, which found that 89% of those asked said that improvements to security would increase customer loyalty and trust. Investing time and money in cybersecurity will not go unnoticed as you develop your business; both customers and investors are unlikely to show any interest in a business that fails to treat cybersecurity as a serious issue.

Continuity

Start-ups typically work to strict timeframes, and a cyber attack has the potential to set them back by months. Cyberattacks can cause significant disruption, as well as time wasted figuring out what went wrong. Back in 2015, Mumsnet, the popular parenting website, was subjected to a number of Distributed Denial of Service (DDoS) attacks which successfully took the site down for hours at a time. For businesses like Mumsnet that rely on their website as a main source of revenue, a successful DDoS attack grinds the entire operation to a halt.

WHAT CAN BE DONE?

Employee awareness

One of the most common ways that attacks succeed is via social engineering. Social engineering involves criminals manipulating individuals into divulging sensitive data and/or allowing malicious code to infect their system. ‘Spear phishing’ provides the best example. An individual receives a personalised email that appears to be from a colleague (or another known person), but is in fact sent by a hacker and contains malicious attachments or links. Believing that the email comes from a genuine person, the individual follows the intruder’s instructions. This easily results in the transfer of company money and/or infection with malicious code, e.g. ransomware.

Start-ups should have stern conversations with employees at an early stage to ensure they think critically about their actions, are aware of tell-tale signs of a potential attack, and act responsibly when dealing with their own access to company accounts. Make it clear that only one individual from within the company will ever ask for company funds to be transferred, and that following on from an email requesting the movement of money, that individual should be contacted directly to obtain verbal approval.

Invest early in IT

Many start-ups will not have the financial backing to afford in-house IT support. However, there are affordable actions that can be taken which offer a basic level of protection from cyber attacks. For example:

Keeping regular back-ups

This has the double benefit of securing your data in the event of an outright system fault, as well as offering a safety net in the event of having your data encrypted and held to ransom. This is an effective and – more importantly – relatively cheap step in the right direction. Factors that should be considered include what data is to be backed up, how access to back-ups can be restricted, whether to opt for cloud storage, and what the procedure is for restoring a backup should it be necessary.
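The restore procedure is the factor most often left untested, so as an added example (not from the original article or the NCSC guidance) here is a small script that creates a compressed backup of a directory, restricts the archive's file permissions, records a SHA-256 checksum for every file, and then proves the backup can actually be restored by extracting it elsewhere and comparing checksums. The sample directory and file contents are constructed inline so the script runs offline; the directory names are placeholders.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, dest_dir: Path) -> tuple:
    """Archive `source` into dest_dir, restrict the archive to the owner
    (mode 0600) and return (archive_path, manifest_taken_before_backup)."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{source.name}.tar.gz"
    manifest = checksum_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    # Access restriction: only the owning account can read or write the archive.
    os.chmod(archive, 0o600)
    return archive, manifest


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> bool:
    """Restore the archive into restore_dir and confirm every file matches
    the checksum recorded when the backup was taken. Returns True only if
    the restored tree is identical to the original."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # filter="data" refuses path traversal and absolute names (Python 3.12+);
        # older interpreters fall back to a plain extraction.
        try:
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)
    restored_root = restore_dir / archive.name.replace(".tar.gz", "")
    return checksum_manifest(restored_root) == manifest


def backup_and_test(source: Path, work: Path) -> bool:
    """End-to-end: back up, then prove the backup restores cleanly."""
    archive, manifest = create_backup(source, work / "backups")
    return verify_restore(archive, manifest, work / "restore-test")


def build_sample_data(root: Path) -> Path:
    """Constructed sample company data used only for this demonstration."""
    src = root / "company-data"  # placeholder directory name
    (src / "customers").mkdir(parents=True)
    (src / "customers" / "list.csv").write_text("id,name\n1,Example Ltd\n")
    (src / "invoices.txt").write_text("INV-0001 paid\n")  # constructed content
    return src


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_data(Path(tmp))
        ok = backup_and_test(src, Path(tmp))
        print("backup restores cleanly:", ok)
```

Run the script on a scratch copy of real data, not on the live directory, and keep the checksum manifest alongside the archive so a later restore can be checked the same way.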

Two-factor authentication (2FA)

Another possible action is two-factor authentication, which adds a second layer of protection beyond a simple password. It is popular amongst banks: HSBC Online Banking, for example, requires a simple password as well as a unique code generated by a ‘fob’. Users often adopt weak, predictable passwords and reuse the same passwords across a variety of different accounts, both of which make life easier for potential cyber criminals. 2FA makes it significantly harder to gain access to those accounts and yet causes very little inconvenience to users.

Insurance

Start-ups that deal with particularly sensitive data, such as medical records or customer credit card information, should seriously consider purchasing insurance. This should by no means take the place of a comprehensive cybersecurity policy, but may provide reassurance to the business and to investors should you fall victim to an attack. When considering insurance, review the policy details carefully to ensure you have the protection you require, and understand what steps you may need to take in order not to inadvertently void your policy.

LOOKING FORWARD

Whilst this article offers only a small glimpse into cybersecurity, start-ups looking to get off to a positive start should set aside a suitable amount of time and resources for combating cybercrime, and remain aware that the cybersecurity world is moving at a significant pace. Many expect cybersecurity to become as essential to a business as health and safety, and active steps should be taken at an early stage. The potential risks of not taking action far outweigh the effort required to prevent attacks.

For more information on cybersecurity and protecting your business, the following articles are recommended:

  1. NCSC guidance on cybersecurity
     https://www.ncsc.gov.uk/guidance/10-steps-cyber-security

  2. Government-backed Cyber Essentials Scheme
     https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

  3. Discussion on SMEs avoiding fines under the incoming GDPR
     http://www.telegraph.co.uk/business/open-economy/smes-to-avoid-general-data-protection-regulation-fines/

*Security experts strongly recommend never paying a ransom. There is no guarantee you will receive your data back (many do not), and you are unlikely to be able to recoup any lost money.

**General Data Protection Regulation (GDPR). Coming into force from 25 May 2018, the GDPR applies to both data ‘controllers’ and ‘processors’ and places onerous obligations upon businesses across the EU.
