David Osen is our Managing Director at pebble.it. He’s also the resident guru on everything from infrastructure design and implementation to mixed-platform environments and technical workflows for the creative industries. He knows his stuff on cyber security too, so I asked him a few questions to get some hints and tips for our SME and Enterprise clients.
What’s the biggest myth surrounding cyber security?
For me, it’s the idea that the IT department is solely responsible for safeguarding and protecting the business. Of course, they’re fundamental from a software, hardware and best practice perspective, but no business should underestimate the added protection (and risk) employees can add to the mix.
Having a team that’s up to speed on cyber security, and the everyday precautions they can take to see off threats, can prove invaluable. This includes simple things like updating passwords regularly, knowing how to identify suspicious email that poses a threat, and protecting devices that are used remotely, if you operate a Bring Your Own Device (BYOD) or Choose Your Own Device (CYOD) policy.
Everyone should play a role in protecting a business, so the earlier you drive home that message as an employer or business owner, the better.
Are some businesses more at risk than others?
Some companies are certainly more attractive to hackers. Companies that deal with lots of payment transactions, or where unprotected customer data could provide an opportunity for fraud, for example, are more likely to attract attention. For those businesses, it’s all about data protection, so the ‘big three’ are: Security, Privacy and Integrity.
Chances are they’re already following compliance regulation around customer data, but as an extra layer of security, it’s a good idea to think about keeping data off the premises.
That would mean using a second site for data storage, remote hosting or a cloud-based service that removes the risk of any physical data source.
Essentially, the harder you make it for hackers, the higher the likelihood of them moving on to an easier target.
Is a security policy really necessary?
Absolutely, but you shouldn’t let the word ‘policy’ put you off. The best policies are clear and simple, and businesses can work with an IT professional or consultancy to create a security plan that gives them all the protection and confidence they need, without stifling creativity or interrupting workflow.
Cyber security should be a hygiene factor for any business. It takes some thought up-front and requires regular updates, but there’s no need for it to be a stress or strain on the business.
How often should it be reviewed?
Rolling reviews are best. Security threats change and grow more sophisticated all the time, so it’s a good idea to keep your finger on the pulse.
A quarterly check-up is a good idea and I’d recommend resisting the temptation to make it an annual event. Regular updates and patching your system as you go is the best way to protect you and your clients.
Is it expensive to protect your business from cyber attacks?
It doesn’t have to be. A robust policy is the starting point. Add some well-chosen software, invest in your gateway protection and get employees on board - that will get you on the right track.
A business operating system is a little like a car: it needs to be updated and patched regularly to keep everything ticking over nicely, otherwise things can start to slow down and get manual and stressful.
Maintaining that regularity and machine parity across the business is essential, and to use the car analogy again, any good mechanic will tell you that the services are likely to be a lot less expensive than the big fix, if you let things go.
There’s no one piece of software, hardware or firewall that will do everything on the cyber security front, unfortunately. It’s more about building defences with good technology and a common-sense approach. None of that costs the Earth, so don’t let expense put you off. There’s an affordable plan out there for every business.
What advice would you give a business looking at cyber security for the first time?
Prevention is always better than cure, so I’d lead with Data Storage, Business Continuity Planning and Machine Management. They’re big subjects, but I can break them down a little.
It’s important to understand the importance of data storage - that is, where it is and the risk the location exposes you to. Different businesses benefit from different levels of storage protection, so it’s worth having that conversation with an IT expert, as an off-site, hosted or cloud-based solution might be better for you operationally and from a security perspective.
Business Continuity Planning is crucial, because if things go south or you are faced with an unexpected disaster, a good BCP is your best chance of bouncing back quickly and with as little damage as possible.
We were treated to a master class in global hacking earlier this year, when a cyber attack using tools believed to have been developed by the US National Security Agency crippled the NHS, challenged FedEx and infected computers in 150 countries across the world.
More than 300,000 devices were infected by ‘the biggest ransomware outbreak in history’ using a virus that exploited a vulnerability in Microsoft. A patch to fix the known issue was released by Microsoft in March 2017, but for the targeted companies, who hadn’t bothered to patch their systems, the attack proved very public, embarrassing and expensive.
In Britain, the NHS was the worst hit, with hospitals across England forced to turn patients away.
In the event of a disaster like this, a business continuity plan that allows you to manage recovery in an organised way is worth its weight in gold.
The same attack can be used to illustrate the importance of Machine Management, proving the value of regular updates and ensuring patches go in on time.
Are there any quick fixes a business can implement themselves?
There are countless ways for businesses to protect themselves and reduce their IT support costs in the process, such as:
- Putting security and awareness training in place
- Installing anti-virus protection
- Educating employees
- Changing passwords regularly
- Having a designated IT support manager, so issues are resolved fast
- Being smart about devices used remotely
- Applying the same protection to employee devices used for work
What’s the most cost-efficient measure a business with a small budget can take to protect themselves?
Invest well in enterprise-grade security software, so the gateway for traffic in and out is protected as much as possible. It’s an important piece of kit in your overall armour and a ‘must have’ even for businesses working with a tight budget.
It’s also worth looking at any point of protection that’s power-managed, so outage doesn’t leave you open to attack.
These should both be picked up by a good security policy, bringing us back to the benefit of prevention.
You've been helping protect businesses for more than 10 years at pebble.it. What's the biggest learning you can share?
At the risk of sounding a little grim, plan for disaster. ‘It won’t happen to us’ isn’t a strategy and when things go wrong, you need a recovery plan that kicks in fast, because the longer you’re down, the more the business will suffer.
Attacks don’t do anything for a business’s credibility or consumer confidence, but if you protect it as best you can and the worst does happen, coming back fast and proving how well prepared you were to manage the business out of any potential risk is the best defence you have.