I set up Axelisys in 2011 to help all businesses make better IT investment decisions, including turning cyber-security into a first-class concern. Many organisations compartmentalise business functions, such as marketing and IT, leaving gaps between the seams that impact efficacy, quality and value. It also exposes the organisation to greater cyber-security risk.
Cybercrime is a continually evolving threat. It is a cat-and-mouse game between attackers and defenders, and it is much more than a technical exercise. It’s everyone’s responsibility. Whether it is websites, payment gateways, platforms, Internet of Things devices or R&D, businesses should consider security essential. Our personnel are all trained to manage information securely, to flag anything they feel looks rogue, and to be aware of new attempts that don’t look like previous attacks but still breach the cyber-security principles.
As the recent WannaCry outbreak demonstrated so effectively with our very own NHS, unfortunately, even large organisations don’t always get this right. More than 70 trusts across the UK cancelled operations and care visits after falling victim to the untargeted ransomware. The cybercriminals did not specifically target NHS systems. It was simply the equivalent of winning the lottery. They hit the jackpot!
Over the years, there have been many attempts to access infrastructure or dupe staff: PayPal, RBS and NatWest phishing emails requesting users click links; emails from scammers claiming Amazon accounts have been suspended; helpdesk phone scams claiming PC infection; malware email attachments; Distributed Denial of Service attacks clogging websites with millions and millions of requests to block out, gain access to, or take down presences; brute-force attacks on infrastructure services; SQL injection attacks to take down databases; and even impressions on Google Analytics accounts telling readers to vote for Trump! The list goes on. None of these materially affected us, especially the latter.
Many providers monitor systems, including client services, and receive alerts by email and text when things go awry. Our systems also self-heal. By designing platforms from the start to assume failure and cybercrime attacks, and acting like lizards that can shed a limb and grow another, we quarantine and jettison compromised systems and just carry on, growing another clean one in the process. Unlike the NHS incident, which affected services for days afterwards, such platforms can be back up and running in a matter of minutes, if any time at all.
Perhaps uniquely, we also have decoy systems, otherwise known as “honeypots”. Sacrificing them to bot attacks keeps bots away from main servers and, crucially, collects information useful to law enforcement agencies in the future.
Cyber-security is not just technical. It’s strategic and cultural. As much as possible, don’t store any credit-card information. The use of best-of-breed encryption to protect information in transit and at rest is also absolutely essential to the security of customer data and your own. Even we can’t get at passwords and sensitive information held on our servers. We don’t put our staff at that risk. As much as possible, mathematical hashes validate information, and such hashes also validate any communication received. No information is sent back and forth unless it absolutely has to be.
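The two hash-based practices above, storing passwords so that even the operator cannot recover them and validating a received message with a keyed hash, as an added example that is not Axelisys’s own code (the iteration count, salt length and record format are assumptions for illustration):

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumptions); tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record "pbkdf2_sha256$iterations$salt_hex$key_hex".
    Only the salted derived key is stored, so whoever holds the record
    (including the operator) cannot recover the original password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: reject rather than guess
    _, iterations, salt_hex, key_hex = parts
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


def sign_message(key: bytes, message: bytes) -> bytes:
    """Tag a message with HMAC-SHA256 so the receiver can tell it was not altered."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check: any change to message, tag or key fails."""
    return hmac.compare_digest(sign_message(key, message), tag)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
    shared_key = os.urandom(32)                       # constructed shared secret
    msg = b"order=1234&amount=19.99"                  # constructed sample message
    tag = sign_message(shared_key, msg)
    print(verify_message(shared_key, msg, tag))                          # True
    print(verify_message(shared_key, b"order=1234&amount=0.01", tag))    # False
```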
Edging on paranoid has been good in many ways. We’re internally interested in breaking our own services before hackers do, conducting suites of activities most don’t undertake and ensuring our internal processes adequately protect information and staff from targeting. We even deliberately attempt to compromise and infect our platforms using technical and social engineering techniques, revealing points for improvement, and employ “bug bounty” programmes, of the kind Facebook use, to identify exploits or holes that need closing. We see this as an active, collective opportunity to learn, including how we train staff and embed cyber-security principles.
Also, we can’t forget that information governance and data protection are going through transformational change. The General Data Protection Regulation (GDPR) is front and centre of legislator and business focus. UK businesses should be in the process of transitioning to the GDPR before the deadline in May 2018.
GDPR penalties mandate a two-tiered system of fines: the higher of up to €20 million or 4% of revenue for the most sensitive breaches, such as healthcare and personal data, credit card information, and familial links, down to a lower tier of €10 million or 2% of annual revenue for a general breach. With the Association of British Insurers stating that each data breach also costs UK SMEs an average of £65K – £115K anyway, companies should very definitely consider cyber-security insurance and, with it, have a strategy to transform their company into a more responsible data controller. We ourselves are ICO-registered data controllers and took that step to ensure we’re up to date with the UK’s position on data protection.
If I were to offer advice for business owners, I’d have to go with:
- Expect the unexpected!
Cyber-attackers and scammers are getting ever more sophisticated. Exploits will come as a surprise; otherwise the business would have closed them already.
- Only hold what you absolutely need
Whilst threats evolve, cyber-security principles have been pretty static for nearly 20 years. Simply follow the maxim “If it’s not your information, it’s none of your business, but guard it with your life”. Don’t give staff any information they don’t need to know. For example, redirect callers to automated interactive voice systems for telephone card payments before returning to call handlers. No handler ever hears customer credit or debit card numbers, let alone writes them down.
- Train staff, even directors, freelancers and contractors
We can’t stress this enough. Cyber-security is a collective responsibility. Everyone should be keeping information safe. If it was their children’s data, how would staff expect someone in the company to keep that information safe?
Other options include training and certification, but do not treat it like a tick-box exercise. Certification schemes like Cyber Essentials provide reasonable baselines for attacks that have already happened, not future attacks, even if the protection principles are the same. Companies should conduct ongoing self-assessments with that in mind, then perhaps undertake the certification. As certification cannot foresee future forms of attack, knowledge must be continually refreshed to remain relevant.
- System Vulnerability Scans
Since this often involves embarrassing penetration testing processes that highlight major weaknesses and blind-spots, many businesses are reluctant to do this. Yet the NHS WannaCry outbreak exploited precisely this sort of vulnerability. It is always better that you find the vulnerabilities than your attackers. For example, we offer small business customers cost-effective vulnerability scans of their public presence for as little as £30 + VAT per site. Compared to a £115,000 data breach, this is a wise investment.
- Encrypt Information & Check Site Certificates
A classic piece of advice. Ensure all website elements are secure when interacting online, and look for the “lock” icon in your browser, both on your own websites if you sell anything and on other people’s when you buy.
- Firewalls, Antivirus and Anti-malware tools
More classic advice, which is as important as ever! Make sure you are running anti-virus software, such as Kaspersky, Norton, McAfee, AVG or even Windows Defender and Windows Firewall, bundled with Windows from version 7 upwards. Always ensure anti-virus software is kept up to date and, crucially, that operating systems and other software are patched. This was the technical vulnerability behind WannaCry. In March, Microsoft had released a patch for each version of Windows from XP onward, yet it is tragically ironic that NHS information governance processes delayed introduction of the patch that would have fixed it.
- Securely Dispose of Legacy Hardware
Even when you stop using computers, your disks still contain information. Ensure you dispose of old, unused computers securely. Many people are not aware that you can recover information from most disks. Some have made their way abroad, with the data extracted and used to commit identity fraud. Find a provider that magnetically erases and shreds disks, stopping information from making its way into criminal hands. This is so important that we’ve rolled out our very own services, which provide cost-effective blanking and shredding and a certificate of destruction, if needed. For some of our customers purchasing business cloud services from us, we can even collect and shred for FREE! There is now no excuse for losing data this way.
- Cyber risk insurance
We definitely think that it’s worth considering cyber-risk insurance. These new policies insure against losses relating to damage to, or loss of, information from IT systems and networks under the company’s remit, as well as management of the incident itself.
Like car insurance, policies fall into third-party or first-party risks and can include business interruption, ransomware, theft, privacy breaches and more. Yet, just as car insurance requires the ability to drive, these policies require adequate management and security measures to protect your business. Specifically, this means evaluating IT system and network risks, the impact of events, threat modelling and continual reviews of cyber-security protection.
As with all specialisms, don’t leave it to chance. If you’re not sure what to do, don’t do the wrong thing. Seek advice from a specialist to assess your position and crucially make recommendations or even secure your platform for you.