How to protect your business from a cyber-attack
The internet has made life easier for businesses in so many ways. But it has also made it possible for almost any organisation to get hacked.
While cyber-attacks on big companies dominate the news, the Government's Cyber Security Breaches Survey 2022 found that 38% of smaller firms, which are the least likely to have a response plan in place, had fallen victim in the preceding 12 months.
The effects of an attack are well documented: laptops and PCs may be unusable for days, weeks or months, and core business data can be made inaccessible, encrypted or erased. The result can be the loss of customers and goodwill while the business still incurs the full cost of operating, something no small business can sustain for long.
We have partnered with Inoni, business continuity experts, for a series of articles on business risk and continuity planning aimed at small to medium sized businesses, including how to protect your business from a cyber-attack.
Is my business at risk from a cyber-attack?
While cyber-attacks can appear random, it is inevitably the least well defended businesses that become targets of choice, simply because they take less time and effort to exploit. A poorly defended business is also less likely to have the in-house technical expertise to recover, and is therefore more likely to pay a ransom if that is the motive. However, even well-secured systems can be breached if the potential reward is big enough, whether the attacker is after money, kudos, information or simply disruption.
How to reduce the risk of a cyber-attack
The threat is now so significant that every business needs a well-understood cyber security strategy to avoid falling victim. The best option is to retain an accredited professional to 'harden' your business; failing that, consider at least the following, non-exhaustive, list of measures:
- Draw up an information security strategy and policy
- Identify all the electronic information that is essential to keep your business running
- Train staff in information security principles and practices
- Keep security software, browsers and operating systems up to date on all devices, and apply security patches promptly
- Install and maintain effective firewalls, including on devices used for home working
- Control physical access to all your computers and devices
- Prohibit shared logins: give every user their own account, so that activity can be traced to an individual
- Secure Wi-Fi networks with strong passwords and modern encryption (WPA2 or, preferably, WPA3)
- Fully apply industry best practice (PCI DSS) when accepting card payments and storing payment card data
- Control employee access to data on a strict need-to-know basis
- Restrict authority to install software on company devices
- Take backups daily or weekly, keep at least one copy offline or otherwise out of reach of an attacker who has access to your network, and regularly check that you can actually restore from them.
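The last measure is the one most often neglected: a backup that has never been restored is only a hope. The script below is an added example written for this article (it is not code from Inoni, the NCSC or NFU Mutual) showing the minimum check worth automating: archive a directory, record a checksum beside the archive, then prove the backup is usable by restoring it into a scratch directory and comparing every file with the original. The function names, directory names and sample files are illustrative and constructed for the demonstration; a real deployment would point `make_backup` at the business data identified earlier and copy the archive and its checksum to offline or offsite media.

```shell
#!/bin/sh
# Added example: a minimal backup-and-restore check for a small business file
# share. Illustrative code written for this article, not Inoni's or the NCSC's;
# the directory names and file contents below are constructed.
set -eu

# make_backup SRC_DIR BACKUP_DIR
# Creates a dated .tar.gz of SRC_DIR in BACKUP_DIR plus a .sha256 beside it and
# prints the archive path. The checksum file records only the archive's base
# name, so it stays valid when the backup is copied to offline or offsite media.
make_backup() {
    src_dir="$1"
    backup_dir="$2"
    mkdir -p "$backup_dir"
    name="backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C so the archive holds relative paths, not the absolute source path
    tar -czf "$backup_dir/$name" -C "$src_dir" .
    ( cd "$backup_dir" && sha256sum "$name" > "$name.sha256" )
    printf '%s\n' "$backup_dir/$name"
}

# verify_restore ARCHIVE SRC_DIR
# Checks the archive's checksum, restores it into a temporary directory and
# diffs the result against SRC_DIR. Returns 0 only if the checksum matches AND
# the restored tree is identical; a corrupted, truncated or tampered archive
# fails at the checksum stage before anything is extracted.
verify_restore() {
    archive="$1"
    src_dir="$2"
    scratch="$(mktemp -d)"
    if ! ( cd "$(dirname "$archive")" \
           && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ); then
        echo "FAIL: checksum mismatch for $archive" >&2
        rm -rf "$scratch"
        return 1
    fi
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$src_dir" "$scratch" >/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    echo "FAIL: restore of $archive differs from $src_dir" >&2
    rm -rf "$scratch"
    return 1
}

# Demonstration on constructed data: back up a fake "data" directory, confirm it
# restores, then corrupt the archive and confirm the check rejects it.
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/data/accounts"
    printf 'customer,amount\nacme,100\n' > "$work/data/accounts/sales.csv"
    printf 'constructed sample file\n' > "$work/data/readme.txt"

    archive="$(make_backup "$work/data" "$work/backups")"
    verify_restore "$archive" "$work/data"
    echo "OK: $archive restores cleanly"

    printf 'garbage' >> "$archive"    # simulate bit-rot or tampering
    if verify_restore "$archive" "$work/data" 2>/dev/null; then
        echo "ERROR: corrupted archive passed verification" >&2
        return 1
    fi
    echo "OK: corrupted archive correctly rejected"
    rm -rf "$work"
}

demo
```

Run it from cron on the same schedule as the backup itself and alert on a non-zero exit; the restore test, not the archive's existence, is what tells you the backup will work on the day you need it.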
How to respond to a cyber-attack
The National Cyber Security Centre (NCSC) identifies five key steps for responding to and recovering from a cyber incident, which can be summarised as Prepare, Confirm, Resolve, Report and Learn. The main practical response and recovery steps that follow from this are:
- Notify your insurers immediately and follow their guidance
- Learn to recognise the warning signs, such as unusually slow systems, strange emails, unexpected password resets or logins, and other unusual activity
- Work out what is happening and assess the potential impact, and isolate affected devices by disconnecting them from the network (unplug the cable or turn off Wi-Fi) rather than simply powering them off, since their memory and logs may be needed later
- Run up-to-date antivirus on the affected devices, and use what it reports (malware names, affected files) to look up advice on the specific threat
- Disable compromised accounts, cloud services and databases, not just physical devices, e.g. if cloud resources are under attack
- Contact your IT provider or the person responsible for IT within your business, and then, depending on the type of incident:
o replace or re-image (clean) affected hardware, preserving any evidence (logs, disk images) that your insurer, the police or a regulator may need before wiping anything
o restore and rebuild from backups taken before the compromise, after checking that they are clean
o apply security patches to close the vulnerability that was exploited, where available
o reset all potentially compromised passwords on all devices and services, and revoke any active sessions or access tokens that may have been stolen.
Crisis management is an important part of resilience and continuity, and determines how the outside world perceives your handling of the incident. A calm, measured and well-prepared response sends a positive message and promotes confidence, helping to reduce the impact. As part of this:
- Consider taking legal advice, and refer to your cyber insurance policy if you have one
- Report the incident to those stakeholders who must or need to know and, where personal data has been compromised, to the Information Commissioner's Office (ICO); UK GDPR requires a notifiable personal data breach to be reported to the ICO within 72 hours of becoming aware of it
- Learn from the incident and close any gaps in practices or infrastructure it revealed.
We are working together with Inoni to bring you insight into resilience, risk and continuity planning to help make your business stronger. If you feel your business would benefit from specialist support to develop your Business Continuity Plan, please send an email to our partners Inoni, who can explain the services they offer.
If you feel you need support with your Business Insurance needs, please get in touch with your local NFU Mutual agency office.