Cybersecurity for business: where to invest
Plugging the gaps in your defences
With cybercrime posing a serious threat, understanding potential weaknesses in your business is key to making effective investment decisions.
For a long time, businesses have been urged to protect themselves against cybercrime, but unfortunately the threat from the fraudsters is going nowhere.
Whilst all businesses want to do whatever they can to stay safe, knowing where to invest money can be difficult – particularly as most budgets can only be stretched so far.
For this article, we’ve taken three broad categories where businesses can be vulnerable, examining each in turn and highlighting important areas where there may be gaps in your defences. We’ve also provided some ideas on where allocating funds could make a difference.
The nature of cybercrime – and the differences between each and every business – means it’s impossible to provide fool-proof guidance. Instead, this is a way to help clarify your own thinking about the threat to your business, and to help you to make the cyber security investments that are right for you.
Modern ways of working are combining with new technology to make connected devices in the workplace increasingly common.
And it’s not just smartphones and laptops. A whole host of other equipment – ranging from printers to CCTV cameras – is connecting to the internet and potentially providing entry points into business networks.
So what steps can you take to be more secure?
“One of the most important things to invest in is ensuring that all devices have the latest software updates, and putting processes in place to keep them up to date,” says Ian Workman, Co-Head of SME, Business Banking, Barclays. “We would also always recommend a paid anti-virus solution where possible.”
Taking more control
It’s important to consider how your employees are using personal devices for business purposes, and to make decisions based on your own level of risk.
Quick wins could include investing the time to set out proper guidelines for employees to follow. But if you have a higher risk profile – and potentially a higher budget – you might want to consider whether supplying employees with company-owned devices is the right option for your business.
This can give you a greater level of control, allowing you to enforce data encryption and remote wiping abilities that can help if devices are lost or stolen.
“There is also software you can download that restricts activity on your devices,” says Marco Alves, Digital Fraud Strategy Manager at Barclays. “This can help to protect against malicious websites that harvest data or inject malware. It gives you an extra layer of defence because it prevents access to these websites in the first place.”
The Internet of Things
The Internet of Things (IoT) describes the growing number of devices that can connect to the internet – ranging from household appliances and toys to office equipment, machinery and infrastructure. According to Gartner forecasts, there will be 20.4bn IoT devices by 2020 [1].
But with this boom comes an escalating threat. Gartner is also predicting that worldwide IoT security spending will hit $1.5bn in 2018, up from $1.2bn in 2017 [2].
“We’re seeing malicious activity being routed through these types of devices,” says Ian. “They could potentially be used to gain a foothold because they can provide a back door into the network.”
Not all businesses can – or perhaps even need to – put sophisticated firewalls in front of all of their systems. The key thing is to ensure you’re making appropriate investment decisions based on your own individual needs.
“It’s important to get technical advice from people who know what your platform is, what everything does and what the risks are to your business,” says Chris Johnson, Vice-President, Fraud Strategy & Risk, Barclays.
Having a criminal gain access to your systems is nobody’s idea of fun. Data breaches, financial losses, even industrial espionage – the potential for large-scale damage is extreme.
Taking the appropriate steps to maintain the integrity of your systems is essential. There are some simple things that are important not to overlook – such as making sure your firewall is on, keeping antivirus software up to date and ensuring that all the default passwords for your internal systems have been changed.
“You should also consider how you’re monitoring your network,” says Chris.
Network monitoring solutions can help to increase the security of your systems in many ways, such as spotting attempted cyber attacks or unusual activity, as well as preventing staff from connecting to malicious websites.
There are other things you could invest in too that might help prevent staff from compromising your systems or data.
“If you aren’t already, one obvious recommendation is that staff working remotely connect to your systems via a Virtual Private Network (VPN),” says Marco. VPNs extend a private network, such as a business's, over a public network. The benefit is that they allow users working remotely on laptops or smartphones to send and receive data as if they were connected directly to the private network, making it much more secure.
