In the new issue of Bridal Buyer, Adam Bernstein explains the risks you take unless you have the proper procedures in place to prevent cyber-attacks that can seriously damage your business.
Consider the situation that Oxford-based Popham Hairdressing found itself facing recently. A small, two-salon firm, it suffered at the hands of an overseas cyber-attacker who infected and locked down the firm’s eight computers and demanded a payment of £5,000 per computer. Popham didn’t - couldn’t - pay and the attacker made good on his threat. Some data was recovered, but not before much disruption and cost which the firm estimates as being in the region of £8,000.
This type of problem is only set to increase. The Government’s 2013 Information Security Breaches Survey showed that 87 percent of small firms experienced a breach of some kind while 93 percent of large firms had been targeted. In some cases, the damage caused cost over £1m but, for small firms, the average cost ranged from £35,000 to £65,000.
Technology users can never be totally safe - the best that they can do is minimise the risk of attack.
The first step is to understand exactly what data and IT equipment are at risk. Just think of what you hold and use: employee, supplier and customer information, payroll data, banking credentials, pricing and performance information and so on. In terms of equipment, think of the computers, web-connected printers, your telephony systems, your broadband connection and your data backup systems.
It’s important to realise that the threats are not just external (as in career criminals); they can also be rival shops or former and current employees. And remember that a cyber-attack doesn’t necessarily mean an attack by a gang armed with banks of computers; it can boil down to an employee who abuses a computer system for their own benefit. By way of example, a small family-run publishing house in Sussex suffered a £210,000 loss perpetrated by its bookkeeper, who had access to the accounts system. Other forms of attack include the blatant theft of equipment (laptops, smartphones and memory sticks), remotely conducted attacks on your systems, and attacks on systems belonging to other firms linked to you, such as the cloud storage provider you use.
The practical implementation of a new security plan will involve several steps.
Controlling access to your network is the first line of defence. This means turning on the firewalls on your computers and on the network devices you employ. At the same time, take care of your wireless networks by enabling the strongest encryption the network allows (WPA2 with a long passphrase, rather than the older WEP, which is easily broken), engaging MAC address filtering and turning off SSID broadcasting. In simple terms, the encryption is akin to the lock on your front door; the MAC address filter can be likened to an approved guest list; and the SSID is the name the access point broadcasts to other devices to identify itself. Be clear, though, that the encryption is the real control: a MAC address can be copied by anyone who can see your wireless traffic, and a hidden SSID is still visible to anyone listening for it, so filtering and hiding only deter casual snoopers.
Next you need good anti-virus software on all computers. As one unnamed Oxfordshire NHS surgery recently found, once a virus is loaded onto one networked computer, it can quickly propagate around the whole network, causing pandemonium. Lock computers down so that only an approved list of websites can be reached and, at the same time, ensure that all computers are regularly updated with the software patches that are issued, because many infections exploit flaws that a patch has already fixed.
Part of the solution is also to educate employees, and to write down policies, on what they can and cannot do with a computer and on the best practices of data security. The National Cyber Security Alliance in the US - www.staysafeonline.org - offers materials and information on employee education that may help. The advice for email is to be careful about what is opened and about any links a message contains. The best phishing scams replicate legitimate organisations and seek information that can be used to log on to accounts without the need to hack. At the same time, don’t let web browsers store passwords, and look for ‘https’ in the web browser address of any financial organisation you are logging into. Bear in mind that ‘https’ only shows that the connection to the site is encrypted; a convincing phishing site can use it too, so check that the address itself is the one you expect.
Secure equipment. This means logging all the equipment that you possess, the software (and licences) utilised and, most importantly, the passwords for individuals and for administrators. All passwords need to be changed regularly and whenever, for example, someone leaves; shared administrator passwords in particular, since a leaver who still knows them can still log in. Also restrict the use of recordable media such as CD/DVD disks, USB memory sticks and external hard drives, or you could see your designs walk. This not only makes it that much harder for anyone to take data off the premises but also reduces the risk of data being lost.
Monitor everything. Collect activity logs (who logged in, when, and from where) and make sure that you have the ability to find unauthorised usage in them, such as repeated failed log-ins, a leaver’s account still in use, or access outside trading hours. Many broadband routers can log blocked connection attempts from the internet, but a log that nobody reads is no protection, so decide who checks it and how often.
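The kind of check the monitoring step calls for, written out as an added example that is not from the Bridal Buyer article: it reads a log of log-in attempts and flags a burst of failed guesses, a log-in from outside the shop’s own network, use outside opening hours, and use of an account belonging to someone who has left. The log format, the sample lines, the staff list, the 192.168.1.x address range, the opening hours and the five-attempt threshold are all constructed assumptions for the illustration; real logs from your router, server or till system will look different and need their own parser.

```python
"""Find unauthorised use in a log of log-in attempts.

Added example, not the article's or any vendor's code.  The log format,
sample lines, staff list, address range and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed "<time> login <ok|failed> user=<u> src=<ip>" format.
SAMPLE_LOG = """\
2013-06-03T09:02:11 login ok user=alice src=192.168.1.20
2013-06-03T09:05:42 login ok user=bob src=192.168.1.21
2013-06-03T23:14:05 login failed user=admin src=203.0.113.9
2013-06-03T23:14:07 login failed user=admin src=203.0.113.9
2013-06-03T23:14:09 login failed user=admin src=203.0.113.9
2013-06-03T23:14:11 login failed user=admin src=203.0.113.9
2013-06-03T23:14:13 login failed user=admin src=203.0.113.9
2013-06-03T23:14:15 login ok user=admin src=203.0.113.9
2013-06-04T10:30:00 login ok user=carol src=192.168.1.22
2013-06-04T02:10:00 login ok user=alice src=192.168.1.20
"""

# Hypothetical staff list: carol has left, so her account should no longer be used.
CURRENT_STAFF = {"alice", "bob", "admin"}
LAN_PREFIX = "192.168.1."          # assumed address range of the shop's own network
OPEN_HOUR, CLOSE_HOUR = 8, 19      # assumed trading hours (08:00 to 19:00)
FAIL_THRESHOLD = 5                 # failed attempts from one source before we shout

LINE_RE = re.compile(r"^(\S+) login (ok|failed) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Turn log text into a time-ordered list of log-in events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a log-in record
        ts, result, user, src = m.groups()
        events.append({"time": datetime.fromisoformat(ts),
                       "ok": result == "ok", "user": user, "src": src})
    events.sort(key=lambda e: e["time"])
    return events


def find_alerts(events, staff=CURRENT_STAFF):
    """Return (kind, user, src, time) tuples for every suspicious event."""
    alerts = []
    failures = defaultdict(int)  # (src, user) -> failed attempts seen so far
    for e in events:
        key = (e["src"], e["user"])
        when = e["time"].isoformat()
        if not e["ok"]:
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:      # password guessing
                alerts.append(("brute_force", e["user"], e["src"], when))
            continue
        if e["user"] not in staff:                   # leaver's account in use
            alerts.append(("unknown_account", e["user"], e["src"], when))
        if not e["src"].startswith(LAN_PREFIX):      # log-in from outside the shop
            alerts.append(("external_source", e["user"], e["src"], when))
        if not OPEN_HOUR <= e["time"].hour < CLOSE_HOUR:   # outside trading hours
            alerts.append(("out_of_hours", e["user"], e["src"], when))
        if failures[key] >= FAIL_THRESHOLD:          # guessing that then succeeded
            alerts.append(("success_after_failures", e["user"], e["src"], when))
    return alerts


def audit(text=SAMPLE_LOG, staff=CURRENT_STAFF):
    """Parse a log and return its alerts; convenient single entry point."""
    return find_alerts(parse_log(text), staff)


if __name__ == "__main__":
    for kind, user, src, when in audit():
        print(f"{when}  {kind:24}  user={user}  src={src}")
```

Run against the sample, the script reports the five failed guesses at the admin account from an internet address, the success that followed them (flagged three times over: after failures, from outside, and late at night), carol’s account still being used after she left, and alice’s log-in at two in the morning. A single hit on one rule is worth a question; the admin log-in hitting three rules at once is the one to act on first.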
Only collect and store data that you need. The Data Protection Act 1998 makes this quite clear, but in simple terms, one way to limit risk of breach is to simply not collect and store information beyond what is absolutely necessary.
Lastly, and most importantly, create a disaster recovery plan and test it, including actually restoring from your backups. Popham’s case shows why: the defence against an attacker who locks your computers is a recent backup he cannot reach, and the time to find out whether yours restores is before you need it. Don’t wait until it’s too late.
There’s more sound advice in Bridal Buyer - the magazine that brings you the very latest news on issues that affect your business.