By Mark Brown, Founder of Psybersafe
I worked in cybersecurity in the finance sector for many years, and I know from experience that there are three “must haves” that all businesses should have in place in order to keep their online systems safe from hackers. Without all three pillars – People, Processes and Technology – being present, the cybersecurity job becomes much harder.
Of these three, my view is that ‘People’ must be at the top of this list. Of course, many companies take this to mean hiring specialist cyber security staff. But actually, everyone in your business is part of this pillar. Every single one. And that’s because statistics show that 90% of cyber security breaches are down to human error.
And, regardless of how experienced they are, it could as easily be your CIO or someone in your IT team as the customer service rep who opened an email that looked like it was from the client. It could equally easily be the accountant who thought she was clicking on an invoice, or the HR Director who followed a link to an updated CV.
That’s how cyber criminals get into your business. They tend to use people. That makes your people your first line of defence against cyber criminals. Everyone in your business needs to know not just what to look out for, but how to change the way they behave to stop inadvertently opening the door to data loss and all the serious financial and reputational damage that inevitably comes with it.
All the data in your business is sensitive – it’s your data. And the data of your clients, suppliers, and shareholders. Importantly, a criminal doesn’t need highly personal details to do real damage – names and email addresses may be enough. So anyone working in your business with access to any information could put your business at risk. To support your people, you need three things: good quality, behaviour changing cyber security training, backed by the other two pillars of effective cyber security.
Every organisation – no matter how big or small and no matter what type – should have processes in place that help manage cyber security issues. Who has access to what data? How do people log on? Do you use two-factor authentication? What happens if your security is breached? How do you tell your customers you’ve lost their private data? How do you manage the damage to your reputation? You really don’t want to be doing all of this when you’ve fallen victim to an attack. Develop clear, robust policies and share them with your teams so they know you are taking this significant risk seriously.
Technology plays a critical role in protecting your business against attack. But where to start? Whilst ISO 27001 is the strongest standard, smaller companies can start with adopting the Cyber Essentials certification – a government-backed scheme that is managed by the National Cyber Security Centre. This certification covers a wide technical scope and gives your customers, suppliers and investors confidence in the general standards of your technology and systems.
At the moment, Cyber Essentials includes a range of requirements for IT infrastructure – hardware, software and devices – including:
- Wireless devices
- Bring Your Own devices
- Externally managed, or cloud devices
- Other externally managed services
- Web applications
- Desktop devices
In addition, the certification looks at other issues, including password-based authentication and administration of accounts.
Your internal or external IT support should be constantly assessing the potential risks to your business and putting mitigation in place to keep systems secure.
Together, these three pillars form the basis of a strong and secure approach to the risks that cyber crime presents. But you need to have all three in place to be truly effective. Many companies focus on the tech and forget the people – and that’s a mistake. Your people are the heart of your business, and they are the hacker’s easiest way to your data.
I am a great believer in getting the right technology in place to support good cyber security practice. But technology alone is not going to protect you. Make sure you put your people at the heart of your cyber security defences.