Cybercrime continues to grow rapidly, and we have already seen a number of major breaches across the world, including Yahoo!, Travelex, Sony, JP Morgan and the Panama Papers.
Motives are far and wide: some attacks are for financial gain, some are state sponsored due to geo-political tensions. Whatever the scenario, the result is loss of money, lost business, loss of intellectual property and trade secrets, loss of reputation, and breaches of legal and regulatory requirements.
SMEs play a part in many major cybercrime events. They tend to be easier to compromise than large corporations (who have near-unlimited resources), and because SMEs are usually connected to larger supply chains, they give attackers a way into the top of the pyramid.
To put it bluntly, no business is 100% bullet-proof.
The Board and Senior Management Team need to ensure cyber security risks are on the business agenda and that key objectives are formulated as part of the strategy.
What can businesses do? General tips
Build data security into board strategy – ensure Information Security (InfoSec), Data Protection (DP) and Business Continuity Planning (BCP) are added to the corporate risk register and the Board agenda, and, importantly, invest the resources (money and people) to drive them through. Recruit a Chief Information Security Officer, reporting to the Board and Senior Management Team, to lead and develop the InfoSec, BCP and DP strategy, controls (people, process and technology), policies, guidelines, standards and procedures, using ISO 27001 as the baseline standard.
Lead by example - think, breathe, live security and cascade messages to all directors. – Protecting Information is Everyone’s responsibility.
Simplicity – build the right mind-set by keeping things simple.
Set up a forum/committee for InfoSec and BCP governance, either via the risk or compliance committee; keep it lean and efficient, with quarterly reporting and status updates to the MC, and one member from each business unit. Engage key business units, including technology, human resources, compliance, private, corporate, marketing, legal and facilities teams, in advance of expansions, acquisitions, audits, direct dials, major changes, etc., and make them part of the forum/committee above.
Enhance physical security in the way you process visitors, third parties and internal staff. Enforce a clear-desk policy and secure hard-copy sensitive information (e.g. investigation and file-closure records). Ensure Business Continuity Planning is embedded across the business units.
Regulatory compliance, such as the locally relevant Data Protection legislation – meet local regulatory requirements by acknowledging their importance. Set up a Data Protection committee to map out information flows and understand what type of information you are processing. Support consistency across the business in client legal terms and conditions.
Patch and secure configuration – patch management; maintenance of an asset inventory (licences, hardware, software, resources, third parties); incident and change management; a secure development lifecycle; access control and segregation of duties.
Raise user awareness – require all staff to complete online Information Security training, and create engaging internal comms campaigns such as ‘How to identify email scams’, ‘How to select and remember a strong password / passphrase’ and ‘Shred it!’.
Regular auditing – application, network and physical penetration testing and vulnerability scanning. In addition, run access control reviews and tighten the joiners and leavers process.
Business continuity – how do we respond to and continue through a major cyber incident? What do we do? Develop an emergency response process, including key communications to internal staff, external clients, third parties and regulatory bodies. Create a plan to cover the scenarios: 1) loss of life / key-man risk, 2) loss of office, 3) loss of a critical application, 4) loss of communications (email, phone, mobile network), and 5) loss of reputation from third-party exposure. Examples: Panama Papers, Paradise Papers, Lux Leaks, Travelex.
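An access control review of the kind recommended above is straightforward to automate once the HR roster and the directory account export can be compared side by side. The script below is an added example, not part of the original article or any particular product: it reconciles a constructed HR roster against a constructed account export and flags the classic joiners-and-leavers failures (a leaver whose account is still enabled, a login recorded after the leaving date, an account with no HR owner, and an enabled account nobody has used for 90 days). The field names, the sample records and the 90-day dormancy threshold are assumptions for the example; real exports will need their columns mapped to these.

```python
from datetime import date

# Constructed sample data (assumed field names, not a specific HR or directory schema).
HR_ROSTER = [
    {"emp_id": "E001", "name": "A. Smith", "status": "active", "leave_date": None},
    {"emp_id": "E002", "name": "B. Jones", "status": "left", "leave_date": "2023-11-30"},
    {"emp_id": "E003", "name": "C. Patel", "status": "active", "leave_date": None},
    {"emp_id": "E004", "name": "D. Lee", "status": "left", "leave_date": "2024-01-15"},
]

ACCOUNTS = [
    {"username": "asmith", "emp_id": "E001", "enabled": True,
     "last_login": "2024-02-01", "groups": ["staff"]},
    {"username": "bjones", "emp_id": "E002", "enabled": True,
     "last_login": "2023-12-02", "groups": ["staff", "finance-admins"]},
    {"username": "cpatel", "emp_id": "E003", "enabled": True,
     "last_login": "2023-09-10", "groups": ["staff"]},
    {"username": "dlee", "emp_id": "E004", "enabled": False,
     "last_login": "2024-01-14", "groups": ["staff"]},
    {"username": "svc-backup", "emp_id": None, "enabled": True,
     "last_login": "2024-02-02", "groups": ["domain-admins"]},
]

REVIEW_DATE = date(2024, 2, 3)   # assumed date the review is run
DORMANT_DAYS = 90                # assumed dormancy threshold


def _days_since(iso_day, review_date):
    """Days between an ISO date string and the review date; None if no date."""
    if iso_day is None:
        return None
    return (review_date - date.fromisoformat(iso_day)).days


def review_accounts(roster, accounts, review_date=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Reconcile directory accounts against the HR roster and return findings.

    Each finding is a dict with username, issue and a human-readable detail,
    so the list can be handed straight to the account owners for sign-off.
    """
    by_emp = {r["emp_id"]: r for r in roster}
    findings = []

    for acct in accounts:
        emp = by_emp.get(acct["emp_id"]) if acct["emp_id"] else None

        # No HR record at all: either a service account needing a named owner
        # and a justification, or an account that should not exist.
        if emp is None:
            findings.append({
                "username": acct["username"], "issue": "orphan",
                "detail": f"no HR record; groups {acct['groups']}",
            })
            continue

        if emp["status"] == "left":
            gone = _days_since(emp["leave_date"], review_date)
            # Leaver process failed: the account was never disabled.
            if acct["enabled"]:
                findings.append({
                    "username": acct["username"], "issue": "leaver-still-enabled",
                    "detail": f"left {gone} days ago; groups {acct['groups']}",
                })
            # Worse: someone used the account after the leaving date.
            if acct["last_login"] and acct["last_login"] > emp["leave_date"]:
                findings.append({
                    "username": acct["username"], "issue": "login-after-leaving",
                    "detail": f"last login {acct['last_login']} after leave date {emp['leave_date']}",
                })

        # Enabled but unused accounts are attack surface with no business value.
        if acct["enabled"]:
            idle = _days_since(acct["last_login"], review_date)
            if idle is None or idle > dormant_days:
                findings.append({
                    "username": acct["username"], "issue": "dormant",
                    "detail": "never logged in" if idle is None else f"no login for {idle} days",
                })

    return sorted(findings, key=lambda f: (f["username"], f["issue"]))


if __name__ == "__main__":
    for f in review_accounts(HR_ROSTER, ACCOUNTS):
        print(f"{f['username']:<12} {f['issue']:<22} {f['detail']}")
```

Comparing ISO-8601 date strings lexically is safe because they sort chronologically; the one caveat is that a leaver's account should be compared on the date it was disabled, not merely on its enabled flag, if the directory export records that. The review is only as good as the HR feed, so a leaver missing from the roster altogether will surface as an orphan rather than as a leaver, which is why orphans are treated as findings in their own right.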
Strategically, we recommend:
Continual improvement – push the boundaries; always think, breathe and live security.
Go for accreditation to the international standard ISO 27001:2013 for Information Security.
Basic hygiene – keep your systems updated, review technical security controls and measure their performance. Are they providing value to the business?