On 13th June 2019 Fact3, Xyone Cyber Security and A&B Insurance hosted an executive roundtable in Manchester, focusing on the issue of cyber security for SMEs.

Alongside our cyber specialists and Detective Superintendent of Cyber and Digital Security from Greater Manchester Police, in attendance were business owners and IT representatives from a wide range of sectors including legal, banking and finance, technology, retail and pharmaceutical.

“When it comes to a cyber-attack on your business it’s not a case of if, it’s a case of when”.

Neil J Jones, Detective Superintendent Cyber and Digital Security, Greater Manchester Police

The outputs of the discussion were as alarming as they were reassuring.  The scale of the problem is huge, the impact on SMEs of a serious cyber-attack can be catastrophic; if you have employees and a wide supply chain the risk to your business is significant and a large proportion of SMEs are not adequately prepared.  The good news is, protecting your business is within your control; there are relatively simple steps you can take to minimise the risks and fantastic experts just a phone call away to support you to protect your organisation.

As a business owner, there are only two actions you need to consider:

– Prioritise the issue of cyber security in your business and never take if off the agenda
– Reach out to an expert and take steps today to develop a robust and agile cyber security strategy

How big is the problem – the facts

• According to Microsoft, 90% of cyber-attacks are as a result of phishing emails.

• £65,000 is the average cost to an SME victim of cyber-crime – as a result of this 2 out of 3 businesses don’t survive

• 59% of companies in the UK and US have experienced a breach. As technology continues to advance at light speed, so too do hacker strategies with the risks increasing year on year.

• According to the UK Government, cyber-crime is a bigger threat than nuclear war.

How easily can this happen to your organisation?

As technology develops, so too do sophisticated hacker strategies.  Within our executive audience, several examples were provided from real world experiences including ‘manipulation testing’ where either an external consultant or an internal representative will perform tests with employees to gauge the current state of their cyber security.

 Real world

• In 2018 a Manchester based SME was held to ransom by a hacker who had accessed data via a phishing email. The hackers requested a ransom, which after 5 days offline the company subsequently paid. The overall cost to the business of the ransom and business interruption was £1m.

• Marriott Hotels experienced a significant data breach with 500 million guest’s personal data breached as a result of a previously identified security issue that hadn’t been correctly resolved.

Manipulation

This is a service Xyone Cyber Security carry out for their clients and they shared 2 recent stories

• A well-known law firm felt their employees did not require Cyber Security training; however felt they would like us to conduct a service called ‘Manipulate’ to establish this was the case. An external consultant from Xyone was tasked to see if they could get the Finance Department to change bank details over the phone. Following some very simple research they gathered 2 vital pieces of information 1. A supplier name from the company’s website 2. Rebecca (Financial Controller) was known as Becs and she did not work on a Thursday. Equipped with this information a call was made to the Finance Team on a Thursday from the known supplier asking for Becs who was not available. The consultant from Xyone was able to establish trust immediately as a well-known supplier and mentioning they had already had a conversation with Becs (Rebecca) who failed to get back them. Eager to please, the assistant Finance person provided a balance owing to them for audit purposes and was kind enough to amend the bank details for payment – that is what is known as ‘MANIPULATION’.

• An external consultant was given access to the employee email system by the management team to perform a data security test using a mock phishing email. All employees received an email, supposedly from the management team asking for their usernames and passwords on email as part of an IT update. Employees were told they would be entered into a prize draw to win a holiday to encourage them to respond. Upwards of 200 people, including members of the management team unaware of the test submitted these details.

In reality, both of these manipulation exercises would be easy for a skilled hacker to carry out, and the impact on the business could have been devastating.

“Hackers are becoming more sophisticated and every business has a duty of care to train all staff to mitigate their internal risk – employees are the biggest risk”

Zain Javed, CTO Xyone Cyber Security

The three key elements of a robust cyber security strategy

For any organisation, large or small there are three key pillars you need to consider when developing your cyber security strategy.

• Your IT support – should it be internal or outsourced or a combination of the two? Do you have the skillsets and systems in house to ensure a cyber security strategy will be implemented accurately?

• External cyber security certification – do you know the level of certification you should have as a bare minimum and what you should be demanding from your suppliers?

• Cyber Insurance – do you have the right level of cyber insurance and do your policies and procedures adhere to the terms of the insurance agreement?

What are the biggest risk areas?

• Employees – Phishing emails; company issue smart phones; widely available employee information accessible via social media and a lack of cyber security education mean that employees are one of the top risk areas for cyber security.

• Supply Chain – Do you know the security protocols and procedures in place for every 3rd party you deal with? Their risk becomes your risk, which is why a large number of security breaches often take place as a direct result of your supply chain.

What kind of strategies are others implementing?

Cyber security strategies will differ for every organisation.  Highly regulated businesses such as financial or legal institutions are extremely high risk and therefore must employ sophisticated cyber security measures.  Simpler, and less regulated organisations won’t need the same level of cover. The type and extent of coverage your business needs depends on the market you operate in.  This is why undertaking an audit with an expert is critical to ensure your strategy is reasonable and appropriate. The attendees at the executive roundtable operated across a range of sectors, so here are some examples to give you a better idea of the different measures organisations are undertaking:

• Private portals only accessible by employee login

• Email filtering systems that are designed to block and flag suspicious communication

• Risk assessment processes for suppliers, only working with those who meet minimum system requirements

• Encrypted data with adequate un-encrypted back-up

• Investment in ongoing education across the organisation

• Outsourcing IT support to a specialist

• Robust disaster recovery and business continuity planning

• Using email providers such as GSuite who have cyber security built in

• Rapid, offline incident response processes in place in case of a cyber emergency

• Strict VPN access so if employees link to public Wi-Fi data is secure

• Regular manipulation testing carried out to continuously test security systems

As a small business owner, what should I do now?

We’ve had other priorities and not yet thought about a cyber security strategy

If you haven’t taken any steps toward a cyber security strategy, the first thing you need to do is get in contact with an expert for an initial consultation (details below).  The starting point will be an audit of your current situation with a view to providing recommendations and a framework that will work for your specific organisation. This may be a combination of simple and easy wins, as well as certifications, supply chain analysis and insurance cover.

We’ve already got cyber insurance, so my organisation should be fine right?

If you’ve already taken steps to protect your organisation against a cyber-attack, are you certain those strategies are up to date and in line with the latest guidelines? Does your insurance really cover you for all eventualities?   This is a common mistake whereby SMEs take out insurance against cyber-crime, but there’s not a clear understanding of what exactly that covers. In the event of an attack, you may find that your internal processes and certifications aren’t in line with the terms of the insurance, so you’re not covered anyway.  If you haven’t kept up to date with the latest guidelines you may find that your insurance was sufficient at the time it was taken out but may no longer be fully applicable. You need to contact an expert and undertake a review.

The threat of cyber-attacks is very real and happens on a daily basis.  The consequences from a financial and operational point of view can easily result in organisational shut down.  But this doesn’t have to be the case. If you’re aware of the importance of cyber security and prepare adequately with the help of experts you can significantly mitigate risk to your organisation.

It’s better to be safe than sorry – be pro-active not reactive!