In the latest issue of Aurigny's En Voyage, our Senior Security Consultant, James Kelsh, talks about the role of cyber security in your business:
Bored with all things cyber security? Fed up with relentless talk of breaches and botnets? Do you know your watering-holing from your whaling? If it's all too much, don't worry. There's a growing army of cyber criminals who see your boredom as beguiling, whose cyber intent is to make your business their business. If you like figures (and you should if you're running a business), cyber attacks cost UK SMEs more than £8.8 billion last year, with financial services hit the hardest.

There is a common misconception that IT equals security; that the latter automatically comes with the former. Unfortunately, this is not true. As our technology has become more advanced, allowing us to share and store our data digitally, so have cyber attacks. It's just not possible for an IT provider to implement it all under the one IT umbrella, and whilst we advise all our clients on what cyber security measures they should take, the decision on what steps to take rests firmly with them. The Resolution IT intent is to raise the cyber security bar, but we still need clients' permission to start raising it.

Realistically, you need to set aside around 10% of your IT budget for cyber security and work out what layers you can afford to put in place: email security, web filtering, firewalls, understanding who is hitting your network, and policies on password guidance, acceptable use, Bring Your Own Device (BYOD), information security and so on. As cybercrime rises, so must your cyber security budget. Before you can get to this point though, as a business, you need to have carried out a risk assessment. You'll then be able to grade your perceived risks against the budget you have and, from that, work out what cyber security layers you realistically need to put in place.
The Guernsey Financial Services Commission (GFSC) published its 'Self-Assurance Help Sheet' (as a result of its recently completed Cyber Thematic), which lets businesses assess their cyber security posture against international standards. It's a useful checklist of a broad range of measures to consider when setting up your own cyber security framework. What's the alternative? None really. More and more clients are receiving questionnaires from third parties, e.g. financial institutions and suppliers, asking for evidence of what cyber security measures they have put in place to mitigate attacks. And investors will increasingly incorporate cyber security into their environmental, social and governance (ESG) risk.

So where do you start? Something like Cyber Essentials and Cyber Essentials Plus is a solid first step. As the first Guernsey IT service provider to offer the certification to Guernsey businesses, we've seen steady interest in this UK government-backed scheme. And with the States of Jersey making it mandatory this year that any supplier being awarded a contract worth more than £25,000 must demonstrate adherence to Cyber Essentials or a higher standard, it'll be interesting to see if Guernsey follows suit. We think it should be a part of every business's governance and are working towards making sure all our clients have it. And for any new clients who come on board, it's our intention that Cyber Essentials certification is built into their contract with us.

With cyber security built into your business risk register, you can plot what security measures need to be put in place. Don't forget to include incident response plans, and make sure your staff are well trained: at least an annual presentation on the latest cyber-crime developments, as well as regular phishing simulations throughout the year.
Consider putting in place dark web monitoring, which identifies, analyses and proactively monitors the dark web for any compromised employee email addresses. The dark web is hidden from conventional search engines and is estimated to be growing 550 times faster than the conventional web we all use. The ability to operate anonymously means the dark web holds a wealth of stolen data and illegal activity. Once data is posted for sale on the dark web, it is quickly copied and distributed (re-sold or traded) to a large number of cyber criminals. Dark web monitoring allows businesses to take immediate remedial action by changing the exposed passwords (and the password on any other account where the same one was reused).

The level of cyber security knowledge and experience required is probably beyond the capabilities and budgets of most SMEs, which is where the vISO (Virtual Information Security Officer) comes in. The vISO service provided by your IT managed services provider includes carrying out a risk assessment of your current cyber security and then creating a treatment plan with recommendations. There should be quarterly meetings with your Board which report any phishing attempts and near misses, as well as provide context and understanding of how your security appliances and controls are working. Whilst the Board is expected to offer the highest strategic business expertise and guidance, this is just not possible with the fast-changing nature of cyber security. Utilising a vISO represents considerable cost savings and gives your Board access to up-to-date cyber security knowledge.

With the continued use of the cloud, expansion in mobile networks and increased use of AI, our digital working lives will continue to change. We need to remember that change opens up new opportunities; not just for us but also for cyber criminals. Make sure you're as prepared for them as they are for you.