Minimising cyber security risk: The first steps

As the NHS ransomware attack earlier this year showed, no organisation, however big or small, can afford not to take data breaches and data theft seriously. The bad guys are out there. For some it is pure mischief, such as teenagers hacking into NASA. For others it is malicious, as with the NHS ransomware attack.

Whatever the reason, there are simple steps you can take to minimise the risk.

The next 12 months are going to be very important for all organisations, including those in the financial services sector and SMEs. On 25 May 2018 the new European General Data Protection Regulation (GDPR) comes into force, and it widens the net in terms of who is held responsible should the worst happen.

Accountants and those in the financial sector are already targets. How many of you have had clients contact you about phishing emails they thought had come from you? It takes very little for an attacker to register a domain that differs from yours by a single extra letter or digit and send email from it. A client in a hurry can easily reply to that address and end up the victim of a scam.
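The "extra letter or number" trick is simple to check for mechanically. The following is an added example, not code from the original article or from Risk Evolves: it takes the firm's real domain (assumed here to be example-accountants.co.uk) and a constructed batch of sender addresses, and flags any sender whose domain is a near-miss of the firm's own, including digits or capital letters swapped in for similar-looking letters, the firm's name on a different suffix, and the firm's name buried as a subdomain of someone else's domain.

```python
"""Flag sender domains that are near-misses of our own (added example, not
from the original article). OUR_DOMAIN is an assumption standing in for the
firm's real domain."""

OUR_DOMAIN = "example-accountants.co.uk"  # assumption: the firm's genuine domain

# Constructed sample batch, not real mail traffic.
SAMPLE_SENDERS = [
    "payroll@example-accountants.co.uk",                 # genuine
    "payroll@mail.example-accountants.co.uk",            # genuine subdomain
    "payroll@example-accountants1.co.uk",                # extra digit
    "helen@exampIe-accountants.co.uk",                   # capital I in place of l
    "info@examp1e-accountants.co.uk",                    # digit 1 in place of l
    "accounts@example-accountants.com",                  # our name, different suffix
    "accounts@example-accountants.co.uk.evil.example",   # our name as someone else's subdomain
    "news@hmrc.gov.uk",                                  # unrelated, must not be flagged
]

LOOKALIKE_DISTANCE = 2  # assumption: one or two character edits count as a near-miss


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased so a capital I passing for l collapses to i."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(address: str) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for one sender address."""
    domain = sender_domain(address)
    # Exact match or a real subdomain of ours is genuine.
    if domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        return "genuine"
    our_name = OUR_DOMAIN.partition(".")[0]
    their_name = domain.partition(".")[0]
    # Our name on a foreign suffix, or our whole name as the first label of a
    # foreign domain (the subdomain trick), is a lookalike.
    if their_name == our_name:
        return "lookalike"
    # A character added, dropped or swapped in the name is a lookalike.
    if edit_distance(their_name, our_name) <= LOOKALIKE_DISTANCE:
        return "lookalike"
    return "unrelated"


def flag_lookalikes(addresses):
    """Addresses that should be held for a phone call before anyone acts on them."""
    return [a for a in addresses if classify(a) == "lookalike"]


if __name__ == "__main__":
    for a in SAMPLE_SENDERS:
        print(f"{classify(a):9} {a}")
```

The edit-distance threshold is deliberately small: widening it catches more variants but starts flagging legitimately similar third-party names, so tune it against a sample of your own inbound mail. A check like this belongs at the mail gateway or in a client-side rule, but the point for a client is the same as in the article: when an address is "nearly" yours, phone before replying.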

The new European law takes that a step further. If you or a third party you rely on are responsible for a data loss, you face two exposures. Firstly, you could be fined by the Information Commissioner's Office (ICO), the UK's independent data protection regulator. Secondly, under the new law, the company whose data you hold could look to you to bear part of what it has to pay out.

For example, suppose you run the payroll for a large car dealership and you suffer a breach. Under the new law both of you could be fined, and the dealership could also come after you for its share of the cost. With the maximum penalty now up to €20m (about £17m) or 4% of global annual turnover, whichever is higher, it is well worth avoiding.

So how do you reduce the risk? While some clarity is still needed around the new law, the first step is to look at what security you have in place as a business today and whether it is good enough.

We recently worked with chartered accountants and financial advisers Harrison Beale and Owen, who wanted assurance that they were doing all they could to protect the business and their clients, and to address any IT security weaknesses.

We worked with them to bring them up to the standard required for Cyber Essentials, the government-backed certification scheme. Certification is only awarded to businesses that can demonstrate they have the scheme's five controls in place: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management.

The accountants already had strong policies and procedures in place. The missing link was the use of personal mobile devices, which could be vulnerable to attack. This was quickly resolved with a new policy requiring mobile devices to be checked and approved before they were allowed to connect to the company's systems.

The whole process took just a day and a half, and any organisation can apply for the certification, regardless of size or sector.

It is one of a number of security steps you can take, but it is a good first one. Increasingly, larger companies and organisations won't even consider service providers and suppliers without some form of compliance or certification in place.

Meanwhile, here are six questions to ask yourself when it comes to cyber security:

  1. What data have you got?
  2. Where is that data?
  3. Who has access to that data?
  4. Why have you got that data and do you have permission to have it?
  5. What are you using that data for?
  6. How are you managing that data?

Helen Barge is managing director of Leamington-based Risk Evolves, which helps businesses prepare for and manage IT risk. Helen is an expert in cyber security and works with a wide range of businesses and organisations, including the police, to identify and manage risk and to protect reputation should an attack occur.