When it comes to cyber-attacks, it’s not a question of if, but of when. The combination of more sophisticated cyber-crime techniques, greater connectivity between companies and the fact that almost all businesses are now digital means that, without proper protection, companies are left exposed and vulnerable to hacking.
While we’re all familiar with the attacks on big organisations like IBM, TalkTalk and the NHS, almost half of all cyber-attacks now target small businesses. And the results can prove fatal. The IBM-sponsored Ponemon Cost of Data Breach Study found that the average cost of a data breach is $3.62 million, a price that many companies would not survive.
Now, IT and cyber-security must be the concern of every single employee, from the C-suite down to the receptionist, because implementing the best cyber-security system possible isn’t just about firewalls and encryption; it’s about changing the entire culture of your organisation. For this change to take place, strong leadership is required. So, what exactly is the role of the business leader?
Lead from the front
To lead and implement change, the first step should be watertight knowledge. If you don’t understand all the threats, how can you hope to educate others? As a business leader, taking decisive ownership of cyber-security is crucial if you want to make it a core value of your business, so make sure you’re 100% confident on all the facts.
Understanding what online criminals want and exactly how attacks happen will help you to identify your cyber-weaknesses and take action. An effective way to do this is through a certified course, such as the government-backed CyberEssentials scheme. Committing to change in this way, and making it clear that cyber-security is a top priority for you, makes it much more likely that the rest of your organisation will follow suit.
Set the ambition
What is your vision for the company’s cyber-security? For many businesses, the objectives are likely to be areas like compliance with GDPR, protecting corporate reputation and securing IP and sensitive data.
As a business leader, it’s your responsibility to set the ambition. If you need to make significant changes to meet those objectives, then do it. The alternative could be much more challenging, costly or even fatal to the business, so leave no stone unturned.
How will cyber-security fit into corporate planning? How and when will staff receive training? What plans are in place in case of a breach? Would it be disclosed? If so, how? How will your company’s needs change in the future?
Creating a crystal clear vision of where you want to go makes it much more likely that you’ll get there – and that you’ll take everyone else with you.
Create the plan
As a business leader you need to be at the forefront of change, but to create a cyber-security plan you also need the right team in place to help drive that change forward. Think about the various functions across your organisation. Which people would be most effective in implementing significant change? You don’t necessarily need a huge team, but you do need the right people.
The technicalities of your cyber-security plan might include things like implementing an intelligence plan to identify potential attackers, restricting employee access to certain files and providing security training for employees. Whatever the specifics are, some level of delegation is vital at this stage to ensure changes are implemented and communicated effectively.
Set the culture
While most companies recognise the pressing need for technical security measures, without a culture of security in the workplace the risk remains high. Human error can very quickly and easily undo even the most stringent digital protection, so establishing a culture of awareness around cyber-security is crucial to the ongoing security of your company.
Even if you have the most advanced technical defences in the world, something as simple as employees opening phishing emails can allow hackers to access your internal network and your customers’ data. This is exactly what happened at eBay in 2014, resulting in criminals having access to eBay’s systems for 229 days and stealing 145 million customers’ personal information.
To ensure employees adopt a culture of good cyber-security ‘hygiene’, it’s important to communicate exactly how a cyber-attack could affect the company as a whole – and them, as an individual. Try to create an inclusive, open environment, where employees are encouraged to ask questions about cyber-security.
Explain how divulging seemingly innocuous information, such as project names or employee details, can be used maliciously by cyber-criminals. Talk about phishing emails, DDoS attacks and best practices when using personal devices for work.
It’s important not to take anything for granted: don’t presume that people know these things. According to research from Friedrich Alexander University, 50% of email users click on links from unknown senders, and 78% of people are unaware of the dangers of unknown links.
In order to really change the culture and attitudes towards cyber-security, you need everyone to buy into the changes, so make sure everyone feels included in the process. Providing relevant training for all employees is an effective way to do this – and the key word is relevant.
Although there are plenty of training programmes available, you need to make sure the one you choose is specific to the needs of your company and your staff. If you opt for generic training, there’s a chance some or most of it will be irrelevant, and you run the risk of staff not engaging or being bored.
In addition to all the practical measures, one of the most effective ways to engender real cultural change is by showing your employees how committed you are to the cause. Again, lead from the front and demonstrate your passion for creating a digitally secure company.
Secure infrastructures and processes
Some cyber-attacks exploit vulnerabilities in software and IT, but most exploit human error. According to research from PhishMe, 91% of all cyber-attacks begin with phishing emails. Unfortunately, not all companies have technology which is secure by default (i.e. optimal, built-in security that you don’t have to turn on), so how do you fill in the gaps to create the best protection possible?
By going back to basics. You can significantly mitigate risk by taking simple measures which are the digital equivalent of locking your front door.
Is your data on a central file server? How do you manage which employees have access to sensitive files? Is all your data backed up? Are portable devices security marked? How do you discourage employees from sharing information? Do you use two-factor authentication for banking and emails?
Implementing systems and protocols is key to protecting your company from the threat of cyber-crime. Often the simplest, lowest-cost steps are overlooked – and overlooking them can prove the most damaging.
However, all these changes mean very little without a holistic shift towards understanding and appreciating the importance of cyber-security.
Your employees are the front line of defence; they are the ones who will receive phishing emails; they are the ones who may not realise the value of the information they give away; they are the ones who may have weak passwords on their portable devices. Without them on board and fully clued up about what to look out for, your business will be at risk.
Creating a work environment which is vigilant and proactive is the only way to truly protect your business. Although there is no such thing as perfect protection, as a business leader, you have the responsibility and power to significantly reduce the risks. Lead from the front, take everyone with you and don’t forget the basics.