“Ideally they'll connect via a two-factor authentication process where access codes are generated and sent to something personal to the employee – for example as a text message or to a trusted email address.”
The value of encryption
If your employees are transferring work between home and the office via USB drives, Ian says that it could be worth thinking about investing in drives that have encryption. This can help to prevent unauthorised access to potentially compromising information should they be lost or stolen. For some businesses, it may be appropriate to consider this kind of technology on a wider basis.
“If you’re holding sensitive information for your customers I would certainly look at encryption solutions, and particularly investing in where the encryption keys are stored,” says Ian.
“There’s no point having data encrypted and then having the keys to decrypt lying on a shared network somewhere. If it’s appropriate for your business, there are hardware encryption devices that companies can invest in where keys are stored securely.”
Of course, it’s important to remember that there are no perfect solutions. The government’s Cyber Security Breaches Survey 2018 shows that 43% of UK businesses have experienced a cyber attack or breach in the last 12 months, with that figure rising to 72% for larger businesses [3].
With that in mind it’s worth considering the kind of investments you wish to make in planning for a worst case scenario.
For example, it may be worthwhile for some businesses to invest in off-site servers to back up business data, which could help mitigate the effects of a ransomware attack. For others, the most appropriate investment may be spending time formulating a robust policy so that everyone knows what to do in the event of an emergency.
“Having a suitable disaster recovery plan in place can be massively important,” says Chris. “It enables you as a business to work at speed and lock down any threats.”
It’s widely acknowledged that in any robust security system, the weakest link is usually the human being in the process. So while your employees are among your biggest assets, they may also be one of your biggest risks.
Education is key, yet for many businesses it’s still not happening. The UK government’s Cyber Security Breaches Survey 2018 shows that just 20% of businesses had staff attending internal or external cyber security training over the last 12 months [3].
“It makes sense to invest in regular, mandatory learning for your staff,” says Marco.
But it’s important to consider other elements too. Educating employees effectively is undoubtedly best practice, but it doesn’t mean that everybody will always remember the advice.
“The more you can automate the highest risk processes and reduce manually-reliant controls the better,” says Chris.
“Take for example an employee downloading an email attachment from an unknown source. If you have high quality software and monitoring in place, you can prevent this and remove the manual element from the process. The more you can do of that the better.”
People are fallible when it comes to being deceived, but Chris says that this is unsurprising because of the sophistication of the scams now being used.
One way businesses can be hit hard is through invoice fraud. This can happen when fraudsters hack into email accounts and intercept invoices. They then change the account details to their own and wait for the victim to make the payment into their account.
“You should never work off emails as a payment structure, because of those risks,” says Chris. “Pick up the phone and speak to people directly on numbers you know. It’s not fool-proof, but it’s sound advice for any business.”
In a targeted attack criminals can often be one step ahead though, hijacking the calls used to establish that requests or details are genuine. But you can invest in technology to help.
“There are some tools that will detect if calls are being diverted or SIM cards have been swapped,” says Marco. “Having technologies that detect this type of activity will help minimise the risk.”
Managing employee risk
There are other ways in which your employees can pose a potential cyber security risk. From a risk management perspective, investing in a regular audit to determine whether each staff member still needs the IT privileges they’ve been assigned can be worthwhile.
“Employees change roles and may no longer need access to certain systems,” says Marco. “By having regular audits you can make your security more robust.”
And while it’s perhaps unlikely, there’s always the possibility of criminals using an employment opportunity to introduce a cyber threat. As such, it’s worth considering whether you should vet your new recruits.
“There are services that will check potential employees out against police databases and other records,” says Chris. “Businesses have to pay for this, but it’s definitely something to consider the value of.”
“We would also recommend the same strength of controls, checks and education for temporary members of staff as we would for permanent members. Once people are in the door you’re giving them access to your systems, so it’s too great a risk not to.”