Cyber security and data breach prevention

Over £190,000 is stolen through cyber-crime every day, so protecting your business from online crime is crucial. Here’s how to reduce the risk of a data breach with effective cyber security measures.

There’s little doubt that cyber crime is a growing problem for businesses of all sizes:

  • In the first six months of 2018, 291 records were compromised every single second according to Gemalto’s Breach Level Index
  • In the first six months of 2019 alone, 4.1 billion sensitive records were exposed by hackers

The average cost per business, per crime is £3,000, a sum few small-to-medium companies could absorb without it having a significant impact.

The most effective way to limit your risk of attack is to adopt stringent security policies and then get the right cyber insurance to protect your finances should the worst still happen.

Assess your risk first

Before you can put effective prevention measures in place you need to look at where your business is most vulnerable.

Your devices

Start by looking at all the hardware connected to your network, and answer these key questions:

  • How are these devices protected?
  • Who has access to them?
  • What sensitive information does each device contain?

It’s not just your computer at risk – don’t forget to include any mobile devices you use as these are becoming increasingly high-risk.

Norton has warned that malware on mobile devices is on the rise. Symantec’s 2018 Internet Security Threat Report shows there’s been a 54% increase in malware variants for mobile devices.

Listing all your devices in this way should help identify any weak spots you have and where you’re most vulnerable.

You can then prioritise addressing any devices that store sensitive information or that lack up-to-date security software.

Your data

Next you need to consider the data your business holds.

According to AVG, criminals target everything from addresses and phone numbers, to passwords and sensitive intellectual property.

Personally Identifiable Information (PII) is particularly important to protect, especially any financial or health related information.

PII is any data that could be used to identify an individual person and can include things like:

  • Name
  • Date of birth
  • Address
  • Phone numbers
  • IP addresses
  • Bank account information
  • Health records

Following the introduction of the General Data Protection Regulation (GDPR) it’s your legal obligation to ensure PII is properly protected and that you don’t store any data for longer than you need it.

It’s also worth asking:

  • What is the most valuable data asset you have?
  • How vulnerable is your most valuable data to a potential attack?

Cover yourself where it counts

Once you’ve assessed your main risk areas, you can start to implement improvements to tighten up your security measures.

If you haven’t already, it’s crucial to have reliable, reputable antivirus software in place.

Techradar’s top five antivirus programmes for 2019 are:

  • Bitdefender Antivirus Plus 2020
  • Norton AntiVirus Plus
  • Webroot SecureAnywhere AntiVirus
  • ESET NOD32 Antivirus
  • F-Secure Antivirus SAFE

Once your antivirus protection is in place, the other key areas you should focus on (even if your resources are limited) are:

  • Keep your software up to date. Updates generally include fixes for known security weaknesses.
  • Use firewalls and protect your internet gateways.
  • Change any default passwords still in use, and ensure staff do the same. Aim to change your passwords on a regular basis, at least every six months.
  • Encrypt your data, especially documents that include PII.

Secure and back up your data

Data no longer stays only on your premises: more of us are working remotely and sharing data online than ever before.

Mobile devices, tablets and laptops are commonly used by employees to work off site and it’s these items that are far more vulnerable to theft.

Security measures on mobile devices are also nowhere near as effective as the ones you might have in place in your office.

Backing up your data to a secure cloud-based platform and having your staff work online, as opposed to simply saving their work on their mobile devices, can decrease your risk of losing precious data (and can also ensure that your employees don’t lose their work if they lose their device).

If you invest in cloud storage check what security measures are available. The more encryption, password protection and multi-factor authentication measures in place, the better, even if those measures do annoy some of your employees occasionally and cost a little extra too.

A real-world (offline) backup doesn’t hurt either, and it’s advisable to do both. Server backups can be set to run after hours, when you and your employees are less likely to be inconvenienced or experience work interruptions. You won’t necessarily need to back up every day, but it’s an effective failsafe to have in place.

Train your staff

Most cyber-attacks still occur because of human error.

Someone clicks on the wrong link, downloads the wrong attachment or is tricked into sharing information they shouldn’t.

Training your staff about cyber security and how to be vigilant is just as important as having formal technical measures in place.

All the firewalls in the world won’t matter if one of your staff members inadvertently gives away a password, for example.

Even if you do have backup measures in place, advise your staff to back up any key data to password-protected external drives too.

Get expert help

It is often worth paying for a cyber security analyst to come and assess your potential weak points so that you can boost your cyber security measures upfront.

You can also bring in experts to train your staff on the key risks too.

But if you do it yourself, simply try to break your assessment down into simple steps. Maybe you can afford security software that has comprehensive support, so that someone is always at the end of the phone?

Mitigate the risk with cyber cover

While you can lessen your risk, it’s impossible to eradicate it altogether.

This is where cyber insurance comes in and helps your business recover if hackers or cyber criminals breach your defences.

A good policy can help make up for loss of income, repairs or setup costs, and even legal and customer communication and relationship management costs.

For more help you can read our guides on what cyber insurance covers and how much cyber insurance costs.

We also offer impartial comparisons of the best cyber-insurance providers in the UK, so that you can make a more informed decision.

We have no affiliation with any of the companies listed, so you can rest assured that all reviews are completely unbiased.

Have a response plan ready

Beyond this, you should have a cyber risk management plan in place as a business owner.

Response plans usually include education for all employees, as well as appropriate tech support.

Further to that, all online transactions with your users should be protected. Talk to your vendors and have contracts in place that commit them to taking appropriate security measures.

Make sure email authentication is in place, such as DomainKeys Identified Mail (DKIM). This puts a digital signature on outgoing mail, verified against a key published in your domain’s DNS, that identifies it as genuinely coming from you.

Earlier still, when deciding on a web host, think about their security. Transport Layer Security (TLS) is a basic requirement, and when it is in place most browsers will mark the connection as secure (the web address will begin with https://).

In the unfortunate instance of a breach, you should also have a plan. Think about how you would notify customers, how you would preserve and store your data so that it can be recovered, and how the business could keep running with compromised systems.

Cyber Security FAQs

You need to report any personal data breach to the Information Commissioner’s Office (ICO); you can do this online on the ICO website.

If you’re unsure if your business needs to declare a breach you can complete the ICO self-assessment tool.

You should report any data breach within 72 hours of becoming aware of it. This means that if the breach occurred weeks or months earlier, you should still report it within 72 hours of finding out about it.

It can be. If the email contains personally identifiable information about your customers and was sent to an address outside your organisation, it could be considered a data breach.

There are several websites that can tell you if your details have been exposed in a data breach, including:

Yes, you could have to compensate third parties if you inadvertently expose their data and this causes them harm.

Thankfully, cyber insurance can offer third-party cover to protect your business if you face legal action following a data breach.

Written by Martin Lane, Head of Content
Martin is an experienced writer in the financial services sector previously serving as Managing Editor at money.co.uk with regular guest slots on BBC Radio 4 and featured in the national press.
